Cybersecurity’s current moment in the spotlight, propelled by numerous high profile data breaches and cyberattacks in recent years (Wannacry, Target, Deloitte, etc), has most industry professionals nervously seeking guidance for their organizations in 2018. If your line of work involves information technology, one of the frameworks you’ve likely heard of in the last few years is NIST.
The National Institute of Standards and Technology is a non-regulatory agency of the US Department of Commerce with a mission to promote industrial innovation and industrial competitiveness.1 However, when someone refers to “the NIST framework” they may be referring to one of several different frameworks: the Cybersecurity framework, the Security and Control framework, or the Risk Management framework.
NIST’s Cybersecurity framework, released in 2014, focuses on building cyber resiliency - shifting an organization’s stance toward cyber attacks from a reactive one to a prepared state. As internal auditors, business owners, board members, and executives alike all seek to better understand how to build cyber resilient programs, NIST is an important agency and resource to get to know. Not only do its Cybersecurity and Security and Control frameworks overlap with many existing information security control frameworks, including CIS, COBIT, ITIL, but they are among the most detailed pieces of guidance accessible to professionals and senior management.
We spoke with a handful of risk management professionals - Ben Sady of Dixon Hughes Goodman; Andrew Cheng, CRISC, CISM, CISA; and Keith Snyder, Lindsay Timcke, and Dennis Christoforatos of DLA, a management consulting firm - to get their take on NIST and its importance today.
The NIST frameworks you should be paying attention to
The most commonly referenced NIST frameworks in our interviews were the 800-53 Security and Control framework and the Cybersecurity framework. The frameworks highlighted below are relevant to anyone making decisions about cybersecurity or implementing new IT policies in an organization.
800-53 Security and Control Framework
NIST 800-53 is a robust control framework with over 800 controls and enhancements for developing secure federal information systems. 2 Unlike other cyber frameworks that are more general in nature, NIST 800-53 is highly granular in its coverage of topics - from settings to physical security to asset management, HR, and legal. This framework works hand in hand with the 800-37 Risk Management Framework.
The cybersecurity framework is “voluntary guidance” for all industries considered critical infrastructure, including transportation, banking, healthcare, state and local government. 3 Developed in a collaboration between the government, academia, and the private sector and nested under the 800-53 Security and Control framework, it is its own risk management and control framework. Version 1.1 is due out in Spring 2018.
800-37 Risk Management Framework
The risk management framework lays out a standard process for performing a risk assessment; security and privacy control selection, implementation, and assessment; system and control authorizations; and continuous monitoring processes. Its purpose is providing management and leadership the information to make cost-effective, risk management decisions. 4 The Risk Management framework works hand-in-hand with the 800-53 Security and Control framework to ensure you have proper risk management and security around your system. It is the basis framework upon which other NIST publications are bolted onto.
How are organizations using NIST?
States like New York, Virginia, and Massachusetts are already pushing out mandatory security standards and regulations, choosing to align closely with NIST when customizing their frameworks.
Foundation for cybersecurity audits
Because NIST is so detailed, it gives a CAE with little IT knowledge the opportunity to properly scope different security reviews, as opposed to performing a high level cybersecurity audit. And due to its comprehensive guidance, firms that consult on cybersecurity may choose to use the Cybersecurity Framework as a central spine for building out a tailored cybersecurity program for clients.
“NIST is what we usually use as our base framework,” says Dennis Christoforatos, who works in the Internal Audit practice at DLA, a management consulting firm. “But while we focus on NIST, we take all the best components out of other frameworks as well. For instance, the New York State Department of Finance just released a set of regulations that focuses on such things as third party service provider security policies and multi-factor authentication, so those are pieces we add in. When assisting clients we try to look into more than just the framework, but what the industry is really heading towards.”
If a CIO or CISO has prior working knowledge of NIST, they may be inclined to implement NIST in their organization. But while NIST represents a desired state for cyber resilience, it may not always be practical to achieve it completely. Instead, companies can leverage NIST by implementing a selection of its controls, and bypassing those that aren’t as applicable or practical to employ.
“We’re probably not going to live up to NIST fully, but it’s the desired state and it would be good to reach it,” says Andrew Cheng, a risk and compliance professional working at a public company. His company decided to implement NIST 800-53 after having a cybersecurity review to strengthen their stature. “We compared it to other standards like CIS and general security controls and found that NIST 800-53 has so many guidelines and covers such a broad spectrum that it was good for us to see what high level expectations are and what our goal should be.”
Conversely, a company may have such complex information security systems that it will not only want to comply with NIST, but incorporate its adoption along with other information security compliance requirements found in regulations such as PCI, SOX, IT, HIPAA, and GDPR. In this case, the company could build out its own common control framework that meets many of those requirements and frameworks, including NIST.
“They can use a system like AuditBoard’s compliance management software to map their common controls to all of the other frameworks’ standard required controls - and then they can evaluate a control one time and apply the results to many requirements,” says Ben Sady, Director of Advisory Services at Dixon Hughes Goodman, a public accounting firm serving government contractors and public companies. “This ‘test once, apply to many’ approach can make their compliance program much more efficient.”
What does the future for NIST hold?
As boards and audit committees increasingly come to view cybersecurity as an investment that protects their bottom line as opposed to a cost center, NIST will only continue to grow in relevance. “Cybersecurity is likely one of the top risks most organizations are facing,” says Sady. “It should be on everybody’s internal audit plan as an audit to be performed on a regular cycle.”
Just as SOX was one of the original regulations that led to the widespread adoption of COBIT and COSO and helped transform the way the industry thinks about security compliance, NIST is predicted to have a similar impact. “Even if it’s not the NIST framework that becomes mandatory, they’re going to be pulling out components of NIST to put into other frameworks that become mandatory,” says Keith Snyder, a partner at DLA. “It will probably be a backbone to a lot of smaller or specific frameworks that may be specific to states, industries, etc.”
Stay tuned for the NIST 201: NIST Adoption Best Practices whitepaper. To learn how AuditBoard can help you map your NIST controls and manage your NIST framework testing, contact us here.