Canadian enterprises and governments should adopt a just-released American government framework for tightening IT security of critical infrastructure, says a security consultant.
“I don’t think we should re-invent the wheel,” Kevvie Fowler, a partner in the forensic advisory services practice at KPMG Canada, said of the guidelines released this week by the federal National Information Technology Laboratory (NIST). “If you look at what has been done, it already leverages concepts from internationally-adopted standards like ISO 27001/2 and a few others.”
In 2010 the Harper government announced a national strategy to better protect critical infrastructure, calling for the public and private sectors to work together on addressing risks. But two years later the Auditor General released a report complaining that the strategy still didn’t have an action plan. That plan has since been completed.
Public Safety Canada has released a guideline of best practices for incident response. However, Fowler said the NIST document goes further.
Meanwhile, as part of its effort to work on an infrastructure security plan, the Canadian government is holding an invitation-only conference in New York at the end of the month.
Called a Framework for Improving Critical Infrastructure, it’s aimed at organizations, regulators and consumers to create or improve cybersecurity programs.
The document provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses, NIST says.
“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher said in a statement. “It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”
In short, it’s a series of best practices.
NIST says organizations can use the framework to determine their current level of IT security, set goals and establish a plan for improving or maintaining their cybersecurity. It also offers a methodology to protect privacy and civil liberties (according to U.S. law) to help organizations incorporate those protections into a comprehensive cybersecurity program.
Within the framework, which will be updated periodically, there are three main elements: the core, tiers and profiles. The core presents five functions (identify, protect, detect, respond and recover) that, taken together, allow any organization to understand and shape its cybersecurity program. The tiers describe the degree to which an organization’s cybersecurity risk management meets the goals set out in the framework. The profiles help organizations move from their current level of cybersecurity sophistication to a target improved state that meets business needs.