With Success of NIST CSF, NIST Now Set to Tackle Privacy

By: Josh Mayfield | 10/30/2018

As innovation continues to push forward with AI, IoT and other intelligent technologies that both boost convenience and spur economic growth, protecting an individual’s privacy gets more complicated. Those same technologies capture and store an unprecedented amount of personal data. The growing concern over how to protect that data is one important reason behind the U.S. Department of Commerce’s new effort, announced last month, to develop a collaborative privacy framework modeled on the NIST Cybersecurity Framework (NIST CSF).

As I’ve outlined in earlier posts, the NIST CSF was the U.S. government’s attempt to help organizations become more cyber resilient without imposing federal regulation. It was first published in 2014, and version 1.1 came out earlier this year. It is a framework rather than a regulation: NIST CSF offers guidelines built around a set of very specific actions that enable organizations to run more successful security programs.

As attention increasingly shifts to privacy concerns in the U.S. and around the globe, NIST is again embarking on the creation of a comprehensive blueprint. The NIST CSF has been very successful, so there’s no reason to think that new voluntary guidelines for managing privacy risk, furthering protections and delivering practical tools that allow for continued innovation won’t be equally helpful. We can speculate that NIST will officially publish this new Privacy Framework by 2021. For more on what the framework will likely look like, read my recent article in FCW magazine, A Necessary Plan for Managing Privacy Risk.

In the meantime, how are you doing with NIST CSF? Are you using it to bolster your organization’s security? Is it helping you create cyber resiliency by default? Or maybe you aren’t sure what it is or how to get an implementation started at your organization. If that’s the case, watch my quick new Cybersecurity Insights video that introduces NIST CSF. And while you’re at it, check out our full Cybersecurity Insights video series on YouTube.

You can also read my detailed look at the 5 specific actions NIST outlines in this blog series.

Video transcript:

Hey! Josh here from Absolute. In this week’s episode, we’re going to look at the NIST Cybersecurity Framework, or NIST CSF. I’ll go into the 5 pillars of NIST in future videos, for now let’s do a quick overview.

The NIST CSF calls for actions any IT and security teams can do to create resilience-by-default.

Those actions are: Identify, Protect, Detect, Respond, and Recover.

First up, Identify or SEE EVERYTHING. But this is not just an inventory of resources...

We need to put a finger on hidden weaknesses and vulnerabilities.

99% of successful attacks hit existing vulnerabilities that are either hidden or unresolved.

#2, Protect (or build a moat). The Protect pillar gives us techniques to safeguard data:

Access Control to solve overly permissive access,
data security to blanket information to prevent escape,
protective technology so we don’t have to do all this by-hand, and training to keep our users in-the-know about cybersecurity.

They simply do not know what you know. Teach them. Everyone wins.

#3, Detect...which invites us to go looking for trouble.

Once we have a strong baseline — identify and protect — we can fine-tune what makes something an anomaly. Then, watch the baseline with a keen eye to see if anomalies pop up, and reflect on what we’ve found so we can keep getting better.

#4, be responsive. The Respond pillar shows how to plan, communicate, analyze, mitigate, and improve incident response.

Response planning and communication give you the connective tissue that helps defuse security incidents.

With analysis and mitigation directed toward the goal of swift recovery.

And...#5. Recover. This is where we iterate and adapt. NIST pushes us to learn from what’s happened and adjust controls to bounce back stronger than ever.

By questioning assumptions and taking our new knowledge of what can happen, we influence security measures that will protect us against an unknown future.

Putting the NIST CSF in place can lead to acute anxiety and fear. These base instincts are part of being human; we fear what we do not understand.

But...as you’ll see in later episodes, the NIST CSF is only formalizing what you’ve done for years. This is nothing new.

There is nothing to fear. Nothing.
