The Department of Commerce Provides Website Owners with High-Level Security Guidelines
The DoC issued the NIST Cyber Security Framework in February 2014. NIST stands for National Institute of Standards and Technology. Its framework organizes security around five functions: Identify, Protect, Detect, Respond, and Recover. These represent the high-level activities that help organizations make sound decisions around risk/threat management and forward improvement. Let us explain:
- Identify: failures to maintain processes for receiving, addressing, or monitoring reports about security vulnerabilities;
- Protect: providing broad employee administrative access to data systems; failure to secure sensitive data in transit; and failure to appropriately manage the removal, transfer, or disposition of data;
- Detect: failures to use processes to identify unauthorized intrusions into networks and systems (i.e., monitoring), and unauthorized external disclosures of personal information;
- Respond: repeated failures to improve incident response procedures despite multiple data breaches, and failure to notify consumers of known security vulnerabilities associated with products;
- Recover: consent orders that include requirements to proactively notify consumers about security vulnerabilities and remediation measures, and to work with security vendors as part of sustaining secure products/services.
Each function maps to key categories of desired outcomes (e.g., “Asset Management,” “Access Control”). Each category then expands to a series of more specific outcomes and technical/management activities. These are then tied to dozens of “informative references,” such as ISO/IEC, ISA, and COBIT, which are well-established implementation standards. The Framework doesn’t include specific practices or requirements. Instead, it’s meant to facilitate an iterative process that involves “detecting risks and constantly adjusting one’s security program and defenses.”
Companies that use the NIST Cyber Security Framework must also comply with the rules of other respected bodies, such as the FTC and the Payment Card Industry. Those that accept or process payment card data, or that provide technology related to it, must comply with the applicable Payment Card Industry (PCI) rules, including the PCI Data Security Standard (PCI DSS) and its implementation protocols.