Comments
NIST Cybersecurity Framework: Don't Underestimate It
jpetrova3000,
User Rank: Apprentice
11/2/2014 | 8:26:19 PM
Cyber Security World Conference 2014 New York City, November 21
Cyber Security World Conference 2014 New York City, November 21, is the only forum where information security authorities and innovative service providers will bring their latest thinking to hundreds of senior executives focused on protecting today's enterprises and learning more about the National Institute of Standards and Technology cybersecurity framework.
TracyB483,
User Rank: Apprentice
6/18/2014 | 2:51:29 PM
Re: Update
Hi - can you point to whether the "Protecting Critical Infrastructure" digital report is available, and where? Thanks
WKash,
User Rank: Author
4/4/2014 | 5:58:45 PM
Update
Watch for our digital report -- Protecting Critical Infrastructure: A progress report on how the U.S. Government, industry groups, and private-sector owners of America's critical infrastructure are working to adopt common practices to protect against cyber attacks -- coming April 21.
WKash,
User Rank: Author
3/24/2014 | 1:50:32 PM
Re: NIST Cyber Framework
otterIT, thanks for weighing in on the NIST Cyber Framework. Your message is an important one, and one we'll try to share back with the NIST folks for response.
otterit,
User Rank: Apprentice
3/23/2014 | 9:31:30 PM
Re: NIST Cyber Framework
This framework is virtually useless. What small business owner, who has only limited resources and overhead, is going to spend a minute trying to translate "government speak" to commercial operations. There is already an overload of existing frameworks and standards: PCI, HIPAA, SOC 1/2/3, and ISO. ISO is an "international standard."

Small and medium businesses (SMBs) are shifting their information technology services to "the cloud" and platform/software-as-a-service models. Google Mail, Paychex, Salesforce, and Acquia Cloud (Drupal) have taken the place of traditional on-site infrastructure. A more appropriate framework for 2014 should have focused on outsourcing and contracts (service level agreements).

IMHO: This framework and DHS's insistence on handling the implementation is just another way for DHS to attempt to show their value. It's not going to work. DHS hasn't proven they are capable of handling this mission. DHS has absolutely no authority over commercial companies.

The people who wrote this framework are smart. The framework itself is going to have absolutely no impact on SMBs. 
WKash,
User Rank: Author
2/13/2014 | 4:36:41 PM
New release
Gerald, now that NIST has issued its Version 1.0 of the new Cybersecurity Framework, which seems a bit stripped down from the draft we've all been looking at, how have your views about adoption changed?
tonyalfidi,
User Rank: Strategist
12/17/2013 | 3:23:42 AM
Network Security in IoT
The Amphion Forum 2013 had very informative sessions on network security. There is a strong business case for making security a priority in the IoT's IT/OT convergence. http://alfidicapitalblog.blogspot.com/2013/12/talking-security-at-amphion-forum-2013.html
WKash,
User Rank: Author
12/11/2013 | 9:07:40 PM
Re: NIST Cyber Framework
Your point about incentives is well taken. Part of the effort outlined in the Executive Order calls for exploring ways to provide incentives to critical infrastructure owners, through insurance cost breaks for example. It's complicated with so many industries, but you're right, there will need to be a big stick as well as big carrots here.
tuanp,
User Rank: Apprentice
12/11/2013 | 4:15:08 PM
Re: NIST Cyber Framework
This is a great article. The challenge I see in the adoption of the NIST Cyber Framework will be the lack of a reward mechanism to enable small and medium businesses to embrace the framework. Large businesses will do it for good practices.

Case in point: when HIPAA came out back in 2004(?), it was mandatory for covered entities, which by definition at the time were the health plans, health care clearinghouses, etc. 'Business associates' of the CEs were encouraged to comply with the regs but, during that time, were not obligated. What CMS found in subsequent years was that the BAs were just as noncompliant as the rest, and that the enforcement power needed to be enabled. Subsequently, the scope was broadened to the BAs and enforcement actions such as financial penalties were taken. In 2013 to date we have seen about $900k per entity in terms of penalties for noncompliance.

The point is that where there is a big stick, there will be adoption. Where there is no stick there will be no adoption, as adoption costs resources. Voluntary adoption needs incentives such as those enjoyed in health IT, where financial incentives were given to stimulate adoption (physician e-Prescription).

Perhaps NIST will come back to the lawmakers with financial incentives such as a reduced tax break or tax credit (similar to Energy Star for homeowners) for the businesses that can effectively demonstrate their embrace of the framework. And that will open another market to talk about, similar to the 3PAO of FedRAMP.
WKash,
User Rank: Author
12/10/2013 | 9:31:17 AM
Re: NIST Cyber Framework
You're right, it is an important document, though hardly a first step. The Bush and Obama administrations have issued a number of executive orders, created task forces, and commissioned recommendations before. This document does have the weight of a presidential executive order, and President Obama's name, behind it.

As to the focus, it's not brick and mortar but rather a comprehensive collection of practices for managing cybersecurity risks -- broken down into five core areas on how to Identify, Protect, Detect, Respond, and Recover from cyber security threats.

Read more at:

http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf