Article written by:
Director of Information Technology Services
The National Association of Insurance Commissioners (NAIC) model law, adopted so far by eight states with state-to-state variations, requires that, to be compliant, an insurance firm operate its security and privacy program under the guidance of a Written Information Security Program (WISP).
The law, using the Ohio Cybersecurity Law (SB 273) as an example, does not provide much definition or guidance as to what to include in the WISP beyond the obvious treatment of safeguard obligations written into the law.
We believe that a well-written WISP should:
- Clearly comply with the law requiring it, whether it is the Ohio Cybersecurity Law or another statute.
- Extend beyond the obligations under any single law and account for all the risks an entity may encounter based on the types of information assets it has, its business architecture, and its other compliance obligations (e.g. HIPAA, PCI, GLBA, SEC, GDPR, CCPA, etc.).
- While tailored to each organization’s risk profile, also be easily:
  - understood by both management and operations
  - testable by internal or external assessment or audit for “certification” support purposes
We think the National Institute of Standards and Technology (NIST) family of control frameworks provides the best foundation for writing a WISP. We find, however, that when security professionals, managers and others discussing frameworks say “NIST”, they mean many different things.
NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. NIST’s activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement and physical measurement.
NIST produces special publications on many topics as guidance to the Federal bureaucracy in the use of information technology.
When we say NIST in the context of information security program formation and documentation, we see two choices, the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF):
NIST Cybersecurity Framework:
Created through voluntary collaboration between industry and government, CSF consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the CSF helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
NIST Risk Management Framework:
RMF provides a process that integrates security and risk management activities into the system development life cycle. The RMF includes the following special publications:
- NIST 800-53: NIST Special Publication 800-53 covers the steps in the RMF that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk. The security controls cover 17 areas including access control, incident response, business continuity, and disaster recovery.
- NIST 800-53A: NIST Special Publication 800-53A provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results.
- NIST 800-30: This document provides guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.
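The FIPS 199 worst-case (“high water mark”) categorization that drives baseline selection in SP 800-53, shown as an added example that is not part of the original article. The information types and their impact levels are constructed sample input, not a real system inventory; the function names are ours.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.
Added example, not from the original article; SAMPLE_INVENTORY is constructed."""
from typing import Dict, List, Optional, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# (name, C, I, A). FIPS 199 allows "not applicable" (None here) only for
# the confidentiality of public information, never for integrity or availability.
InfoType = Tuple[str, Optional[str], str, str]

def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """System security category: the highest impact per objective across all
    information types the system processes. At the system level an "n/a"
    confidentiality value floors to low, so the category starts at low."""
    category = {obj: "low" for obj in OBJECTIVES}
    for name, conf, integ, avail in info_types:
        for obj, level in zip(OBJECTIVES, (conf, integ, avail)):
            if level is None:
                if obj != "confidentiality":
                    raise ValueError(f"{name}: only confidentiality may be n/a")
                continue
            if level not in LEVELS:
                raise ValueError(f"{name}: unknown impact level {level!r}")
            if LEVELS[level] > LEVELS[category[obj]]:
                category[obj] = level
    return category

def high_water_mark(category: Dict[str, str]) -> str:
    """FIPS 200 high water mark: the system impact level is the highest of the
    three objectives, and that level selects the low/moderate/high baseline."""
    return max(category.values(), key=lambda lvl: LEVELS[lvl])

def select_baseline(info_types: List[InfoType]) -> Tuple[Dict[str, str], str]:
    category = categorize(info_types)
    return category, high_water_mark(category)

# Constructed sample: a claims system holding public rate tables,
# policyholder PII and payment instructions.
SAMPLE_INVENTORY: List[InfoType] = [
    ("public rate tables", None, "low", "moderate"),
    ("policyholder PII", "moderate", "moderate", "low"),
    ("payment instructions", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat, baseline = select_baseline(SAMPLE_INVENTORY)
    print(cat, "->", baseline, "baseline")  # high integrity drives a high baseline
```

Because a single high-impact objective lifts the whole system to the high baseline, the exercise usually pushes teams to isolate high-impact information types into their own system boundary rather than over-control everything.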
The three frameworks overlap in some ways. Given their different purposes, each also covers ground the others do not.
The NIST CSF is a voluntary program primarily aimed at private business with the original emphasis being on critical infrastructure.
The NIST RMF, in its full implementation, is a federal program and is intended for federal agencies. Many private businesses adopt NIST 800-53 for its prescriptive controls and NIST 800-30 for its risk assessment method, but other special publications that are a part of the RMF defining system authorization are government focused and do not apply to private businesses.
Unless special considerations apply (e.g., an insurance firm accepts payment cards and must meet Payment Card Industry Data Security Standard (PCI DSS) compliance; an insurance firm is focused on health markets and must meet Health Insurance Portability and Accountability Act (HIPAA) compliance; an insurance firm operates in an international marketspace, which may bring International Organization for Standardization (ISO) 27000 and/or General Data Protection Regulation (GDPR) obligations), we recommend:
- For smaller firms with limited IT sophistication and staff, developing a WISP based on the NIST CSF, with implementation priorities aligned with the Center for Internet Security’s 20 Critical Security Controls (CIS 20).
- For larger firms with more sophisticated IT infrastructure and staff, and potentially other compliance requirements (e.g. PCI, HIPAA, etc.), developing a WISP based on the NIST CSF and cross-walked to other relevant frameworks, including NIST 800-53.
Firms are often faced with priority decisions when implementing a program. We recommend prioritizing remediation efforts using the CIS 20 as a formal way of identifying “first things first.”
CIS Critical Security Controls:
Developed by the SANS™ Institute, “the CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.” There are 20 control families in total, spanning priority areas such as secure hardware and software configurations, malware defenses, data recovery, account monitoring and control, incident response and management, and penetration tests and Red Team exercises.