National Institute of Standards and Technology

We consistently comment about the importance of educating the next generation of students on cybersecurity. The earlier the better, as far as I am concerned, as early as the third grade. There is a dearth of cybersecurity talent in the U.S., and it is one of the fastest growing fields for job opportunities.

Because cybersecurity is

On Monday, October 24, 2016, the Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) issued proposed cybersecurity guidance to the auto industry, including auto manufacturers and designers and manufacturers of vehicle systems and software, designed to assist the industry in developing best practices to safeguard vehicles’ systems against cyber-attacks and to protect the data

The National Institute of Standards and Technology (NIST) recently published a draft cybersecurity self-assessment tool entitled “The Baldrige Cybersecurity Excellence Builder,” which organizations can use to determine their security maturity level.

According to the guide, it will assist organizations to:

  • Determine cybersecurity-related activities that are important to business strategy and the delivery of

The National Institute of Standards and Technology (NIST) recently published a new article that finds that most typical computer users experience security fatigue that leads users to engage in risky behavior when they are at work and at home.

In one interview, a participant said that when it comes to computer security “I don’t pay any attention to those things anymore…People get weary from being bombarded by ‘watch out for this or watch out for that.’”

The study confirms what we all feel daily. Instead of a handful of passwords, we are supposed to use a different password for every online application, and it’s nearly impossible to remember them all. Throughout the study, the researchers “got this overwhelming feeling of weariness throughout all of the data.” They found that computer users felt overwhelmed, bombarded, and exhausted from being on alert all of the time, trying to adopt safe behavior and understand the complexities of data security.

Because users are so tired, they feel resigned and out of control, and therefore they avoid decisions, choose easy options, behave impulsively and fail to follow the rules. This is basic psychology.

Continue Reading New NIST Study Shows Risks of Security Fatigue

On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that create the most sweeping and protective regulation proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond personally identifiable information covered by most existing statutes and regulations.

At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.

However, whereas Reg SCI uses language in its core requirement that does not have clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of Nonpublic Information, and how and by whom such Nonpublic Information may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.

Continue Reading The Cyber Regulation Drops

The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The Model Law was first released in April of this year and received over 40 comments from trade associations, market participants and regulators. This week, at the NAIC National Summer Meeting, the Task Force met with interested parties to discuss comments on this new draft and written comments to the Model Law may be submitted by September 16, 2016.

Continue Reading NAIC Released Draft of Revised Insurance Data Security Model Law for Review

The National Institute of Standards and Technology (NIST) developed and issued its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” (Framework) in response to a 2013 Executive Order in February of 2014. It was developed in collaboration with industry, academia and state and federal government officials. It has been widely praised and used as a valuable