National Institute of Standards and Technology (NIST)
What is the NIST cybersecurity framework?
In February 2013, President Obama issued Executive Order 13636 (EO 13636), titled “Improving Critical Infrastructure Cybersecurity.” EO 13636 calls for a one-size-fits-all, easy-to-understand framework to help critical infrastructure manage cybersecurity risk.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that helps US federal agencies to cost-effectively protect information systems. It develops and releases standards, guidelines and other resources (including publications) to guide information security management system implementations in accordance with its established standards.
NIST implementation and compliance
NIST expects all federal agencies (with the exception of national security agencies) to be compliant with its security standards and guidelines, which help organizations to become more technologically secure and advanced. While businesses may be at different points along their information systems development, they are expected to be in compliance upon deployment.
NIST has a seven-step approach to cybersecurity:
- Prioritize and scope
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement an action plan
Accountability and auditing
Organizations audit information security measures to understand the effectiveness of their systems, policies, processes and procedures. Auditing helps a business to identify its cybersecurity roles and responsibilities, and to ensure accountability organization-wide. Cybersecurity auditors evaluate security controls for proper server maintenance and performance, and to ensure security policies are being enforced, among other factors.
Cybersecurity strategy, policies, and procedures are reviewed for effectiveness and efficiency, and to identify areas for improvement. A company will determine the scope of its audit, which events are monitored and the level of detail captured in audit logs. The audit logs are monitored regularly for suspicious activity; anomalous events are investigated and reported on.
Although there are no formal penalties for failing to implement the NIST framework, there are several notable advantages. NIST provides a framework to help federal agencies gain compliance with HIPAA, FISMA, and SOX, on which agencies are graded annually.
ISO 27001 and NIST
The relevance of the NIST standards is limited to the mandates provided by US legislation. ISO 27001, on the other hand, is an international standard that is relevant globally and is often used by organizations with an international presence. It may be appropriate for organizations with an international footprint to consider conformance to both frameworks. This is true for multinationals such as Google, Microsoft, and Salesforce, which are compliant with both.
ISO 27001 is the internationally recognized best-practice standard that lays out the requirements of an information security management system (ISMS). The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO 27001:2013 was developed to harmonize with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.
Further, the additional external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders—essential for securing certain global and government contracts.
How ISO 27001 can help you comply with cybersecurity legislation
Improving your cybersecurity posture and complying with regulations and multiple federal laws and state legislation can be confusing.
Why IT Governance?
IT Governance is a specialist in the field of information security and IT governance and has led more than 400 successful certifications to ISO 27001 around the world.
IT Governance’s ISO 27001 DIY solutions give US organizations online access to world-class expertise. Each fixed-price solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and for a budget appropriate to your individual needs.