In response to the February 2013 executive order released by President Obama, titled “Improving Critical Infrastructure Cybersecurity”, the National Institute of Standards and Technology (NIST) has undertaken the vital task of developing a new set of guidelines and standards to promote better cyber security practices in both the public and private sector. Known as the NIST Framework, this document is intended to be “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”
Throughout the development of the NIST Framework, the ISA has been a major contributor, traveling across the country to participate in NIST development workshops, where ISA provided valuable insight and advice on cyber security best practices. The Framework incorporated existing security measures that were suggested by ISA at the NIST-sponsored workshops and through previous calls for submission, including the measures articulated in the Verizon-Secret Service “Data Breach Investigation Reports” as well as aspects of those articulated in the ISA-ANSI publications: “Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask” and the “Financial Management of Cyber Risk: An Implementation Framework for CFOs.”
When asked what organizations should view as the greatest challenges to cyber security, ISA indicated that economics, misaligned incentives, and the need for a broader perspective — including elevating cybersecurity issues to the board of directors level — are three major needs in the cyber security community. This contrasts with the traditional response that the need for more advanced technology is the most concerning factor.
ISA has continued to be called upon during the development process to provide critical analysis of the NIST Framework. The ISA has been vocal in expressing the need for upper-management, non-IT employees to be active in and knowledgeable about cyber security, and has advised NIST to include this in the NIST Framework. The ISA has also indicated to NIST that prioritization of measures and cost-benefit analysis should be included, as specified by the President’s executive order.
In addition to providing commentary, research, and advice regarding the NIST Framework, working with the ISA has allowed NIST an opportunity to gain valuable insight from ISA’s board of directors — all experts in cybersecurity.