Regulation & Compliance

From Framework to Application: Security Ratings and NIST

Ben Fagan | April 21, 2015

This is the introductory post in a series exploring how security ratings can address key aspects of the National Institutes of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The purpose of these posts is to outline how security and risk professionals can leverage BitSight’s ratings to drive better risk management through the lens of the NIST framework.

While the mega-breaches affecting retailers, healthcare organizations, and others continue to grab headlines, some cyber security threats are largely overlooked. One such issue is the security problems that affect our nation’s critical infrastructure. This infrastructure includes all virtual and physical assets and systems that are crucial to daily functioning of our way of life, or, as the Department of Homeland Security puts it, “We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.”

Though it is hard to quantify the full extent of cyber threats to critical infrastructure, one Ponemon survey found that 70% of critical infrastructure firms had been breached in the last year. In order to address these issues, government officials and agencies government official and agencies have been looking for solutions to the growing problem of data security within the nation’s critical infrastructure. In February 2013, President Obama signed Executive Order 13636, mandating that all entities that fall within the nation’s critical infrastructure must adhere to a new cybersecurity framework put forth by National Institute of Standards and Technology (NIST). This framework provides five key core framework functions along with more specific categories that provide references to best practices from other guidelines, such as the Control Objectives for Information and Related Technology (COBIT), the ISA99 Industrial Automation and Control Systems Security, among others.

While voluntary for organizations that are not part of the nation’s critical infrastructure, there has been a concerted effort to encourage widespread adoption of this framework. NIST notes that an organization “can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.” It’s clear that this framework is not being pushed as something to overhaul a company’s security programs, yet rather encourage better risk management practices within an organization by adopting key best practices. The private sector is beginning to recognize this with firms such as PwC actively promoting the adoption of the framework and noting that it will likely be used as a standard for future legal rulings.

Outside-in ratings of a company’s security performance can directly address key components of the NIST guidelines. This blog series will look at how Security Ratings can address key aspects of the five Framework Functions: Identify, Protect, Detect, Respond, Recover. By gaining insight into security performance with quantitative ratings, business can promote security awareness, identify threats, continuously monitor networks and more. By adopting this Framework in conjunction with outside-in, objective ratings, businesses can move to better risk management of growing cyber threats.


Part 2 In This Series | From Framework to Application: Identify with BitSight

Suggested Posts

FFIEC IT Handbook Updates: Business Continuity Is 2020 Focus

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which...


Australian Companies Now Have 6 Months For APRA Compliance

Early in 2019, unknown threat actors attempted to hack the Australian federal Parliament’s computer network and the servers used by every politician, staffer, and security officer in Parliament House. Authorities believe there is a strong...


Texas Senate Bill 820: New Regulation Takes Aim at Cyber Threats in Education Sector

Schools and colleges are facing an alarming increase in cybersecurity incidents. Some hackers seek ransoms while others see value in scooping up personally identifiable information to sell to identity thieves.


Subscribe to get security news and updates in your inbox.