Compliance Blog

Feb 19, 2014

NIST Releases Cybersecurity Framework; Risk-based Capital Rule; NCUA Board Meeting Agenda

Written by Brandy Bruyere, Regulatory Compliance Counsel

Today we will give a broad overview of the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was released last week. This is voluntary guidance, developed under Executive Order 13636, which aims to provide “a set of industry standards and best practices to help organizations manage cybersecurity risks.” Because risk management is an ongoing process that involves “identifying, assessing, and responding to risk,” the Framework is meant to be flexible and address a broad spectrum of cybersecurity risks. The Framework is divided into three main sections: Framework Core, Framework Profile, and Framework Implementation Tiers.

The Framework Core (Core) describes key cybersecurity activities and informative resources that are current industry standards and practices. The Core includes five “Functions”: Identify, Protect, Detect, Respond, and Recover. These Functions are further broken down into Categories such as “Asset Management,” “Data Security,” and “Detection Processes.” The Categories are further segmented into Subcategories that describe specific outcomes such as “Notifications from detection systems are investigated.” Overall, the Functions are intended to “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”

The Framework Profile (Profile) addresses the cybersecurity outcomes based on the Categories and Subcategories that the organization selected from the Core Functions. The Profile is designed to help organizations “establish a roadmap for reducing cybersecurity risk.” The Profile allows organizations to align and prioritize their particular cybersecurity risks with the characteristics of their own business requirements, risk tolerances, and resources.

The Framework Implementation Tiers provide a method for organizations to contextualize and understand their approach to managing cybersecurity risk. There are four Tiers that represent different degrees of process maturity and levels of integration into overall risk management plans—Tier I (Partial), Tier II (Risk Informed), Tier III (Repeatable), and Tier IV (Adaptive). Organizations should select a Tier based upon factors such as the organization’s goals, the feasibility of implementation, the reduction of cybersecurity risk, and available resources.

The Framework is rather complex but intended to be flexible given the diversity of the different organizations that provide critical infrastructure. While this guidance is voluntary, it may be useful to credit unions in managing cybersecurity risk, particularly as this is a risk area that is part of NCUA’s Supervisory Focus for 2014. For more information on cybersecurity risk, check out this NAFCU blog post.


Risk-based Capital—Just a reminder to folks who haven’t yet seen it, NAFCU’s Capital Reform Issue Page is up and running with great resources such as NAFCU’s Regulatory Alert on NCUA’s proposed rule regarding risk-based capital. If your credit union hasn’t submitted a comment to NAFCU, I encourage you to do so here. The more we know about how the rule affects your credit union, the better advocates we can be for you.


NCUA Releases Agenda for Tomorrow’s Board Meeting—NCUA will consider a Proposed Rule to amend Part 710, Voluntary Liquidations of Federal Credit Unions, as well as the Share Insurance Quarterly Report.


Webcast: Post Mortem Panel: Qualified Mortgages and Ability-to-Repay

New Ability-to-Repay and Qualified Mortgage requirements took effect January 10. Our panel of compliance gurus will discuss the best examples of implementation so far. Register by Mar. 4 to save $100 and utilize these best practices in your own compliance efforts.

Palate Cleanser

This photo appears to be of a dog enjoying the snow. However, I can assure you that Lemmy is actually making a desperate escape after realizing he had been duped into standing in fourteen inches of snow.