Comments
NIST Cybersecurity Framework: Don't Underestimate It
TracyB483
User Rank: Apprentice
6/18/2014 | 2:51:29 PM
Re: Update
Hi - can you point to whether the "Protecting Critical Infrastructure" digital report is available and where? Thanks
WKash
User Rank: Author
4/4/2014 | 5:58:45 PM
Update
Watch for our digital report -- Protecting Critical Infrastructure – A progress report on how the U.S. Government, industry groups and private sector owners of America's critical infrastructure are working to adopt common practices to protect against cyber attacks... coming April 21.
WKash
User Rank: Author
3/24/2014 | 1:50:32 PM
Re: NIST Cyber Framework
otterIT, thanks for weighing in on the NIST Cyber Framework. Your message is an important one, and one we'll try to share back w/ the NIST folks for response.
otterit
User Rank: Apprentice
3/23/2014 | 9:31:30 PM
Re: NIST Cyber Framework
This framework is virtually useless. What small business owner, who has only limited resources and overhead, is going to spend a minute trying to translate "government speak" to commercial operations. There is already an overload of existing frameworks and standards: PCI, HIPAA, SOC 1/2/3, and ISO. ISO is an "international standard."

Small and medium businesses (SMBs) are shifting their information technology services to "the cloud" and platform/software as a service models. Google Mail, Paychex, Salesforce, and Acquia Cloud (Drupal) have taken the place of traditional on-site infrastructure. A more appropriate framework for 2014 should have focused on outsourcing and contracts (service level agreements).

IMHO: This framework and DHS's insistence on handling the implementation is just another way for DHS to attempt to show their value. It's not going to work. DHS hasn't proven they are capable of handling this mission. DHS has absolutely no authority over commercial companies.

The people who wrote this framework are smart. The framework itself is going to have absolutely no impact on SMBs. 
WKash
User Rank: Author
2/13/2014 | 4:36:41 PM
New release
Gerald, now that NIST has issued its Version 1.0 of the new Cybersecurity Framework, which seems a bit stripped down from the draft we've all been looking at, how have your views about adoption changed?

tonyalfidi
User Rank: Strategist
12/17/2013 | 3:23:42 AM
Network Security in IoT
The Amphion Forum 2013 had very informative sessions on network security. There is a strong business case for making security a priority in the IoT's IT/OT convergence. http://alfidicapitalblog.blogspot.com/2013/12/talking-security-at-amphion-forum-2013.html
WKash
User Rank: Author
12/11/2013 | 9:07:40 PM
Re: NIST Cyber Framework
Your point about incentives is well taken. Part of the efforts outlined in the Executive Order calls for exploring ways to provide incentives to critical infrastructure owners, through insurance cost breaks for example. It's complicated with so many industries, but you're right, there will need to be a big stick as well as big carrots here.

tuanp
User Rank: Apprentice
12/11/2013 | 4:15:08 PM
Re: NIST Cyber Framework
This is a great article. The challenge I see in the adoption of the NIST Cyber Framework will be the lack of a reward mechanism to enable small and medium businesses to embrace the framework. Large businesses will do it for good practices.

Case in point, when HIPAA came out back in 2004? it was mandatory for covered entities, which by definition at the time were the health plans, health care clearinghouses, etc. 'Business associates' of the CEs were encouraged to comply with the regs but, during that time, were not obligated. What CMS found in subsequent years was that the BAs were just as noncompliant as the rest, and that the enforcement power needed to be enabled. Subsequently, the scope was broadened to the BAs and enforcement actions such as financial penalties were taken. In 2013 to date we have seen about $900k per entity in terms of penalties for noncompliance.

The point is that where there is a big stick, there will be adoption. Where there is no stick there will be no adoption, as adoption costs resources. Voluntary adoption needs incentives such as those enjoyed in health IT, where financial incentives were given to stimulate adoption (physician e-Prescription).

Perhaps NIST will come back to the lawmakers with financial incentives such as a reduced tax break or tax credit (similar to Energy Star for homeowners) for the businesses that can effectively demonstrate their embrace of the framework. And that will open another market to talk about, similar to the 3PAO of FedRAMP.
WKash
User Rank: Author
12/10/2013 | 9:31:17 AM
Re: NIST Cyber Framework
You're right, it is an important document, though hardly a first step. The Bush and Obama administrations have issued a number of executive orders, created task forces, and commissioned recommendations before. This document does have the weight of a presidential executive order, and President Obama's name, behind it.

As to the focus, it's not brick and mortar but rather a comprehensive collection of practices for managing cybersecurity risks -- broken down into five core areas on how to Identify, Protect, Detect, Respond, and Recover from cyber security threats.

Read more at:

http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf

Marilyn Cohodas
User Rank: Author
12/10/2013 | 9:16:39 AM
Re: NIST Cyber Framework
This sounds like a very important document and a significant first step in the development of an industry cybersecurity standard. I'm curious as to the scope of the framework. Is the focus primarily on bricks-and-mortar infrastructure, or does it also include practices involving cloud computing?