Last week, the National Institute of Standards and Technology (NIST) released an update on its Framework for Improving Critical Infrastructure Cybersecurity, reflecting feedback from its October workshop and the responses to its August Request for Information. Adoption of the Framework remains voluntary rather than a regulatory requirement, yet many large organizations across a range of industries already treat it as an effective benchmark for security operations. We at Guidance Software believe it will soon be regarded as a “commercially reasonable” standard of care, but we also recommend layering additional, proactive security practices on top of it for a more complete security posture.
Information-Sharing Holds Real Promise for More Effective Organizational Defense
The aspect of the NIST Framework that I believe holds the most promise for defending our organizations is information-sharing. Many of those who responded to NIST’s calls for feedback expressed interest in expanding this kind of collaboration in order to build more powerful threat intelligence feeds across American industries. While interest in participating is high, so is the level of concern about the potential damage to corporate reputation if reported data breaches were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach, and the related technical details, anonymously.
Congress has just passed the National Cybersecurity Protection Act to better support cyber-threat information exchange between the public and private sectors through the National Cybersecurity and Communications Integration Center. However, a bill that adds liability protections for organizations that report breaches will have to wait until early next year.