The Fraud Examiner
New U.S. Cybersecurity Framework Aims to Help Organizations Manage Risks
April 2014
By Mark Scott, J.D., CFE
On February 12, 2014, the National Institute of Standards and Technology (NIST) released the “Framework for Improving Critical Infrastructure Cybersecurity” (Cybersecurity Framework), a tool designed to establish a baseline of security best practices that organizations can use to measure and mitigate cybersecurity risks.
The Cybersecurity Framework was written primarily for individuals in management who are responsible for the security of their organizations’ information assets, but because Certified Fraud Examiners (CFEs) are uniquely qualified to assist organizations in the prevention and detection of fraud, they should be familiar with the provisions presented in the framework.
Background
In response to growing concerns about the security of information and communications technology, U.S. President Barack Obama in February of last year issued Executive Order 13636, which directed NIST, a non-regulatory technology agency within the U.S. Department of Commerce, to develop a framework for protecting critical infrastructure from cybersecurity risks.
To develop the framework, NIST worked over the course of a year with more than 3,000 individuals and organizations from the public and private sectors.
The resulting Cybersecurity Framework “allows organizations — regardless of size, degree of cyber risk or cybersecurity sophistication — to apply the principles and best practices of risk management” to improve cybersecurity across all industries, according to NIST.