Guiding Standards for Cybersecurity

Information security is mostly focused on data protection. The most popular standard used for this purpose is ISO IEC 27001. It does address some part of infrastructure security and privacy but not to the extent that other Cybersecurity standards cover infrastructure security.

The main guiding standards for Cybersecurity are:

• NIST cybersecurity framework
• ISO IEC 27032 – Guideline for Cybersecurity, to be used along with ISO 27001 standard.
• General Document on Privacy Requirements (GDPR) – New privacy regulations from EU to be released in May 2018.

To implement the Cybersecurity framework basic requirements is to conduct risk assessment using the NIST Risk Management Framework (RMF) and implement controls from the applicable NIST 800 series standards.

Why NIST standards?

• All Federal Government and Defense organizations use NIST standards for their Information Security.
• All Federal and Defense contractors handling (storing, processing and transmitting) information falling under the Controlled Unclassified Information (CUI) category must comply with NIST SP 800-171 before end of 2017.

What is Controlled Unclassified Information (CUI)?

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act (National Archives).

A CUI Registry has been published by the National Archive to provide categories and subcategories based on industry segments. Some examples of CUIs for Technology Contractors (under Controlled Technical Information categories) are contract data, requirement specification, design specifications, and project plans related to Government projects that are stored in the computer systems of the contractor.

General Document on Privacy Requirements (GDPR)

The General Data Protection Regulation will replace the EU Data Protection Directive and will be effective starting on May 25, 2018. This is occurring due to the European Commission’s aim at unifying data protection laws across the union via one regulation, such as the GDPR.

The protection of personal and organizational data is always crucial in a constantly growing cross border market environment. The General Data Protection Regulation requires safeguards and measures for protecting personal data, ensuring safe data processing, and managing notifications of potential breaches.

The GDPR applies to organizations collecting, processing, and storing EU citizens’ personal data or EEA. This regulation also applies to:

• Organizations with a physical presence in at least one-member state of the European Union.
• Organizations located outside of the EU, if they offer services, monitor, or process data subjects which belong in the European Union, even if the company location is not in the European Union.

Overlap with ISO 27001:

ISO/IEC 27001, NIST standards, and GDPR at their core have the commitment to protect sensitive information from unauthorized access, i.e. store, process, and transmit sensitive information in a secured way, in common.

ISO 27001 is a generic standard as it defines the objectives and intents of the security controls. It also allows organizations to select appropriate controls from annex A and/or from any other standards. Both ISO and NIST require a security risk assessment, but ISO does not provide any method for conducting risk assessment. NIST RMF could be a nice supplement for that purpose.

ISO 27001 provides an Information Security Management System Framework, which helps an organization to sustain and continuously improve its security posture.

DQS services:

Trainings: DQS can offer awareness trainings on the following subjects:

• GDPR requirements
• Risk Management Framework (RMF)
• NIST SP 800-53 requirements
• NIST SP 800-171

Conformity assessment: Why is an Independent Conformity Assessment Required?

NIST standards are developed for government organizations to secure their Information Systems. GDPR is for ensuring privacy of personal information. None of these are intended to be used for the purpose of third party certifications (like ISO standards), and there is no certification scheme available for NIST standards or GDPR. Application of NIST standards are now extended beyond the government agencies. Contractors are now required to comply with NIST SP 800-171 with target deadline. Very often the government also requires contractors to comply with NIST SP 800-53.

How can an organization show evidence of compliance to GDPR or NIST standards? A Conformance assessment report from an independent organization is the only option.

How to achieve conformity?

Option 1: ISO 27001 Registration:

There is a considerable amount of overlap between the controls provided in NIST SP 800-171, NIST SP 800-53 or GDPR with the controls provided in Annex A of ISO 27001. Additional controls from the NIST standard or GDPR can be added to the Statement of Applicability (SOA) of ISO 27001 registration audit. Registration scope statement will mention that the SOA includes controls from NIST standard.

You can request a quote for registration here.

Option 2: Conformity Assessment:

If organization is not willing to go for ISO 27001 registration, DQS can conduct an independent conformity assessment against the NIST standard and GDPR. After successful assessment, DQS will issue a “Letter of Conformance” (LOC) and detailed assessment report as evidence of conformance to the applicable NIST standard or GDPR. Assessment report and LOC will be valid for one year. Reassessment will be required for continuous evidence of conformance. Please contact us for more information on this.