Critical Infrastructure Protection and Resilience, North America
2017-12-12 10:14:32
General Data Protection Regulation (GDPR): Data protection law framework across the European Union (EU) that focuses on protecting its citizens’ data and privacy. The European Union imposes strict rules on those hosting and ‘processing’ this data, anywhere in the world, and enforces them via stringent fines.
Federal IT Acquisition Reform Act (FITARA): U.S. legislation that puts federal agency CIOs in control of IT investments. It requires U.S. federal agencies to provide the Office of Management and Budget (OMB) with a comprehensive inventory of data centers and a strategy to consolidate and optimize their data. It also provides periodic “scorecards” to federal agencies on compliance across multiple assessment categories.
NIST Special Publication 800-171: Set of security requirements that may be added to or referenced in federal contracts with the goal of improving the protection of Controlled Unclassified Information (CUI). Contractors and sub-contractors are required to be compliant by Dec 31, 2017. It is a government attempt to transfer risk and bring contractors up to a common cyber security standard.
What do all of these diverse regulations have in common? They are a sampling of the growing list of cyber security requirements that the government and segments of the commercial industry must be both cognizant of and in compliance with. Many companies are only starting to become aware of the existence of these regulations and to determine the impact that these requirements will have on their organizations. Beginning May 25, 2018, the EU GDPR will impose heavy fines on companies violating the rules. These fines can be a percentage of the company’s revenue. As with any new regulation, many organizations are unaware of its existence and impact, particularly smaller companies currently doing, or planning to do, business in the European Union.
For organizations, the bottom line concern is liability. Much like personal injury law, it is not enough to simply put up a warning sign on an icy sidewalk. We all understand that if a pedestrian were to slip and fall on an owner’s icy sidewalk, the owner is still liable. Owners must take active steps to achieve compliance, mitigate risks inherent in their products and infrastructure, and institute a viable cyber security program that is sustainable for the long haul. This means they must put in place a program that brings together a team of skilled people, utilizes a proven process, and includes the right tools to extract decisive information. The ROI to be measured is the organization’s preparedness and its protection from fines and liability.
Fortunately, most of the regulatory requirements can be met by basic compliance with existing standards such as those provided by NIST. Almost all new guidance shares common denominators with existing controls and guidelines. Integrating a proactive cyber security program that both complies with the regulations affecting your organization and provides protection from legal issues is becoming imperative for any organization. Such a program isn’t a “nice to have”, but a must have. While the Cyber Sea is no doubt treacherous with volatile waters, our lighthouse of bright, certified cyber experts can help you navigate the path to get your organization safely to shore.
To learn more about “Defending Critical Infrastructure” download our eBook here: https://get.criticalinfrastructuredefense.com/iiot_ebook/
Author: Kevin Koppenhaver, Director of Cyber Security Solutions