NIST Offers Guidance on Measuring and Improving Your Company's Cybersecurity Program – NIST

https://www.nist.gov/news-events/news/2024/01/nist-offers-guidance-measuring-and-improving-your-companys-cybersecurity
Imagine you’re the new head of cybersecurity at your company. Your team has made a solid start at mounting defenses to ward off hackers and ransomware attacks. As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? 
You might want a road map for creating a practical information security measurement program, and you’ll find it in newly revised draft guidance from the National Institute of Standards and Technology (NIST). The two-volume document, whose overall title is NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, offers guidance on developing an effective program, and a flexible approach for developing information security measures to meet your organization’s performance goals. NIST is calling for public comments on this initial public draft by March 18, 2024. 
The publication is designed to be used together with any risk management framework, such as NIST’s Cybersecurity Framework or Risk Management Framework. It is intended to help organizations move from general statements about risk level toward a more coherent picture founded on hard data. 
“Everyone manages risk, but many organizations tend to use qualitative descriptions of their risk level, using ideas like stoplight colors or five-point scales,” said NIST’s Katherine Schroeder, one of the publication’s authors. “Our goal is to help people communicate with data instead of vague concepts.”
Achieving this goal, according to the authors, involves moving from qualitative descriptions of risk — perhaps using broad categories such as high, medium or low risk level — to quantitative ones that carry less ambiguity and subjectivity. An example of the latter would be a statement that 98% of authorized system user accounts belong to current employees and 2% belong to former employees. 
The team developed the new draft guidance partly in response to public requests and feedback from a pre-draft call for comment. Much of that feedback cited the increased availability of security-related data together with uncertainty over how to put this data to effective use. While the resulting guidance is not prescriptive, Schroeder said its tailorable approach means it can help a variety of organizations create and then improve an information security measurement program that is right for them. 
“We want people to be able to figure out the process of what to measure. You don’t necessarily need to crunch every number,” she said. “For example, you might want to figure out whether your organization is responding to incidents appropriately, and you might consider factors such as your response time and impact to the mission or business such as additional staff hours, resources needed, or impact to the bottom line. Then you can present that information in a way that makes sense, even if you’re not a statistician — so that you can figure out how to do better.”
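To make the two measures mentioned above concrete, here is an added example (not code from NIST or from SP 800-55) that turns raw records into the kind of numbers the guidance asks for: the share of enabled accounts belonging to current versus former employees, and the median time from detection to containment for incidents. All account, roster and incident data is constructed for the example; the field names, the "unmapped" bucket for accounts with no HR owner, and the 24-hour containment target are assumptions, not something the publication specifies.

```python
"""Two information security measures computed from constructed sample data.
Added example for illustration; not part of the NIST article or SP 800-55."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]   # HR employee ID this account maps to; None if unknown
    enabled: bool


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected: datetime
    contained: Optional[datetime]  # None while the incident is still open


# Constructed sample data (assumption: not real accounts, people or incidents).
HR_ROSTER: Dict[str, str] = {
    "e100": "active", "e101": "active", "e102": "terminated", "e103": "active",
}

ACCOUNTS: List[Account] = [
    Account("alice", "e100", True),
    Account("bob", "e101", True),
    Account("carol", "e102", True),      # former employee, account still enabled
    Account("dave", "e103", True),
    Account("svc-backup", None, True),   # service account with no HR owner
    Account("erin", "e102", False),      # disabled, so not an authorized account
]

INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2024, 1, 2, 9, 0), datetime(2024, 1, 2, 13, 0)),
    Incident("INC-2", datetime(2024, 1, 5, 22, 0), datetime(2024, 1, 7, 10, 0)),
    Incident("INC-3", datetime(2024, 1, 10, 8, 30), datetime(2024, 1, 10, 10, 30)),
    Incident("INC-4", datetime(2024, 1, 15, 14, 0), None),   # still open
]


def account_ownership_measure(accounts: List[Account], roster: Dict[str, str]) -> dict:
    """Share of enabled accounts owned by current vs. former employees.

    Accounts with no HR mapping are reported as their own bucket rather than
    folded into "current"; hiding them would understate the risk the measure
    is meant to expose. Disabled accounts are excluded from the denominator.
    """
    enabled = [a for a in accounts if a.enabled]
    counts = {"current": 0, "former": 0, "unmapped": 0}
    for acct in enabled:
        status = roster.get(acct.owner_id) if acct.owner_id else None
        if status == "active":
            counts["current"] += 1
        elif status == "terminated":
            counts["former"] += 1
        else:
            counts["unmapped"] += 1
    total = len(enabled)
    percent = {k: (round(100 * v / total, 1) if total else 0.0) for k, v in counts.items()}
    return {"total": total, "counts": counts, "percent": percent}


def containment_time_measure(incidents: List[Incident], target_hours: float) -> dict:
    """Median detection-to-containment time over closed incidents, plus the share
    contained within a target. Open incidents are counted but not averaged, so a
    long-running incident cannot be hidden by simply never closing it."""
    closed = [i for i in incidents if i.contained is not None]
    hours = [(i.contained - i.detected).total_seconds() / 3600 for i in closed]
    within = sum(1 for h in hours if h <= target_hours)
    return {
        "closed": len(closed),
        "open": len(incidents) - len(closed),
        "median_hours": round(median(hours), 1) if hours else None,
        "percent_within_target": round(100 * within / len(closed), 1) if closed else None,
    }


if __name__ == "__main__":
    print(account_ownership_measure(ACCOUNTS, HR_ROSTER))
    print(containment_time_measure(INCIDENTS, target_hours=24))
```

Run monthly against an export of the directory and the ticketing system, the same two functions give a trend line rather than a one-off number, which is what a CEO or customer is actually asking for; the "unmapped" and "open" buckets are the caveat a reviewer should look at first, because they are where a measure that looks healthy can quietly be wrong.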
The two volumes are aimed at different audiences within an organization. The first, written mainly for information security specialists, provides guidance on how an organization can prioritize, select and evaluate specific measures to determine the adequacy of security that is already in place. The second, aimed primarily at the C-suite, outlines how an organization can develop an information security measurement program and offers a multistep workflow for implementing it over time.
The authors point out that qualitative descriptions are appropriate in certain circumstances, and that some organizations might want to use a mixture of qualitative and quantitative approaches. But focusing on measurement can aid communication within an organization, potentially helping to improve both security and resource allocation. 
“When technical teams communicate with management about information security, metrics provide a common language, using trends and numbers to bridge gaps in understanding,” the authors write. “Organizations want to be able to assess if controls, policies, and procedures are working effectively, efficiently, and how the organization is impacted. Metrics can be used to help prioritize areas for growth, improvement, or re-focusing resources.”  
In the Notes to Reviewers, NIST is proposing the establishment of a Community of Interest (CoI) for those interested in information security measurement to work together to share expertise, refine the body of knowledge and resources, and identify opportunities for growth and improvement.
Individuals and organizations interested in joining the Information Security Measurement CoI or submitting comments on the two-volume draft should email cyber-measures [at] list.nist.gov.