In February 2013, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, with the aim of reducing cyber risks to critical infrastructure. Is your law firm part of that infrastructure? And what does this new policy mean for cybersecurity at your law firm?
The National Institute of Standards and Technology (NIST) has put together a Cybersecurity Framework Core that presents five functions—identify, protect, detect, respond and recover—that, taken together, allow any organization to understand and shape its cybersecurity program.
That includes your firm. You can download the Core in Excel format here.
The first thing to remember is that the Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. In summary, these are:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.