GHancock

Your 3 Recommendations from the 6th Workshop


It was a good two days' worth of discussions in Tampa last week, as participants traded stories and ideas about how to implement the NIST Framework.

Several topics kept coming up:

--Information sharing

--How to implement the Framework against other standards (is there a baseline we can all start from?)

--Workforce development


Did anyone else consistently hear other topics or issues?

What are your top 3 actions/ideas on the above data?


I'm sorry I couldn't attend, so if this information was already covered, please disregard.  Here are a couple items that may be useful.


How to implement the Framework against other standards:  Symantec has an "IT Security Controls" poster that is a very good crosswalk between different standards.  It is a bit unwieldy in the e-format, but if you can print it out to about 24" x 50" (for the back of a door) it is a very handy reference.  Add your own company standards/P & P and you have a good cross-reference to help if you have to meet other standards.


Workforce development:  ACSAC does a good annual conference that tends to have a lot of NIST content.  It's worth checking it out.  I attended in 2012 and learned a lot about the SP 800-53 rev 4 publication before it came out and was able to prepare ahead of time.  The NIST presenters were very helpful.  You can also contact NIST authors via email if you have questions or need additional guidance help.


Information sharing:  Has a regular (monthly, perhaps) teleconference been tried as a touchbase or information sharing venue?  Is there any interest in it?


Here are several important conclusions that emerged at the end of the workshop:

The Framework is clearly being used as a risk management tool that helps communicate both across the peer groups and vertically within the organization and is applicable in multiple sectors.

The community is not ready for Framework 2.0 and NIST will hold off on any revisions for some time. The Framework has only been out for 8 months and it is too early in the process to make changes.

The Framework is absolutely voluntary and NIST will not be engaging in any kind of "conformity assessment" activities that would measure conformance with the Framework. The terms used were "gain confidence" against expectations. Conformity assessments can be one of the ways to gain confidence but NIST does not plan to develop or implement a specific conformity assessment methodology.

The Framework is being noticed internationally evidenced by United Kingdom (UK) Government and European Network and Information Security Agency (ENISA) panelists and Japanese participants. UK Government is now recommending that organizations that don't already have some sort of cybersecurity approach use the Framework to get started. ENISA is looking for closer alignment of EU cybersecurity initiatives with the Framework.

While many are aware of the Framework, further awareness of the Framework is required especially by the organizations that are just beginning their cybersecurity journey.

More outreach to State and Local governments will help emphasize that the Framework provides a useful communication vehicle for conversations about cybersecurity.

There is still a gap in how to communicate cybersecurity matters to the Executives and Boards of Directors. While Framework is helpful, further "translation" is needed to communicate in the business language.

There is also a gap on how to implement the individual subcategories beyond the outcome-based statements in the subcategories.

Case studies and illustrative examples of "how to start" would be most useful for the community.


Nadya, no disagreements, but additional thoughts:


"The Framework is clearly being used as a risk management tool that helps communicate both across the peer groups and vertically within the organization and is applicable in multiple sectors."

Those using it as a risk management tool tend to already have risk management capabilities and/or knowledge in house (or, it seems that way).  So a clearer takeaway might be, IMO, that the Framework is usable as an augment to Risk Managed environments but that the tools with which to do so are not entirely contained in the framework itself. Work needs to be done (in the community) to develop and publish linking patterns.

"There is still a gap in how to communicate cybersecurity matters to the Executives and Boards of Directors. While Framework is helpful, further "translation" is needed to communicate in the business language."

Beyond communicating cybersecurity matters to the Executive and the Boards of Directors (which other tools, or even just the media, are starting to do), the Framework also does not address a related but perhaps more important gap: It does not provide many insights into how Executives and Boards can use the many, various levers at their disposal to improve cybersecurity in their organizations.  The focus seems to be (implied) on sustaining or increasing funding for CISO type shops or "Planning" - but the "Planning" type of advice is unhelpful in that it typically does not describe specific Exec/Board levers beyond funding.
