Federal Laws May Affect Cybersecurity Legal

Security Magazine has the story:

http://www.securitymagazine.com/articles/86057-understanding-the-new-federal-cyber-laws

The CEA (Cybersecurity Enhancement Act of 2014) is the most significant of the December bills, both in breadth and likely in significance.

NIST (National Institute of Standards and Technology) has set up a Cybersecurity Framework that is very flexible for companies to follow (NIST Cybersecurity Framework document, February 12, 2014).


The interesting paragraph is the last one:

The implications of the CEA give companies something to think about.  Since courts and regulatory bodies lack laws to guide their decision making process in this area, they likely will turn increasingly to NIST as having set the standard of what good security processes look like.  As a result, organizations that strive to make their cybersecurity controls more robust may be well-advised to turn to the same NIST standards as a baseline for exploring their risk and setting their controls. Companies that have not already implemented an internationally recognized set of cybersecurity standards (such as ISA, ISO/IEC, or COBIT) will find that, by using the NIST standards to inform their cybersecurity protocols, they can get ahead of the game should clients or regulatory bodies begin asking for the basis of the cybersecurity posture.

Doing nothing about the NIST Framework leaves you open to potential lawsuits. The writer of the article is legal counsel for CrowdStrike, so there is a little bit of promotion here, but there is a point to be made.

If you continue to do nothing then the courts will make you pay.

So what is the NIST framework anyway?

It is a very basic categorization of Cybersecurity:

Framework Core elements:

  1. Functions
    1. Identify, Protect, Detect, Respond, and Recover
  2. Categories
    1. Asset Management, Access Control, Detection Processes
  3. Subcategories
    1. Further subdivisions of the categories, such as "Data-at-rest is protected"
  4. Informative References


There are also Implementation Tiers, where Tier 1 is Partial and Tier 4 is Adaptive. The Framework recommends that you move from Tier 1 to a higher Tier when you can.

Tier 2 is Risk Informed, and Tier 3 is Repeatable.

The Framework Profile is the alignment of the Functions, Categories, and Subcategories with business requirements, legal requirements, and industry best practices.

This Framework is a defined way to improve cybersecurity practices in a manner that can be measured and improved over time. Since many executives are unsure of where to go and how to start, the Framework says you can start even in a small way (the Partial Tier), where only a few of the suggested practices are actually followed.


The idea is to make incremental improvements year after year.


I would be happy to help you decipher this for your organization. – Contact Us
