the NIST Framework complements, but does not replace, existing risk management processes and cybersecurity programs. It can, however, be used to assess and, where necessary, improve existing security practices. The NIST Framework may become a de facto standard for determining whether a business has adequate data security safeguards in place. In fact, in May 2017, then President Trump issued an executive order specifically requiring U.S. governmental agencies to use the NIST Framework. Additionally, the proposed NIST Cybersecurity Framework Assessment and Auditing Act, which passed out of the House Science Committee in March but has not yet reached the House floor, would task NIST with verifying that agencies have proper cyber protections in place and reporting on those agencies that do not. In the meantime, it is clearly worth considering the NIST Framework when adopting any extensive data security program, since some insurance companies may view it as a prerequisite to coverage. Following the standards described in the NIST Framework might also serve as a defense against any FTC charge of inadequate data security.

Other Cybersecurity Standards. In addition to the NIST Framework, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have issued cybersecurity standards. These standards enable organizations to practice sound security techniques and reduce the likelihood of successful cyberattacks. They provide general outlines as well as specific techniques for implementing cybersecurity. In some cases, obtaining certification under one of these standards might be a prerequisite to obtaining cybersecurity insurance. As noted above, it can also help defend against any FTC investigation and assertion of lax data security by a business.