The National Institute of Standards and Technology (NIST) recently published a draft cybersecurity self-assessment tool entitled “The Baldrige Cybersecurity Excellence Builder,” which organizations can use to determine their own security maturity level.

According to the guide, it will assist organizations to:

  • Determine cybersecurity-related activities that are important to business strategy and the delivery of

The National Institute of Standards and Technology (NIST) recently published a new study finding that typical computer users experience “security fatigue,” a weariness that leads them to engage in risky behavior both at work and at home.

In one interview, a participant said that when it comes to computer security “I don’t pay any attention to those things anymore…People get weary from being bombarded by ‘watch out for this or watch out for that.’”

The study confirms what we all feel daily. Instead of a handful of passwords, we are supposed to use a different password for every online application, and it is nearly impossible to remember them all. The researchers reported that throughout the study they “got this overwhelming feeling of weariness throughout all of the data.” They found that computer users feel overwhelmed and bombarded, and are exhausted from being on alert all of the time, trying to adopt safe behavior and to understand the complexities of data security.

Because users are so tired, they feel resigned and out of control, and therefore they avoid decisions, choose the easy option, behave impulsively and fail to follow the rules. This is basic psychology.
Continue Reading New NIST Study Shows Risks of Security Fatigue

We watch closely for any guidance to HIPAA covered entities and business associates from the Department of Health and Human Services Office for Civil Rights (HHS/OCR). Why? Because there is so little of it. Lately, the only guidance we have been receiving is in the form of Resolution Agreements and Corrective Action Plans, and hefty fines accompanying them.

The Government Accountability Office (GAO) recently completed a study of HHS/OCR’s cybersecurity guidance and oversight to determine whether it is consistent with NIST standards.

The Report notes that health care entities are struggling to select appropriate privacy and security controls for their organizations, and that HHS is not offering those organizations enough help. Although OCR has published two tools to assist covered entities and business associates with risk assessments, the GAO found that those tools do not provide enough detail for covered entities and business associates to determine which cybersecurity activities must be performed. The Report noted that the NIST Cybersecurity Framework has 98 subcategories of security controls, while the OCR toolkit addresses only 19 of the 98. According to the GAO, these gaps in OCR’s guidance could lead to incomplete risk assessments.
Continue Reading GAO Study Slams HHS For Lack of Guidance to Covered Entities

On September 13, 2016, Governor Andrew Cuomo announced the first proposed broadly applicable cyber regulation in the U.S. (the “Regulation”). The Regulation covers banks, insurance companies and other financial institutions (Covered Entities) regulated by the New York Department of Financial Services (the “DFS”). The Regulation is tightly focused, but with broad reach. It appears to adopt aspects of other regulations and standards, but then adds some unique requirements that create the most sweeping and protective regulation proposed. If adopted in a form close to the draft presented, financial institutions regulated by the DFS will have significant responsibility, and oversight, for protecting core operations and data, which extends far beyond personally identifiable information covered by most existing statutes and regulations.

At the core is the Regulation’s first section, which requires Covered Entities to “establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” This requirement is analogous to, and may have been modeled on, Section 242.1001(a) of the Securities and Exchange Commission’s Regulation Systems Compliance and Integrity (Reg SCI). This seemingly simple requirement has broad implications, as failures of data and systems integrity and availability have the potential to be far more devastating to institutions and individuals than confidentiality breaches. Much of the Regulation provides the regulatory scaffolding designed to ensure that Covered Entities meet this requirement.

However, whereas Reg SCI uses language in its core requirement that has no clear definition in existing cybersecurity standards, DFS took another route. By using the terms “confidentiality, integrity and availability” and requiring Covered Entities to identify Nonpublic Information, the sensitivity of Nonpublic Information, and how and by whom such Nonpublic Information may be accessed, the Regulation incorporates concepts that appear to come directly from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 (NIST 800-53 Standard). The NIST 800-53 Standard requires data and systems identification and classification, and may provide an analogous structure that could be used for much, but not all, of the policies, processes and procedures required by the Regulation.
Continue Reading The Cyber Regulation Drops

The National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force released a revised draft of the Insurance Data Security Model Law (Model Law) last week. The Model Law’s goal is to “establish exclusive standards… for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to state insurance laws. The Model Law was first released in April of this year and received over 40 comments from trade associations, market participants and regulators. This week, at the NAIC National Summer Meeting, the Task Force met with interested parties to discuss comments on this new draft and written comments to the Model Law may be submitted by September 16, 2016.
Continue Reading NAIC Released Draft of Revised Insurance Data Security Model Law for Review

Last week, BIMCO, along with other shipping organizations, “launched” guidelines “to help the global shipping industry prevent major safety, environmental and commercial issues that could result from a cyber incident on-board a ship.”

BIMCO states that the guidelines are “a first for the shipping industry” (which to our knowledge is true and we applaud).

The

The Federal Trade Commission (FTC) announced on January 5, 2016, that it has agreed to settle an investigation of Henry Schein Practice Solutions, Inc. (Schein), a Utah-based provider of office management software for dental practices, for $250,000 over allegations that Schein falsely advertised the level of encryption it provided for patient data.

The FTC alleged