The NIST Cybersecurity Framework and the Impact on Your Organization
September 9, 2013 | Regulations, Audit & Compliance | Yariv Lenchner
The National Institute of Standards and Technology (NIST) recently published the Discussion Draft of the Preliminary Cybersecurity Framework, a key document in the NIST process of establishing a voluntary framework for reducing cyber risks to critical infrastructure in the US.
In this post, I want to address some proposed guidelines in the framework that have a specific impact on privileged accounts, and how CyberArk can help you address these upcoming guidelines.
The framework core provides references to cybersecurity activities that critical infrastructure operators should consider when developing their cybersecurity programs. Privileged access points have emerged as one of the vulnerabilities most heavily targeted by external attackers, and the framework addresses the critical issue of managing privileged users and remote access in several of its items.
This ranges from the requirement to “Perform identity and credential management (including account management, separation of duties, etc.) for devices and users” (Access Control - PR.AC-1) to the requirement to “Protect remote access to organizational networks to include telework guidance, mobile devices access restrictions, and cloud computing policies/procedures” (Access Control - PR.AC-4).
Several requirements cover the Awareness and Training (AT) function, both for internal privileged users (PR.AT-2) and for third-party stakeholders (PR.AT-3). CyberArk’s PSM solution is a great tool for meeting these: its pop-up screen message reminds privileged users (internal and external) that they are now working with a critical system and are expected to do so responsibly.
The last requirement to highlight here is the requirement to “Perform personal and system monitoring activities over external service providers” (DE.CM-6), another requirement that CyberArk’s PSM product addresses by allowing sessions performed by other users (such as external service providers) to be monitored and recorded.
NIST is expected to publish the Preliminary Framework for formal public comment on October 10, 2013.
On a related note, on Tuesday, Sept. 10th at 2:00 p.m. ET, we’ll be addressing recent updates to NIST SP 800-53 Rev 4 in a webinar with Dr. Ron Ross, a Fellow at NIST. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project and will be able to help organizations understand the important ramifications the potential changes have for Federal agencies that need to be FISMA compliant. Hopefully you can join us for this discussion.