“Framework for Improving Critical Infrastructure Cybersecurity”

Cybersecurity has evolved from training staff not to open spam mail that may carry a virus that disrupts systems, to training them not to open spam that may carry malware used to steal client information.

Target Stores announced on its website 12.19.2013 that it experienced “…unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013.”

Neiman Marcus announced on its website 02.21.2014 that it experienced “…malicious software (malware) was clandestinely installed on our system and that it attempted to collect or ‘scrape’ payment card data from July 16, 2013 to October 30, 2013.”

Michaels Stores, Inc. announced on its website 01.25.2014 that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

Cyber threats are very real and growing.  According to the Symantec Internet Security Threat Report (ISTR) 2013, “Last year’s data made it clear that any business, no matter its size, was a potential target for attackers. This was not a fluke. In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.”

It makes sense that cyber threats will migrate to smaller companies, which most likely do not have security protocols as extensive as those of Fortune 100 companies that spend millions on security.

On February 12, 2013, President Obama signed an Executive Order, “Improving Critical Infrastructure Cybersecurity.”  Under the order, government agencies were expected to draft standards and share information regarding unclassified cyber threats.  In theory, the government and private industry would collaborate on this critical priority and develop voluntary standards, i.e. “best practices.”

On February 12, 2014, the National Institute of Standards and Technology released the “Framework for Improving Critical Infrastructure Cybersecurity”.  This document is considered a start (version 1.0) and is expected to evolve over time as new risks present themselves.  A main point in the document is that cybersecurity should now be considered a standard part of any risk management framework, i.e. no longer kept separate.

While the document is extensive, as it was designed to safeguard critical industries in the United States (e.g. banking, financial, healthcare), the approach is generic enough that it can be adopted by any organization.

The framework is a non-regulatory, voluntary set of industry standards and best practices.  A brief synopsis of the framework is as follows –

Framework Core: An approach to analyzing cyber risk that tracks activities along the lines of an incident management lifecycle.  The Core is laid out in four columns (Functions, Categories, Subcategories, Informative References); the five Functions are –

Identify – organizational understanding of risks
Protect – safeguards against incidents
Detect – ways to identify a cybersecurity event
Respond – actions to be taken once an event is detected
Recover – restoration activities


Framework Implementation Tiers: Four levels that describe how an organization views cyber risk and the processes it has in place to address it.

| Tier | Risk Management Process | Integrated Risk Management Process | External Participation |
|---|---|---|---|
| Tier 1 – Partial | Ad hoc processes | No organization risk awareness; and no organization-wide approach | None |
| Tier 2 – Risk Informed | Approved by management; but not established organization-wide | Organization awareness; but no organization-wide approach | None |
| Tier 3 – Repeatable | Approved by management; and policy established organization-wide | Organization awareness; and organization-wide approach | Collaborates with external organizations |
| Tier 4 – Adaptive | Established processes based on lessons learned and predictive indicators | Organization-wide approach that uses risk-informed policies | Openly shares information with external partners to improve cybersecurity for all |


Framework Profile: Current state of cybersecurity vs. the desired state of cybersecurity.

The Framework can be used to either establish a cybersecurity program or improve a current cybersecurity program.  Steps are as follows –

1) Prioritize and scope – Set the cybersecurity direction based on your organization’s business, mission and strategy.  This can be accomplished by interviewing senior managers.  This step is required not only to uncover concerns you may not be aware of, but also to develop buy-in.  The end result of this process will be more controls and internal policies, which may cause frustration, e.g. restricted access to data, segregation of duties, system change management.  Early buy-in is highly recommended.

2) Orient – Review of cybersecurity in relation to related systems and regulatory requirements.

3) Create a Current Profile – Based on the Framework Core.

4) Conduct a Risk Assessment – Assessment of the operational environment in relation to the likelihood of an event and its potential impact.  This step should include looking at how systems are accessed internally and how remote employees access your systems externally.  The second part of this task is to understand what employees need to access vs. what they should not need to access.  Private client information should not be readily accessible to all employees of the firm.

5) Create a Target Profile – Desired cybersecurity outcomes.

6) Determine, Analyze and Prioritize Gaps – Comparison of the current state of cybersecurity vs. the desired state, and what it will take to move to the desired state.  The ability to implement all changes quickly will be constrained by time and money.  As such, your first priority should be the items that, if not done, will expose you to financial loss, regulatory action, brand damage, and/or client loss.

7) Implement Action Plan – Determination of activities to implement based on previous steps.  There will be unforeseen consequences to your cyber risk mitigation strategies.  It is recommended to test the effects, prior to widespread implementation, to avoid business disruptions.

So what is the liability for doing nothing?  According to the Federal Trade Commission the liability is great – “Further, a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition.  The Commission has settled more than 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.”  (Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches before the Committee on Commerce, Science and Transportation, Washington DC March 26, 2014)

But how much do you spend?  A recent survey of senior IT officials by BAE Systems Applied Intelligence showed that 15% of the IT budget today is allocated to security.  It is better to prepare for a threat that may never touch your firm than to be in a reactive mode when a situation occurs.

To read the full report, see “Framework for Improving Critical Infrastructure Cybersecurity”.

Author: Regis Quirin
Regis Quirin is a financial executive with 23 years of corporate experience (e.g. New York Stock Exchange, JP Morgan Chase, and GMAC ResCap) and 15 years working with small and medium-sized entities (e.g. joint ventures, start-up entities, established businesses). In 2014, Regis published "Redesign to Turnaround Underperforming Small and Medium-Sized Businesses", available via Amazon.