How does the Cybersecurity Framework created by the Department of Commerce's National Institute of Standards and Technology (NIST) align with the Federal Trade Commission's data security program?
"From the perspective of the staff of the Federal Trade Commission, NIST's Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s, the 60+ law enforcement actions the FTC has brought to date, and the agency's educational messages to companies, including its recent Start with Security Guidance," the agency explained in a new blog post.
The Framework—issued in February 2014 at the direction of President Barack Obama—uses five concurrent and continuous functions to provide a strategic view of the life cycle of an organization's management of cybersecurity risk: Identify, Protect, Detect, Respond, and Recover.
Each of these five functions signifies a key element of cybersecurity, Andrea Arias wrote for the FTC, and each of them relates to an area of the FTC's enforcement in the realm of data security. Take the Protect function, for example. NIST uses this function to provide guidance to organizations "to develop and implement appropriate safeguards to ensure the delivery of critical services and to limit or contain the impact of a cybersecurity event."
Many FTC cases highlight the alleged failure of companies to implement reasonable data security practices that the Framework emphasizes, Arias said. For example, in an action against Twitter, the agency asserted that Twitter gave almost all of its employees administrative control over the social networking site's system, which increased the risk that a compromise of any of its employees' credentials would result in a serious breach.
"This principle comports with the Framework's guidance about managing access permissions, incorporating the principles of least privilege and separation of duties," the FTC added.
Similarly, the Framework's Respond function—which "provides guidance on how to develop and implement appropriate actions in response to a detected cybersecurity event to effectively contain its impact"—overlaps with the FTC's enforcement efforts. In its case against Wyndham Worldwide Corporation, the agency alleged that the company failed to follow proper incident response procedures, including the failure to monitor its network for malware after a prior intrusion.
Businesses should use the Framework's five functions as a model to conduct their risk assessments and mitigation, the agency suggested, as FTC enforcement actions have demonstrated that "companies could have better protected consumers' information if they had followed fundamental security practices like those highlighted in the Framework."
"In addition, given that the FTC's enforcement actions align well with the Framework's core functions, companies should review the FTC's publication, Start with Security, which summarizes lessons learned from the FTC's data security cases and provides practical guidance to reduce cybersecurity risks," Arias concluded. "Applying the risk management approach presented in the Framework with a reasonable level of rigor—as companies should do—and applying the FTC's Start with Security guidance will raise the cybersecurity bar of the nation as a whole and lead to more robust protection of consumers' data."
Why it matters: The touchstone of the FTC's approach to data security has been reasonableness: "that is, a company's data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company's operations, the cost of the tools that are available to address vulnerabilities, and other factors." The Framework is not a checklist or a standard; instead it focuses on risk assessment and mitigation, which is why the FTC staff describe NIST's and the FTC's approaches as "fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company's data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC's long-standing Section 5 enforcement."