Old 10-25-2013, 05:43 PM
Since this general topic has been getting a huge amount of focus and attention in various ways this year, I thought bringing up major potential changes was important. It looks like the implications will have much bigger effects everywhere. The EO occurred around the time the original bill to suspend the debt ceiling was approved in Feb. There appears to be a sense of urgency or intense focus going on this year especially.

NIST Unveils Draft of Cybersecurity Framework
quote:
In February, Obama issued an executive order directing NIST, working with the private sector, to develop a framework to reduce cybersecurity risks that the mostly private operators of the nation's critical infrastructure could adopt voluntarily

Old 10-25-2013, 06:12 PM
There appears to also be an increase in drills.
Banks Plan National Cyber-Attack Drill - Bank information ...

Cyber Doomsday: US Banks Prepare With Hacking Drills
Old 10-25-2013, 07:23 PM
For people not understanding this: essentially it is national, and likely global, best practices for all things cyber. This can affect how data everywhere is handled and stored. The original draft and how the system is designed is in a PDF off of the first article. Here is another article discussing repercussions. It also looks to be opening the door to an increase in "cyber-insurance". Insurance makes govt a great deal of money, so no surprise there.
How the NIST Cybersecurity Framework Could Reduce Cybersecurity

quote:
Companies “should regularly review the scope of detection and filtering methods to prevent the collection or retention of PII that is not relevant to the cybersecurity event.” Instead of poring over logs, looking for intruders, cybersecurity professionals are to pore over them for personal data that “is not relevant.” In another liability magnet, companies are instructed to adopt policies “to ensure that any PII that is collected, used, disclosed, or retained is accurate and complete.” That language will give employees who violate network rules new ways to challenge disciplinary actions.

...Perhaps worst of all, the privacy appendix imposes a heavy new legal and practical burden on cybersecurity information-sharing. It calls on companies to scrub any forensic data they may collect before they share it with others: “When voluntarily sharing information about cybersecurity incidents, organizations should ensure that only PII that is relevant to the incidents is disclosed”; and “When performing forensics, organizations should only retain PII that is relevant to the investigation.”
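The quoted appendix language ("only PII that is relevant to the incidents is disclosed", "only retain PII that is relevant to the investigation") describes an operational step, not just a policy line: a scrub pass over evidence before it leaves the organization. The block below is an added example, not code from the thread, the linked articles or the NIST draft. It keeps indicators of compromise (IPs, hashes) untouched, keeps PII the handler has explicitly marked as relevant (for instance the phished mailbox), and replaces every other PII hit with a keyed pseudonym so a sharing partner can still correlate records without learning the underlying value. The regexes, field names, key and log lines are all constructed for illustration; names ("Jane Doe") are deliberately out of scope for these simple patterns.

```python
"""Scrub non-relevant PII from incident evidence before sharing it.

Added example (not from the thread or the NIST draft). Indicators of
compromise are kept, PII the handler marked relevant is kept, and all other
PII is replaced by an HMAC-based pseudonym. Patterns, field names, the
sharing key and the sample log lines are constructed for illustration.
"""
import hashlib
import hmac
import re

# PII classes this example detects. Simplified on purpose; a production
# scrubber would use a dedicated detector per data class (and handle names).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def pseudonym(value, key, kind):
    """Stable keyed token for one PII value.

    HMAC with a per-partner key: the same value maps to the same token within
    one report (correlation still works), different partners get different
    tokens, and nobody can reverse a token without the key. The token is
    labelled with the data class so the reader knows what was removed.
    """
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{mac}>"


def redact_line(line, relevant, key):
    """Replace every PII match not listed in `relevant` with a pseudonym.

    Returns (redacted_line, removed_values). `relevant` is the set of PII
    values the incident handler decided are part of the incident and may be
    disclosed; everything else is scrubbed.
    """
    removed = []

    def make_repl(kind):
        def repl(match):
            value = match.group(0)
            if value in relevant:
                return value
            removed.append(value)
            return pseudonym(value, key, kind)
        return repl

    for kind, pattern in PII_PATTERNS.items():
        line = pattern.sub(make_repl(kind), line)
    return line, removed


def redact_for_sharing(lines, relevant, key):
    """Scrub a batch of evidence lines. Returns (lines, distinct_removed)."""
    out, removed = [], set()
    for line in lines:
        clean, gone = redact_line(line, relevant, key)
        out.append(clean)
        removed.update(gone)
    return out, removed


# Constructed sample evidence: a phishing incident in which one mailbox
# (victim@example.com) is the relevant account and the HR rows are bystander PII.
SAMPLE_LINES = [
    "2013-10-25T17:43:01Z smtp src=203.0.113.7 from=attacker@evil.example "
    "to=victim@example.com subject='Invoice' sha256=9f86d081884c7d65",
    "2013-10-25T17:45:10Z hr-db query by=victim@example.com "
    "row='Jane Doe,123-45-6789,555-123-4567'",
    "2013-10-25T17:46:02Z hr-db query by=victim@example.com "
    "row='John Roe,987-65-4321,555-987-6543' exfil_dst=203.0.113.7",
]
RELEVANT_PII = {"victim@example.com", "attacker@evil.example"}
SHARING_KEY = b"per-partner-key-rotated-often"  # constructed; load from a secret store in real use

if __name__ == "__main__":
    shared, scrubbed = redact_for_sharing(SAMPLE_LINES, RELEVANT_PII, SHARING_KEY)
    for line in shared:
        print(line)
    print("scrubbed:", sorted(scrubbed))
```

The handler's `relevant` set is the judgement call the appendix leaves to the organization; the code only enforces it. Keying the pseudonym per partner means a token leaked from one partner's copy cannot be matched against another's, which is the property you want when the same forensic data goes to several recipients.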
Old 10-25-2013, 10:13 PM
Well, we know how the federal government's IT heavy initiatives have worked out lately. I'm not sure I'd be all that enthusiastic about being involved.
Old 10-25-2013, 10:22 PM
Quote:
Originally Posted by pnwmdk View Post
Well, we know how the federal government's IT heavy initiatives have worked out lately. I'm not sure I'd be all that enthusiastic about being involved.
As I said there seems to be a sense of urgency and focus here. The EO pretty much states such. When you see what is being laid out and proposed, you can start to see the issues and implications.

Voluntary is really moot here, because when the govt lays out best practices and uses this kind of language, voluntary really doesn't matter.
Old 10-25-2013, 11:53 PM
Is NIST turning weak cybersecurity standards into aggressive new privacy regulation?

quote:
Right off the bat, the NIST privacy "methodology" shows remarkable ambition, telling companies that they “should identify all PII of employees, customers, or other individuals that they collect or retain, or that may be accessible to them.” Why critical infrastructure cybersecurity should require a comprehensive census of PII -- but not of other sensitive corporate information -- is not explained.

....Not one of these quasi-requirements has anything to do with the objectives of the executive order. But they have everything to do with smuggling comprehensive privacy regulation into a cybersecurity initiative. In fact, the provisions are more specific and demanding than the twenty-year privacy consent decrees imposed on technology companies like Google that have been caught up in FTC enforcement actions.
The provisions are drawn from the so-called Fair Information Practice Principles that the US government adopted for itself in the 1970s -- and that Europe's data protection laws incorporated around the same time.

....This means that the privacy appendix, which made its first appearance in public in the dead of August, will have a potentially irreversible effect as early as October 10, when NIST is due to issue the preliminary framework. In short, if the NIST framework keeps this appendix, the FTC and every other regulator in town will have plenty of topcover to impose the Fair Information Practice Principles on the private sector. The excuse for doing so will be the need for better cybersecurity, but adoption of the NIST framework as written will likely be a net loss for cybersecurity.
Old 10-26-2013, 03:24 AM
Further information on FIP.
FTC Fair Information Practice

quote:
Problems with Choice/Consent [12] Consumers do not have a fair say in the consent process. For example, customers provide their health information such as their social insurance number or health card number while making an appointment for a dental check-up through on-line. Customers are commonly asked to sign an agreement stating that ‘third-party may have an access to the information you provide under certain conditions.’ The certain conditions are rarely specified in any part of the agreement. Later on, the third-party may share the information with their subsidiary institutions. Thus, access to customers’ personal information is beyond their control.
Old 10-26-2013, 07:42 AM
Does anyone actually still believe the government does anything that isn't just a grab for information, control, and money?
Old 10-26-2013, 07:53 AM
Quote:
Originally Posted by pnwmdk View Post
Well, we know how the federal government's IT heavy initiatives have worked out lately. I'm not sure I'd be all that enthusiastic about being involved.
IMO, this is a pretty stupid statement.

The fed has thousands of IT systems that are doing just fine.

Yours is a typical immature remark. If 1 person from a group does or says something you accuse EVERY person of that group of supporting what was said or done.
Old 10-26-2013, 11:46 AM
Anyone who is involved in data protection and security who, after the RSA (and many other encryption technologies) debacle, bases their choice of encryption on NIST standards deserves everything they get.

As far as data security goes, NIST has less than zero credibility; it's a proven shill for government intrusion.