We’ve been following events related to the Executive Order on Improving Critical Infrastructure Cyber Security. Earlier, we discussed public comments made during NIST’s first public workshop and explored how managed file transfer principles might affect and/or shape the cyber security reform process. At that time, we noted: “There seems to be agreement among all involved that a ‘checklist’ approach, like that in PCI-DSS, is not the best alternative. Business professionals want a risk-based system that is flexible, scalable, and not complex.” Based on a recent publication from NIST, it appears that a substantial majority of private sector business leaders favor such a risk-based approach for the cyber security framework.
“Initial” Cyber Security Analysis
The NIST publication to which we refer is a paper captioned “Initial Analysis of Cyber Security Framework RFI Responses” (“Initial Analysis”). In its Initial Analysis, NIST surveyed the 243 responses received thus far and gleaned from them a total of 18 recurring “themes,” which it then slotted into three separate “categories.”
The first category is called “Framework Principles” and is described as “[c]haracteristics and considerations the Framework must encompass.” In other words, this category contains the “must-haves” from NIST’s perspective based on public comments received thus far. NIST included four themes in this category, among them:
- Impact on Global Operations
- Risk Management Approaches
- Leverage Existing Approaches, Standards, and Best Practices
The second category is called “Common Points” and is described as “[p]ractices identified as having wide utility and adoption.” We refer to this category as the “definite maybes.” NIST included the following seven themes in the “definite maybes” category:
- Senior Management Engagement
- Understand Threat Environment
- Business Risk/Risk Assessment
- Separation of Business and Operational Systems
- Models/Levels of Maturity
- Incident Response
- Cyber Security Workforce
The third category is called “Initial Gaps” and is described as “those areas where RFI responses were not sufficient to meet the goal of the Executive Order.” We refer to this category as “don’t know yet.” NIST included seven themes in the “don’t know yet” category, among them:
- Metrics
- Tools
- Privacy/Civil Liberties
- Industry Best Practices
- Critical Infrastructure Cyber Security Nomenclature
The Initial Analysis covers a lot of ground. The “Initial Gaps” category contains several themes relevant to the managed file transfer field, including “metrics,” “tools,” and “industry best practices.” But the issues in that category are not yet developed enough to examine in any depth. So for now, we will focus on the “Framework Principles” (i.e., the must-haves) category and offer some thoughts from a data security/managed file transfer perspective.
The Framework Principles are Definitely Must-Haves
We agree with NIST’s assessment of the Framework Principles as must-haves, and that the themes within this category are necessary. Perhaps the best way to explain why is to consider the themes as applied to a particular industry segment, the financial services industry (“FSI”).
FSI Already Faces Many Data Security Requirements
For the theme “leverage existing approaches, standards, and best practices,” NIST provided the following explanation: “Owners/operators [of critical infrastructure] should not have to manage overlapping or duplicative approaches, dual standards and conflicting requirements.” That applies especially well to FSI.
FSI institutions are subject to an array of data security laws and regulations. The industry is required to conduct periodic cyber threat/vulnerability assessments in collaboration with other regulatory and law enforcement authorities. Thus, financial regulators obtain vast amounts of information on FSI institutions, critical assets and processes, and potential vulnerabilities. Individual institutions also conduct risk assessments for all critical business functions, including data security, to identify and mitigate vulnerabilities. The adequacy of risk assessment processes and methodologies is reviewed by the individual institution’s primary regulator as part of the regulatory examination process.
Given this, it would make no sense to add another layer of requirements on top of an existing, well-conceived regime for ensuring cyber security. Rather, the framework should integrate with, and build upon, existing standards.
FSI Operations are Global
FSI institutions operate in a digital communications ecosystem that is increasingly global. Most of our FSI customers are large, multi-national organizations that transmit data around the world, whether it is sent to internal departments/groups or to external business partners. Thus, the cyber security framework should align U.S. and international standards to reduce conflicts and duplication of effort. Or as one FSI association put it: “[NIST should] ensure the framework consists of generally applicable standards and guidelines that can be modified by industry to fit varying businesses, practices and local-law requirements across the globe and can respond to potential worldwide cyber threats.”
A Flexible, Risk-Based Approach is Essential
For the theme “risk management approaches,” NIST provided the following explanation: “The Framework should encourage the use of risk-based approaches rather than compliance-based approaches.” More than 80% of all the respondents touched on this theme, making it the most prevalent private sector concern. One respondent summarized this concern: “Standards and approaches tend to become audit guidelines and the application of and attainment of these approaches becomes a goal in itself. This discourages innovative risk management and commits resources to compliance-based processes.”
We are not surprised. All our customers, but especially our FSI customers, are ever vigilant with respect to governance, risk and compliance issues. We are often consulted by FSI organizations when they are engaged in risk management assessments regarding data security. We help such organizations scope and analyze their data security processes and file transfer flows, and we help design a managed file transfer solution that allocates protective resources according to where failures are most likely and most damaging.
What Does All This Mean For Your Organization?
The best way to protect your organization from a cyber attack is to be prepared. Data risk assessment is an area that will require more dedicated effort in the future. A risk-based approach means more than just recycling policies and conducting audits. First and foremost, it requires developing a complete understanding of your data flows. An effective risk-based approach is a continual process of identifying risks of data breach, assessing the risk levels, developing and implementing appropriate protective measures, and measuring the effectiveness of the protective measures.
We will continue monitoring events associated with the Executive Order and keep you updated on developments. In the meantime, feel free to contact us if you have any questions, or if you want our data security experts to analyze your infrastructure to determine how best to protect your valuable and confidential data.