Framework for Managing Cybersecurity
On February 12, the National Institute of Standards and Technology (NIST) released a voluntary cybersecurity framework designed to address the heightened business and security risks that come from increased reliance on information technology and industrial control systems.* The growing interconnectivity of these systems and their increasing use to deliver critical business services and support business decisions have exacerbated the potential impact of a cybersecurity incident on an organization's business, assets and reputation.
NIST's recommended cybersecurity framework urges banks, utilities and other critical infrastructure operators to adopt a set of industry standards and best practices to manage cybersecurity risks. The framework is the result of collaboration between government and the private sector, and it encourages organizations to consider cybersecurity risks as part of their overall risk management processes. It augments requirements already in effect for some businesses, such as the North America Energy Reliability Corporation's Critical Infrastructure Protection plan applicable to electric industry participants. For financial services providers, NIST's recommended framework has been endorsed by the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). Established in 2002, the FSSCC is the coordinator for financial services providers for the protection of critical infrastructure, focusing on operational risks.
NIST's recommended cybersecurity framework is designed to provide common terminology to discuss cybersecurity issues and describes mechanisms for organizations to:
- evaluate their current cybersecurity readiness;
- articulate their cybersecurity goals;
- identify and prioritize opportunities for improving their cybersecurity procedures;
- assess progress toward their cybersecurity goals; and
- communicate about cybersecurity risks both internally and externally.
There are three parts to the cybersecurity framework: the Framework Core, the Framework Profile and the Framework Implementation Tiers. The Framework Core provides detailed guidance for developing a set of cybersecurity procedures that are common across critical infrastructure sectors. The common standards, guidelines and practices are designed to facilitate communication about cybersecurity activities between an organization's management and those implementing the organization's cybersecurity systems. The Framework Core provides guidance and best practices for five functions: to identify cybersecurity threats; to protect critical information technology and industrial control systems; and to detect, to respond to and to recover from hostile cybersecurity events. The Framework Core identifies categories and subcategories for each function.
The Framework Profile of an organization is based on the categories and subcategories that the company selects for each function of the Framework Core. Organizations can use their Framework Profiles to determine their current state of cybersecurity readiness, describe a desired state of readiness and identify opportunities to reach this goal.
The Framework Implementation Tiers provide a method for organizations to evaluate their level of risk and threat awareness and to categorize the effectiveness of their security procedures. The tiers range from Partial (Tier 1) to Adaptive (Tier 4). Lower-tier responses are reactive and informal; higher-tier responses are adaptive and integrated throughout an organization's structure.
The NIST framework also includes recommendations on how organizations can better protect individual privacy and civil liberties through integration of privacy controls into their cybersecurity and risk management structures.
The cybersecurity framework is technology-neutral and relies on standards, guidelines and practices currently in use in the private sector. The framework seeks to create global standards that may be used across borders. In order for the framework to remain effective, NIST indicates that it will update and revise the framework as new practices, technologies and cybersecurity threats develop.
While the framework is described as voluntary and is targeted at selected industries, businesses in all industries should anticipate that their compliance programs will be measured against it and would be well-served to assess their cybersecurity readiness with reference to the framework. Jim Bowers, the head of Day Pitney's Compliance Risk Services group, has written in greater depth about growing cyber threats and NIST's efforts to develop the cybersecurity framework. For more information on this topic, see his article "Mitigating Data Breach Liability: In Search of a Best Practice."
Our team would be pleased to assist you in developing a cybersecurity readiness plan consistent with the newly issued cybersecurity framework.
*NIST Framework for Improving Critical Infrastructure Cybersecurity