The National Institute of Standards and Technology (NIST) issued a new cybersecurity framework describing best practices for organizations to develop their information security programs. The framework is the result of a collaboration between government groups and private businesses.
The guidelines in the framework are aimed at critical infrastructure organizations, such as healthcare, government, financial services and transportation. Compliance is voluntary for companies in the private sector, but may be required for government contractors.
The guidelines include practices that businesses can use to reduce cyberthreats, and consist of flexible suggestions that companies can implement.
A “cyber resilience review” is contemplated in the guidelines which is a free assessment evaluating an organization’s technology resilience. This review can be self-imposed or provided by a third party.
The framework is based on companies
- Describing their current cybersecurity posture;
- Describing their target for cybersecurity;
- Identifying and prioritizing opportunities for improvement;
- Assessing progress toward their target state; and
- Communicating about cybersecurity risks.
Three concepts are built into the framework:
- Core- a set of common review and risk management activities.
- Profiles- allowing organizations to align cybersecurity activities with its own business requirements to evaluate risk and prioritize improvements.
- Tiers- to implement and manage risk.
Compliance is voluntary, but organizations may find the framework helpful for completing a risk management review and analyzing security compliance. A copy of the guidelines may be accessed by clicking here.
