07 Dec 2016
Should financial institutions use NIST guidance, even if it isn’t written for government agencies?
I think so. And it looks like the government angle will be going away, making the guidance more applicable to financial institutions than it already is.
If you’re not familiar with NIST, it is the National Institute for Standards and Technology. It could be considered the United States’ equivalent of ISO, or perhaps an expanded version of COBIT regarding a series of documents that provide guidance on Information Technology topics. NIST covers such diverse topics as communications, energy, bioscience, and of course our favorite cybersecurity. To give you a picture of the scope of NIST documentation, there are 749 individual publications on cybersecurity alone.
Until recently the intended audience of the major NIST publications like 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” was, as the name implies, federal government entities. Hence the word ‘Federal’ in the title of the NIST document. However, as Eric Chabrow points out in his October 24, 2016 article on bankinfosecurity.com, the intended use of NIST 800-53 is changing. The upcoming release of 800-53 version 5 is being reworded to drop ‘Federal’ from the terminology and appeal to a wider audience of non-government entities.
Before this proposed change in approach, NIST was already useful. There are three key benefits of using NIST guidance. It is free, it provides comprehensive guidance, and it integrates well with FFIEC guidance. Unlike other cybersecurity guidance like the ISO 27000-series, COBIT, or the 20 Critical Security Controls (at least for us IT GRC software makers) NIST is free to download and use. Not that these other frameworks are horribly expensive but hey, free is free.
Even at a cost of zero NIST provides comprehensive cybersecurity guidance. Need guidance on an IT Risk Assessment methodology? Check. Need a framework of security controls to build your security program around? Check. Need a definitive explanation on what cloud computing is? Check. Looking for recommendations on block cipher modes of operations (and who isn’t)? Check. With so many publications related to cybersecurity, NIST provides guidance on pretty much everything you’ll ever need.
The other primary benefit of NIST guidance is its integration with FFIEC requirements. The FFIEC Cybersecurity Assessment Tool (CAT) published in June 2015 was built to integrate with the NIST Cybersecurity Framework. When the FFIEC released the CAT, it also provided a mapping from the declarative statements (a.k.a. security controls) to the NIST Cybersecurity Framework. And some of the language contained in the CAT appears to come straight out of the NIST Cybersecurity Framework.
Now that the guidance published by NIST will be written for a wider audience, its usefulness to financial institutions is even greater.
If you are on the hook for performing IT Risk Assessments for your organization, you can learn more about Rivial’s risk assessment methodology here.
Our methodology is based on NIST with some cool tweaks that make life easier with a simplified approach.