Benefiting from the NIST cybersecurity framework.

Author: Scofield, Meg

"The Framework for Improving Critical Infrastructure Cybersecurity," which was published by the National Institute of Standards and Technology, acts as a Rosetta stone to help organizations translate and navigate among complex cybersecurity requirements. Its adaptability makes it applicable to a broad range of operating environments and potentially will make it the de facto industry standard.


Security breaches dominate the news. This past summer, a federal government computer hack compromised personal information belonging to 21.5 million individuals. In September 2014, Home Depot's credit card breach cost the company an estimated $62 million for damage control, like credit monitoring. Then, only a month later, network data bandits targeted Staples and stole more than 1.16 million credit cards.

For organizations, their leaders, and their customers, these incidents can mean professional--as well as personal--devastation. In addition to the significant expense incurred in just responding to a breach, there are financial and time losses resulting from ensuing lawsuits. Not so easily measured is the additional economic damage of the negative publicity.

Ever-increasing volumes of electronic information mean growing vulnerability to cyber-threats. Rather than assume the IT shop is handling the risks, a collaborative effort between information governance (IG) and IT will best produce a strong IG strategy and robust online protection.

The "Framework for Improving Critical Infrastructure Cybersecurity" (Framework), developed in 2014 by the National Institute of Standards and Technology (NIST), provides the common language collaborative parties need to talk about how organizations can keep online information safe. (A free PDF of the Framework can be downloaded from www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.)

A Path Through the Panic

In 2013, President Barack Obama issued Executive Order 13636 that directed NIST to work with government and private industry representatives to create guidelines to help critical infrastructure organizations keep their online platforms safe.

The order defines critical infrastructure as essential systems that, if impaired, would result in "a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Examples include public and private sector areas like utilities, health care, agriculture, chemical manufacturing, and water supply.

NIST, in developing the Framework, convened industry representatives and members of the public and asked what would be valuable for them. A year later, the answer became the Framework document, offering voluntary and technology-neutral precepts for information protection.

The Framework's Broad Relevance

Matt Barrett, NIST program manager for the Framework program, describes the financial services industry as a model that illustrates the Framework's relevance. The Framework has a role in ensuring the security of daily financial transactions like using an ATM machine, swiping a credit card, or making an online purchase.

"When critical infrastructure organizations win, we all win," Barrett says.

Not only critical infrastructure can benefit...
