Earlier this week, the US National Institute of Standards and Technology (NIST) announced a new draft version of NIST CSF 2.0, the widely acclaimed cybersecurity framework. Being the first update since its original release in 2014, NIST CSF 2.0 is designed to reflect changes in the cybersecurity landscape, broaden its applicability, and offer more comprehensive insights into its practical implementation. The goal is to have a final version of CSF 2.0 in early 2024.
If you’re a US-based organization working with large amounts of data, you’ll have to keep this one on your radar. Although NIST CSF 1.0 already introduced concepts like least privilege access management and usage monitoring, NIST CSF 2.0 introduces some changes that will have far reaching implications for your data security.
Firstly, the framework’s scope has expanded from protecting critical infrastructure, such as banks, hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This means that even when your organization was originally exempt from CSF compliance it will now have to respond and ramp up efforts. This is in line with a global trend to extend the scope of cybersecurity standards and regulations beyond critical infrastructure, such as the NIS 2 Directive in Europe.
NIST CSF now also covers how organizations have to govern cybersecurity. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks requiring serious consideration from senior leadership. Some practical implications are:
“Data Analysts hate the current access request workflow”
Data leader at online marketplace (anonymous)
If data is a core competitive asset supporting your organization’s customer experiences, cost management and decision making, you run the risk of significantly hampering your data democratization when rolling out CSF 2.0 compliance with the current access management technology and workflows. You will need to incrementally improve your maturity without disrupting your data operations. The way to achieve this is through:
Having a good understanding of your organization’s access controls and usage patterns allows you to understand your as-as and carefully plan your roadmap to CSF 2.0 compliance. It also lets you iterate incrementally from your as-is, learn from feedback loops, and adjust the implementation where needed. Monitoring capabilities will also help you comply with the reporting requirements under NIST CSF 2.0.
Dynamic data teams have to federate data security responsibilities to data owners to achieve a productive balance between least privilege access management as required by CSF 2.0, and data democratization. Without federation, data teams will be flooded with data access requests preventing them from doing their work, and creating undue hold-ups.
Automation plays a crucial part in scaling data security. It helps you save time and reduces the risk of errors that come with manual processes. Automatically detecting and prioritizing risks, auto-approving and auto-revoking access, and automating compliance using tag-based policies are essential to striking a healthy balance between data security & democratization.
I hope this helps!
Reach out if you want to learn more at firstname.lastname@example.org.