90 second read
Last week we defined reasonable cybersecurity and what constitutes reasonable cybersecurity. This week we’re going to continue our discussion by redefining the way you think about cyber risk management. We’re not saying you have to get rid of your checklists. Creating and completing a checklist once a year or every quarter isn’t enough. Instead, focus on doing your best every single day in order to be considered reasonable.
What Does the FTC Say About Reasonableness?
The Federal Trade Commission says that every business should take reasonable security measures that are appropriate for an entity of similar size, sophistication, and resources given the type, amount and sensitivity of data collected. You’ve got two moving variables; the entity itself, small or large, and then you have the data you’re collecting. Depending upon the size of your entity and the sensitivity of that data, it really begins to vary.
National Institute of Standards and Technology
The National Institute of Standards and Technology is a department of the US Government. They’re also a part of the Department of Commerce. They’re not, however, a part of the Department of Defense or law enforcement. The FTC has stated that the NIST Cybersecurity Framework is a good model for creating a reasonable cybersecurity program for a given company. The NIST framework is based on preexisting cybersecurity standards. It includes concepts taken from older standards like the ISO 27001 and 27002, CSC Top 20, and OWASP Top 10.
The nature of the framework is such that it’s not a checklist, so a given company can’t “be compliant” with the NIST Cybersecurity Framework. That sentence doesn’t even make sense. It does not compute. That’s because the framework is a set of broad principles. It’s a skeleton on which one builds a much more complete cybersecurity program.
What Makes the NIST Cybersecurity Framework Different?
The Cybersecurity Framework is not that detailed and was not created by NIST staffers; it drew from detailed work done by private industry experts. The NIST actually brought in those experts and asked them what they thought should be in the framework. Making the framework particularly useful when it comes to reasonable cybersecurity.
Next week we’ll discuss the five functions of reasonable cybersecurity.