NIST Roundup: Frameworks and Profiles and Standards, Oh My!


Posted on by RSAC Editorial Team

In a digital world hungry for data, privacy has become the focal point for organizations. Privacy mainly applies to critical personal information and the rights users have over the control of that information, while security focuses on how that data is protected. Privacy and security, while often defined differently, go hand in hand. Therefore, it comes as no surprise that privacy and security regulations, standards and best practices often share a number of commonalities.

How to tackle the challenge of addressing and simplifying the myriad of compliance requirements around security and privacy was featured in several sessions at this year’s RSA Conference. In “Compliance Made Easy—Simplify Your Approach to Privacy,” Kelly Hood and Mike Green of Optic Cyber Solutions walked through an example scenario to show how to bring regulatory requirements and standards into a single place using the NIST Privacy Framework. Hood and Green pointed to the example of the requirements and controls around data inventory practices across NIST, CCPA and ISO. They demonstrated a simple way for organizations to map the similarities against the NIST Privacy Framework, define where they are today and identify the gaps that need to be addressed.

In “Death to CIA! Long Live DIE! How the DIE Triad Helps Us Achieve Resiliency,” Sounil Yu, CISO at JupiterOne, discussed how security has evolved through different eras from the 1980s to today. He noted that each era had followed a pattern that maps into the NIST Cybersecurity Framework. “Back at RSA Conference in 2017, I predicted that if this pattern follows its course, in the 2020s, we are going to face recover-oriented challenges in the form of irreversible and destructive attacks that undermine our ability to recover,” stated Yu. “You could say the 2020s is the age of resiliency.”

Yu introduced the concept of a new security model that replaces the well-known and highly recognized CIA Triad (Confidentiality, Integrity, Availability). The DIE Triad (Distributed, Immutable, Ephemeral), Yu explained, helps us become resilient against attacks, “not by simply stopping attacks but rather by making them irrelevant.” Yu made the distinction with a fun analogy often used by DevOps teams: pets vs. cattle. Yu explained, “Pets is how we built machines in the past. When our machines had a vulnerability or problem, we took it to our cyber veterinarians to patch it and make it better. Cattle, on the other hand, are branded with an obscure, unrecognizable name you can’t pronounce. When it gets sick, you basically cull it from the herd.” In one example, he referred to customer data as being a “pet,” which can be turned into “cattle” with privacy-enhancing technologies such as tokenization.
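As an added illustration of the “pet to cattle” point (not code from Yu's talk or from any product), the Python below sketches a vault-based tokenizer: the record that leaves the vault carries only random tokens, so copies of it can be replicated freely and, once the vault mapping is purged, become worthless to anyone who holds them. The `TokenVault` class, the field names and the customer values are all constructed for this example.

```python
import secrets

# Constructed customer record; every value here is invented for the example.
CUSTOMER = {"id": 1042, "name": "A. Example", "ssn": "123-45-6789", "email": "a@example.test"}
SENSITIVE_FIELDS = ("name", "ssn", "email")


class TokenVault:
    """Hypothetical vault-based tokenizer: the only place raw values live."""

    def __init__(self):
        self._by_token = {}   # token -> raw value
        self._by_value = {}   # raw value -> token, so repeats map consistently

    def tokenize(self, value):
        if value in self._by_value:
            return self._by_value[value]
        # Random token: carries no information about the value it replaces,
        # unlike a hash, which an attacker could test guesses against.
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]   # KeyError once the mapping is purged

    def purge(self):
        # Ephemeral: dropping the mapping makes every copy of the tokenized
        # record useless without having to find and delete those copies.
        self._by_token.clear()
        self._by_value.clear()


def tokenize_record(vault, record, fields=SENSITIVE_FIELDS):
    """Return a copy of record with the sensitive fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def leaks_sensitive(tokenized, record, fields=SENSITIVE_FIELDS):
    """True if any raw sensitive value survives anywhere in the tokenized copy."""
    return any(record[f] in tokenized.values() for f in fields)


def restore_record(vault, tokenized, fields=SENSITIVE_FIELDS):
    """Reverse tokenize_record; only works while the vault still holds the mapping."""
    return {k: (vault.detokenize(v) if k in fields else v) for k, v in tokenized.items()}
```

The tokenized copy is the “cattle”: it can live in analytics stores or test environments, while only the vault needs pet-level protection.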

In “Three’s Company: Unpacking and Settling in with Three NIST Frameworks,” Christina Sames, David Weitzel and Julie Snyder of MITRE examined the components of the three NIST frameworks for Risk Management, Cybersecurity and Privacy and how organizations can bring them together to help in decision-making. In the session, the team presented a case study featuring an organization responsible for developing and designing a program for dynamic flight routing. Using the Risk Management Framework, a baseline of 450 controls was generated. Snyder noted, “This conveys the sense of overwhelm that a system or program manager often feels when they are determining, ‘How do I tackle all of this?’ ” By building a Cybersecurity Framework or Privacy Framework profile, Snyder demonstrated how the organization could narrow those 450 controls down to only 11 that are among the most critical to implement.

While the rapid shift to digital over the past year has taught us as an industry that we can act with unprecedented speed in the face of crisis and accomplish in months what may have taken years, regulatory demands, industry standards and risk management requirements are not going away. Just as we had to find new ways to live and work in a digital world, we must also find better ways to effectively manage security and privacy risk.

Contributors
RSAC Editorial Team

Editorial, RSA Conference
