As US companies face evolving cybersecurity and privacy laws and regulations, the National Institute of Standards and Technology (NIST) continues to publish helpful resources. The NIST Cybersecurity Framework (CSF) 2.0 “provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks.” NIST’s cybersecurity framework “explicitly aims to help all organizations — not just those in critical infrastructure, its original target audience — to manage and reduce risks.”
The CSF 2.0 is useful in linking high-level cybersecurity concepts to practical steps that any organization can use. It starts with an assessment of six core functions at the organizational level:
- Govern: the organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Identify: the organization’s current cybersecurity risks are understood.
- Protect: safeguards to manage the organization’s cybersecurity risks are used.
- Detect: possible cybersecurity attacks and compromises are found and analyzed.
- Respond: actions regarding a detected cybersecurity incident are taken.
- Recover: assets and operations affected by a cybersecurity incident are restored.
The framework “describes what desirable outcomes an organization can aspire to achieve. It does not prescribe outcomes nor how they may be achieved.”
Similar to developing a Privacy Program, this flexibility is essential to create a program that is appropriate to the organization. As we noted in Developing a Privacy Program:
“Planning includes assessing the nature of your business operations, the records you maintain, the systems you use, the jurisdictions you interact with, and the legal requirements that may apply. It is not just about using a template handbook or a lofty privacy statement; rather, it is about creating a privacy culture in your organization. Through that culture and the privacy team, professionals, including our office, and partner IT companies, your business will have a solid guide for the implementation that follows. In support of this plan and the implementation below, Cyber Risk Insurance should be evaluated and planned for. Neither insurance nor planning is sufficient on its own; rather, they act in concert to protect your company.”
Following these initial assessment and planning steps, the CSF 2.0 goes deeper into the means and methods of implementing and operationalizing a corporate cybersecurity program. CSF 2.0 also links to NIST’s vast trove of online resources, templates, QuickStart Guides, and other tools for planning, implementing, and training your corporate cybersecurity program.
If you have questions about your corporate cybersecurity, data protection, or privacy program, contact our office to discuss your specific organizational needs.