By Henry J. Sienkiewicz, the former CIO of DISA and CyLogic’s Board Member
Security has always been about identifying who or what can be trusted to access data, and what they can do with that access. Early enterprise networks used a strong-walls approach: a single perimeter, akin to a moat around a castle, served as the line of trust delegation. In other words, gaining access to any point inside the perimeter was sufficient to establish trust, and anyone outside the perimeter was untrusted. This approach remains heavily in place today, but it has fallen behind in sufficiently securing networks and data in the modern technology landscape.
Increasingly sophisticated adversaries, intentional or unintentional malicious insider behavior, and new challenges such as cloud computing and bring your own device (BYOD) policies have made the task of securing data against threats increasingly difficult.
The “gold standard” in risk management framework is NIST’s CSF, and its operational implementation found within the FedRAMP program
Today, the “gold standard” in risk management framework is NIST’s CSF, and its operational implementation found within the FedRAMP program. The NIST CSF is widely recognized as an effective security framework for both private and public organizations, assisting them to move from being reactive to proactive when it comes to risk management and effective security posture.
Commercial organizations are increasingly adopting the risk management framework (RMF) found in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). This is the approach that should be taken by every organization that is truly concerned about securing its data.
The core of NIST’s CSF contains five functions: Identify, Protect, Detect, Respond, and Recover.
These functions were specifically chosen because they assist organizations in conveying their management of technological risk and enable educated risk management decisions.
The Identify function involves having an in-depth understanding of the organization and its systems, data, people, and assets, allowing the organization to focus and prioritize its efforts.
The Protect function acts as an outline to effectively ensure the safety of assets and the delivery of architectural services, hopefully limiting the possibility or impact of a cybersecurity event.
The Detect function is critical should there be a cybersecurity event as it highlights the activities capable of identifying the event, allowing for prompt discovery of the attack.
The Respond function demonstrates how best to contain the impact of a security incident so that it does not escalate into a major issue.
Lastly, the Recover function accentuates the activities appropriate for restoring any impaired capabilities or services, so that the organization can get back to normal business operations as quickly and smoothly as possible.
The NIST CSF risk management framework is ideal for all organizations to implement, regardless of size, as it is imperative to have a consistent and well-detailed methodology for managing cyber risk. Additionally, because of the framework’s outcome-driven nature, it scales well: it was designed with all types of data infrastructure in mind and is extremely versatile.
In today’s environment, organizations should require, in fact demand, the highest level of security
In today’s environment, organizations should require, in fact demand, the highest level of security. FedRAMP High is the optimal implementation of the strictest NIST standards.
As you face challenges with your current cloud services, you need to look for a robust enterprise solution for securing your data. The CyCloud platform provides that solution as a practical implementation in full alignment with the NIST/FedRAMP High framework for enterprises.
About the writer: Mr. Sienkiewicz is the former CIO of the US Defense Information Systems Agency (DISA), where he oversaw DISA’s Rapid Access Computing Environment (RACE) project, which was a reference foundation for the FedRAMP standards. He is currently on the faculty of Georgetown University, teaching cybersecurity. Mr. Sienkiewicz is also a member of CyLogic’s Board of Directors.