U.S. NIST releases a Framework for Improving Critical Infrastructure Cybersecurity.
On February 12, 2014, the U.S. National Institute of Standards and Technology released the first version of the Framework for Improving Critical Infrastructure Cybersecurity.
The purpose of the Framework is to enhance the security and resilience of critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.
The Framework provides a methodology for how organizations can address the privacy implications of cybersecurity activities such as monitoring or information sharing.
It was created through collaboration between the private and public sectors: multiple workshops were held and hundreds of public comments were received on the preliminary Framework, which was released in October 2013. It provides a set of voluntary measures which corporations can use to address cybersecurity risks.
The Framework consists of three parts: the Framework Core, the Framework Profile and the Framework Implementation Tiers, as described below:
Framework Core:
The Core consists of five Functions – Identify, Protect, Detect, Respond and Recover. Together, these Functions are supposed to provide a high-level, strategic view of an organization’s management of its cybersecurity risks. For each Function, the Framework Core also identifies underlying Categories and Subcategories (a subdivision of the Functions into groups of cybersecurity outcomes and into specific outcomes of technical and/or management activities) and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.
Framework Profile:
The Profiles represent outcomes (current or desired) based on an organization’s selected Categories and Subcategories. A Profile can be described as the alignment of the Framework Core with the business requirements, risk tolerance, and resources of an organization. Profiles can be used to identify opportunities for improving the cybersecurity state of an organization.
To develop a Profile, an organization can review the Core’s Categories and Subcategories and determine which are most important; Categories and Subcategories may be added as needed in order to address the organization’s specific risks.
Framework Implementation Tiers:
The Implementation Tiers provide context as to how organizations view cybersecurity risks and the processes they have in place for the management of such risks. The Framework Implementation Tiers reflect the degree to which an organization’s cybersecurity practices are in line with the Framework. The Tiers characterize an organization’s practices as Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), or Adaptive (Tier 4). These Tiers reflect an increasing degree of rigor and sophistication in an organization’s practices; they progress from informal, reactive responses to more agile and risk-informed cybersecurity risk management practices.
Please Note: While organizations are encouraged to consider moving toward higher Tiers, such a move is encouraged only when it would reduce cybersecurity risk and be cost effective. Successful implementation is based upon achievement of the outcomes described in the organization’s “Target” Profile and not upon Tier determination.
Practical implications
Although the Framework is voluntary, organizations should expect to see wide-ranging efforts by the U.S. government to encourage its use. It is also likely that the Framework will be referenced in regulatory proceedings, commercial and government contracts and litigation filed following data security breaches.
It is quite possible that the Framework will become a benchmark for assessing the reasonableness of cybersecurity practices.
Our recommendations:
Offer cybersecurity solutions relating to as many Categories and Subcategories as possible, and in alignment with as many Informative References as possible.
Address privacy and civil liberties implications and consider how a cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from the use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing.
Focus on the back end of the process – “respond and recover” as much as “identify and protect/detect” – not everything will be stopped at the firewall, and companies operating critical infrastructure will be looking for full solutions.
If your organization is already subject to data security or privacy regulations or is subject to any Israeli or foreign export control, try to identify whether and how the implementation of the Framework can complement and ideally support the existing compliance programs and comply with the applicable export control and privacy law obligations.
For further information regarding the Framework: http://www.nist.gov/cyberframework/
Privacy Matters
The Israeli Privacy Protection Law, 5741-1981 (the “Privacy Law”) and related regulations constitute a comprehensive arrangement to provide a high level of privacy protection to data subjects, including the protection of personal data processed in a Database (in general, a collection of data kept by magnetic or optical means and intended for computer processing, as such term is further defined in the Privacy Law). A Database which is either held, managed, or owned in Israel (regardless of the physical location of the servers hosting the data) is deemed subject to the Privacy Law.
Any entity which holds, manages and/or owns a Database in Israel is subject to the Privacy Law and its regulations. The Privacy Law imposes obligations on such entities and on the use of the data held in such a Database. The major substantive data protection obligations under the Privacy Law include the following: (i) a requirement to receive the data subjects’ consent prior to the collection and use of personal data; (ii) a requirement to notify the data subject regarding the purposes for which their data is collected and regarding any transfer of their data to a third party; (iii) the owner of any Database must take reasonable measures to secure the confidentiality of the data contained in the Database; (iv) the owner of a Database must allow data subjects to access and inspect any information about them which is kept in the Database and shall allow them, upon their demand, in certain circumstances, to amend or delete the information; (v) a requirement to register the Database with the Israeli Database Registrar under certain circumstances; and (vi) a requirement to use the information held in the Database only for the purpose for which such Database was established. In addition, there are specific regulations which govern the authorized transfer of information held in databases in Israel to other countries.
Owning, holding or managing a Database in Israel in breach of certain obligations under the Privacy Law may carry both civil and criminal sanctions.
Our Recommendations:
In the event that your organization holds, manages or owns a Database in Israel (regardless of the physical location of the servers hosting the data), you should verify that your organization complies with the Israeli Privacy Law’s requirements (including, without limitation, the requirement to register a database with the Israeli Database Registrar).
In addition, if your organization transfers information held in its Database in Israel to other countries, you should verify that such transfer is conducted in accordance with the provisions of the Israeli Privacy Law and regulations.
Address any required privacy and cybersecurity issues in any applicable agreements with third parties, which may include, for example, the following: (i) add restrictions under which the other party’s use of your software and/or services will not be conducted in a manner that would violate applicable data privacy laws; (ii) add restrictions under which the other party is prohibited from using your software and/or services to track or collect personally identifiable information unless it has received the applicable data subject’s consent as required under any applicable law; (iii) add, to the extent applicable, reference to compliance with applicable laws, treaties and regulations pertaining to security breaches, data privacy, data intrusion, and the transmission of technical or personal data; and (iv) add, to the extent applicable, reference to an obligation to maintain reasonable administrative, physical, and technical safeguards designed for the protection, confidentiality and integrity of users’ data (which may include physical access controls, encryption, Internet firewalls, intrusion detection, and network monitoring).
Export Laws – Israeli perspective
The State of Israel regulates the use of encryption means through the Order Governing the Control of Commodities and Services (Engagement in Encryption Items) – 1974 (the “Encryption Order”). In order to regulate engagement in this field, the Israeli Ministry of Defense (“IMOD”) has instituted a system of control and licensing for items of encryption. According to the Encryption Order, engagement in Encryption Means may be made only subject to obtaining the applicable permit from the IMOD and in accordance with the terms of such permit. The Encryption Order also includes a comprehensive definition of the term “Engaging in Encryption Means”, which includes, inter alia, development, production, integration, sale, import and export of Encryption Means. A breach of the Encryption Order may carry both civil and criminal sanctions.
The Encryption Order defines three categories of licenses for engagement in Encryption: (a) a General License (issued with no time limit to its validity) – a license for a particular Encryption item which allows the license holder free use of that item (other than modifications or integration that essentially create a new item, for which a separate license is required); (b) a Special License (generally valid for one year) – a license for a specific engagement (generally involving sales to clients who do not fall under the restrictions imposed on an applicant for a Restricted License); and (c) a Restricted License (generally valid for one year) – a license that imposes restrictions on engagement in encryption items (which may restrict the nature of permissible sales, e.g. a restriction on selling to certain countries and sectors). We note that, in general, an IMOD permit is not required for the purchase, use, holding, transfer, distribution, sale or export of “Free Means”, which is defined as an item of encryption with respect to which the Director-General of the IMOD has granted a General License, or which the Director-General of the IMOD has defined as a “Free Means” (a full list of such “Free Means” can be found at: http://www.mod.gov.il/pages/encryption/freeMeansSearch.asp).
Our recommendations:
In the event that your organization engages in Encryption Means (i.e., develops, produces, integrates, sells, imports or exports Encryption Means), including in the event that your organization’s product incorporates any Encryption Means, you should consult with counsel to determine whether your organization is required to receive a permit from the IMOD for such specific use and product.