The US National Institute of Standards and Technology (NIST) launched its Cybersecurity Framework, a voluntary how-to guide for organizations to enhance their cybersecurity. The framework provides best practices for voluntary use in all critical infrastructure sectors, including government, healthcare, financial services and transportation.
The US government and the private sector spent a year developing these guidelines to help organizations build information security protection programs. The effort answered President Obama's call, in his 2013 State of the Union address, to help mitigate growing cyberthreats to the nation's critical infrastructure. This is v1.0; updates will follow as more recommendations are developed and the organizations implementing them give NIST feedback.
The framework has five functions and a series of categories in each function. The five functions are:
- Identify
- Protect
- Detect
- Respond
- Recover
Clearly the first step is to Identify your critical assets, define your business environment and assess your level of risk. Once you do that, you can develop a Risk Management Strategy. Since every organization is different, your level of risk and risk mitigation will differ.
The categories under Protect combine people, process and technology. These include training your people, securing your data and implementing processes and procedures to help mitigate your risk. I want to focus on Data Security. That category defines a number of subcategories that focus on data and the devices used to store and access it:
- Data-at-rest is protected
- Data-in-transit is protected
- Assets are formally managed throughout removal, transfers and disposition
- Adequate capacity to ensure availability is maintained
- Protections against data leaks are implemented
- Integrity checking mechanisms are used to verify software, firmware and information integrity
- The development and testing environments are separate from the production environment
One area that’s not addressed directly is “Data-in-use is protected”. This could fall under “Protection against data leaks”, but that’s a fairly broad category. It is important to protect data at rest by encrypting it inside a database or in the file system. Implementing SSL, TLS or another transport security protocol helps protect data in transit.
Unfortunately these are not enough. If I am authorized to access a file, neither of those two controls will prevent me from sharing it with an unauthorized person. I could accidentally email a confidential document to someone outside my company or put it on a file-sharing service. Once there, the file might go anywhere.
You need to encrypt documents with a persistent file-level security policy that lets you control who can access the file and what they can do with it. The policy lets you control the document no matter where it is and what format it’s in. This guarantees that only authorized people can use the file. If an unauthorized user gets the file, they can’t access the information inside. It’s useless to them. That really protects against data leaks.
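To make the idea concrete, here is an added example (not code from the original post or from any product) of a container where the access policy travels with the ciphertext and is bound to it by a MAC, so that stripping or editing the policy breaks opening. The user names, actions, key and document content are constructed; HMAC-SHA256 in counter mode stands in for AES-GCM only so that the example runs on the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed master key: in practice it is held by the organization's key
# server and never ships with the file, so a leaked container is useless
# without an authorized request back to that server.
MASTER_KEY = secrets.token_bytes(32)

def _keystream(key: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in PRF; a real product would use an AEAD.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def _subkeys(master_key: bytes, nonce: bytes):
    # Per-document encryption and MAC keys derived from the master key and nonce.
    enc = hmac.new(master_key, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac" + nonce, hashlib.sha256).digest()
    return enc, mac

def seal(plaintext: bytes, policy: dict, master_key: bytes) -> dict:
    """Encrypt a document and bind its policy ({user: [actions]}) to it."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(master_key, nonce)
    ct = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    tag = hmac.new(mac_key, policy_bytes + nonce + ct, hashlib.sha256).digest()
    return {"policy": policy, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_document(container: dict, user: str, action: str, master_key: bytes) -> bytes:
    """Return plaintext only if the verified policy grants `action` to `user`."""
    nonce, ct = bytes.fromhex(container["nonce"]), bytes.fromhex(container["ct"])
    enc_key, mac_key = _subkeys(master_key, nonce)
    policy_bytes = json.dumps(container["policy"], sort_keys=True).encode()
    expected = hmac.new(mac_key, policy_bytes + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(container["tag"])):
        raise PermissionError("policy or content was altered")  # verify before decrypting
    if action not in container["policy"].get(user, []):
        raise PermissionError(f"{user} is not allowed to {action}")
    return _xor(ct, _keystream(enc_key, len(ct)))

def can_open(container: dict, user: str, action: str, master_key: bytes) -> bool:
    """True if `user` may perform `action` on the container."""
    try:
        open_document(container, user, action, master_key)
        return True
    except PermissionError:
        return False
```

Because the tag covers the policy together with the nonce and ciphertext, a recipient who edits the policy to grant themselves access, or who tries a different key, is refused before any decryption happens.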
The NIST Cybersecurity Framework is an excellent set of guidelines to begin mitigating your risk against malicious attacks or inadvertent mistakes that can harm your business. Industry groups have already talked about adding elements of them to existing frameworks, such as the HITRUST Common Security Framework for healthcare. These guidelines will evolve as public and private organizations begin to implement them.
Encrypting your data is the best way to mitigate risk of a data breach. Start that process today.
Photo credit Maryland GovPics