NIST Releases Cybersecurity Framework; Risk-based Capital Rule; NCUA Board Meeting Agenda
Written by Brandy Bruyere, Regulatory Compliance Counsel
Today we will broadly overview the National Institute of Standards and Technology's (NIST) "Framework for Improving Critical Infrastructure Cybersecurity" (Framework), which was released last week. This is voluntary guidance, developed under Executive Order 13636, which aims to provide "a set of industry standards and best practices to help organizations manage cybersecurity risks." Because risk management is an ongoing process that involves "identifying, assessing, and responding to risk," the Framework is meant to be flexible and address a broad spectrum of cybersecurity risks. The Framework is divided into three main sections: Framework Core, Framework Profile, and Framework Implementation Tiers.
The Framework Core (Core) describes key cybersecurity activities and informative resources that are current industry standards and practices. The Core includes five "Functions": Identify, Protect, Detect, Respond, and Recover. These Functions are further broken down into Categories such as "Asset Management," "Data Security," and "Detection Processes." The Categories are further segmented into Subcategories that describe specific outcomes such as "Notifications from detection systems are investigated." Overall, the Functions are intended to "provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk."
The Framework Profile (Profile) addresses the cybersecurity outcomes based on the Categories and Subcategories that the organization selected from the Core Functions. The Profile is designed to help organizations "establish a roadmap for reducing cybersecurity risk." The Profile allows organizations to align and prioritize their particular cybersecurity risks with the characteristics of their own business requirements, risk tolerances, and resources.
The Framework Implementation Tiers provide a method for organizations to contextualize and understand their approach to managing cybersecurity risk. There are four Tiers that represent different degrees of rigor in the processes in place and different levels of integration into overall risk management plans: Tier I (Partial), Tier II (Risk Informed), Tier III (Repeatable), and Tier IV (Adaptive). Organizations should select a Tier based upon factors such as the organization's goals, the feasibility of implementation, the reduction of cybersecurity risk, and available resources.
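To make the three pieces concrete, here is a small added example (my own illustration, not code from NIST or NAFCU) that models a miniature Core, a Current and a Target Profile, and the Tiers, and then runs the gap analysis a Profile is meant to support: which Subcategory outcomes still fall short of the target, and by how much. The subcategory IDs and sample profile values are constructed placeholders in the Framework's naming style, not the published identifiers; the "Notifications from detection systems are investigated" outcome is the one quoted above.

```python
from dataclasses import dataclass

# Constructed miniature of the Framework Core: Function -> Category -> {id: outcome}.
# The subcategory IDs are placeholders in the Framework's naming style, not the
# published identifiers; the DE.DP-x1 outcome text is the one quoted in the post.
CORE = {
    "Identify": {"Asset Management": {
        "ID.AM-x1": "Physical devices and systems within the organization are inventoried"}},
    "Protect": {"Data Security": {
        "PR.DS-x1": "Data-at-rest is protected"}},
    "Detect": {"Detection Processes": {
        "DE.DP-x1": "Notifications from detection systems are investigated"}},
    "Respond": {"Communications": {
        "RS.CO-x1": "Personnel know their roles when a response is needed"}},
    "Recover": {"Recovery Planning": {
        "RC.RP-x1": "Recovery plan is executed during or after an event"}},
}

# How far each subcategory outcome has been achieved; higher is closer to the outcome.
MATURITY = {"none": 0, "partial": 1, "implemented": 2}

# The four Implementation Tiers named in the post.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def subcategory_ids(core=CORE):
    """Flatten the Core into {subcategory id: (function, category, outcome)}."""
    index = {}
    for function, categories in core.items():
        for category, subs in categories.items():
            for sub_id, outcome in subs.items():
                index[sub_id] = (function, category, outcome)
    return index


@dataclass
class Profile:
    name: str
    tier: int      # 1..4, see TIERS
    status: dict   # subcategory id -> key of MATURITY; missing ids count as "none"

    def validate(self, core=CORE):
        """Reject ids the Core does not define and unknown maturity labels,
        so a typo in a profile cannot silently hide a gap."""
        known = subcategory_ids(core)
        for sub_id, level in self.status.items():
            if sub_id not in known:
                raise ValueError(f"{self.name}: unknown subcategory {sub_id}")
            if level not in MATURITY:
                raise ValueError(f"{self.name}: unknown maturity {level!r} for {sub_id}")
        if self.tier not in TIERS:
            raise ValueError(f"{self.name}: tier must be one of {sorted(TIERS)}")


def gap_analysis(current, target, core=CORE):
    """Compare a Current Profile with a Target Profile and return the
    subcategories still short of the target, largest shortfall first."""
    current.validate(core)
    target.validate(core)
    gaps = []
    for sub_id, (function, category, outcome) in subcategory_ids(core).items():
        have = MATURITY[current.status.get(sub_id, "none")]
        want = MATURITY[target.status.get(sub_id, "none")]
        if want > have:
            gaps.append({"id": sub_id, "function": function, "category": category,
                         "outcome": outcome, "gap": want - have})
    gaps.sort(key=lambda g: (-g["gap"], g["id"]))
    return gaps


def tier_gap(current, target):
    """Number of Tiers the organization must climb to reach its target Tier."""
    return target.tier - current.tier


# Constructed sample profiles for a small institution.
CURRENT = Profile("current", tier=1, status={
    "ID.AM-x1": "implemented", "PR.DS-x1": "partial", "RS.CO-x1": "partial"})
TARGET = Profile("target", tier=3,
                 status={sub_id: "implemented" for sub_id in subcategory_ids()})

if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET):
        print(f"{g['id']:10} gap={g['gap']}  {g['function']} / {g['category']}: {g['outcome']}")
    print(f"Tier: {TIERS[CURRENT.tier]} -> {TIERS[TARGET.tier]} ({tier_gap(CURRENT, TARGET)} steps)")
```

The sorted gap list is the "roadmap" in miniature: the Detect and Recover outcomes with no coverage at all come first, the partially met ones after. The validation step matters in practice because a profile is usually maintained in a spreadsheet, and a misspelled subcategory id would otherwise simply drop out of the comparison and look like a closed gap.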
The Framework is rather complex but intended to be flexible given the diversity of the different organizations that provide critical infrastructure. While this guidance is voluntary, it may be useful to credit unions in managing cybersecurity risk, particularly as this is a risk area that is part of NCUA's Supervisory Focus for 2014. For more information on cybersecurity risk, check out this NAFCU blog post.
Risk-based Capital: Just a reminder to folks who haven't yet seen it, NAFCU's Capital Reform Issue Page is up and running with great resources such as NAFCU's Regulatory Alert on NCUA's proposed rule regarding risk-based capital. If your credit union hasn't submitted a comment to NAFCU, I encourage you to do so here. The more we know about how the rule affects your credit union, the better advocates we can be for you.
NCUA Releases Agenda for Tomorrow's Board Meeting: NCUA will consider a Proposed Rule to amend Part 710, Voluntary Liquidations of Federal Credit Unions, as well as the Share Insurance Quarterly Report.
New Ability-to-Repay and Qualified Mortgage requirements took effect January 10. Our panel of compliance gurus will discuss the best examples of implementation so far. Register by Mar. 4 to save $100 and utilize these best practices in your own compliance efforts.
This photo appears to be of a dog enjoying the snow. However, I can assure you that Lemmy is actually making a desperate escape after realizing he had been duped into standing in fourteen inches of snow.