In corporate America and today’s society, Internet use in engrained into everyday life. Accessing vital information including medical, financial, personal, or corporate with the use of emails, online banking, government, web portals and medical records from both a professional and personal standpoint has become a way of life and a dependency that we rely upon to provide increased effectiveness, efficiencies and conveniences in our life. Governments, military, corporations, financial institutions, hospitals and other businesses collect, process and store a great deal of confidential information on computers and transmit that data across networks to other computers. With the growing volume and sophistication of cyber-attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security. There are threats [both domestic and foreign] which seek to exploit user and corporate information for their advantage and personal gain. Protecting confidential information from threats and misuse is the responsibility of the data owners and the users. But are owners and users being diligent protecting this information and do they have the knowledge and understanding to really be effective in carrying out this important initiative. Statistics would clearly indicate that the US as a whole is ineffective since from 2006 to 2012 the reported incidents to the US-CERT increased by 782% and there does not appear to be solid evidence to demonstrate there is a significant decrease in the rate of increase.
In response to the need for enhanced Cyber Security and to protect the information of the United States and its citizens from potential harm the president signed Executive Order 13636. The executive order is designed to improve the US Infrastructure as it relates to Cyber Security. The goal of the Executive Order is to improve both public and private sector US Cyber Security Awareness and response through a coordinated effort. The Order provides a voluntary Cyber Security framework to align and promote cyber security between the public and private sector.
The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. While the framework would not be considered to be the holy grail of information security it does provide a solid guidance at describing an approach designed to reduce and mitigate risks associated with an organizations critical infrastructures and will most likely become the baseline for what is considered commercially reasonable if an organization’s cyber security practices are ever questioned during a regulatory investigation or litigation.
Why adopt the voluntary security framework
Foolproof cybersecurity protection does not exist. But by taking a practical approach using the steps defined within the framework can provide an effective method for a company to be better positioned to mitigate cyber risks and defend its practices for meeting industry standards when things go wrong. The frame work is designed to be tailored and easily adapted to each specific business or industry and how extensively a company might manage its cybersecurity risks to better address the risks based upon a summary of best-practices. It provides companies with standardized criteria for analyzing and mitigating risks that is focused on the type of critical information maintained by the organization. The risks are organized around five core activities that a company's management and IT security teams routinely must perform when dealing with security risks: identify, protect, detect, respond, and recover. For each of these activities, the framework sets out a number of methods, practices, and strategies it recommends for effectively minimizing cyber risk.
Since there is no one implementation of the framework that represents the perfect answer, the final cyber security program and oversight can be tailored to your organization’s specific risk appetite. Thoughtful consideration needs to be given to the assessment to ensure it is practical and sustainable for your organization. If you are considering voluntarily adopting the cyber security framework and would like more information on the approach or assistance with your cyber security program development and assessment, please contact Eric Wright of Schneider Downs by phone at (412) 697-5328.
© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.