TrustCloud updates NIST Cybersecurity Framework certifications

TrustCloud strengthens its commitment to cybersecurity with the renewal of the NIST Framework compliance audits and the addition of a new one.

B

elonging to the Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST) is one of the most useful ways for companies of all types to optimize management and reduce risks in the field of cybersecurity. As leader in secure digital transactions, it is in TrustCloud’s DNA to work conscientiously with the objective of being part of this framework, taking advantage of its tools and action plans.

The CSF was born from an initiative of the Barak Obama administration in 2013, as a response to the exponential growth of cyber-attacks suffered by both public and private institutions, putting national security at constant risk. NIST was given the task of carrying it out and, although it was not the first time such a guide had been created, their project far exceeded the scope of previous manuals.

The framework is voluntary and unifies a set of standards and improved practices on risk management. It is not a rigid protocol, it is intended to complement company cybersecurity solutions, making it a great starting point for enhancing existing protocols or creating a new one. The CSF explains and provides tools to understand threats, analyze weaknesses and protect sensitive information. It is very useful in auditing procedures and also a way to strengthen the relationships of each adopting organization with its partners and collaborators.

The CSF is based on a holistic approach. In other words, it is not just a technical analysis of the cybersecurity area, but a model on which to design an entire strategy that submits processes and human resources to a continuous review.

In order for companies to develop the different actions, the Framework proposes a starting point based on 5 pillars, making it the heart of the strategy.

• Each company must be able to define its specific needs, the resources in the security area and the context. From there, it will prioritize its efforts.
• Describe the appropriate measures to contain the effects of a cybersecurity event.
• Define the activities needed to discover potential cybersecurity breaches in time.
• Cover the required actions to be taken to deal with an incident once it has already occurred.
• This function would explain the activities necessary to restore damaged capacities or services after a cybersecurity event.

The Framework Implementation Levels are defined by three points: Risk Management Process, Integrated Risk Management Program, and External Engagement. They range from Level 1 to Level 4 (1-Partial, 2-Risk Informed, 3-Repeatable, 4-Adaptable), and are geared toward how an organization views cybersecurity risk and the procedures they have in place to mitigate it. NIST encourages organizations to consider reaching Level 4, but only when considered an appropriate solution to reduce their level of risk while being realistic and cost-effective. TrustCloud is Level 3, but by this second year will reach Level 4, as its system is not only repeatable, but adaptable as well.

Industries around the world are embracing the CSF because of its flexibility, as its methodology can be adapted to any type of company, regardless of its sector or the country where it is based. Other advantages are the scalability and the simplicity of its approach, understandable to the entire technical community. The Framework is designed to suit companies of all sizes and grow with them. Although the previous circumstances of each company are crucial, the Framework is always oriented to ensure that the improvement in the performance of security systems does not have an impact on profitability.

The NIST 800-63 compliance audit, just renewed by TrustCloud, provides security and privacy controls for identity and authentication processes. In other words, the 800-63 standard is guidance on the most appropriate way to perform an identification in a remote service. Industries in any sector that perform user identification, like fintechs, will benefit from access to this seal. Since TrustCloud is a digital identity provider, this certification takes on a very relevant value. The norm proposes different levels of security, which would be applied to each transaction, depending on its use and impact. Depending on the nature of the transaction, the guide proposes from a simple identification to a complex, multifactor one. NIST 800-63 also takes into account various concerns on security and management of authentication sessions, analyzes the possible threats at each security level and the methods each solution should implement to shield any possible breach.

NIST 800-171, implemented and audited at TrustCloud, provides a set of guidelines and recommendations on how the confidentiality of Controlled Unclassified Information (CUI) should be protected, stored, and transmitted. The CUI category, for use within the United States, combines 3 former designations relating to sensitive information, and refers to material created by or on behalf of the government that requires special protection. Achieving compliance with NIST 800-171 was fundamental for TrustCloud to develop its projects in the United States.

The NIST Framework is a very comprehensive and demanding set of standards, requiring a great deal of effort on behalf of companies to obtain the necessary favorable reports. By renewing and obtaining these certifications, TrustCloud continues to demonstrate its strength as a provider of secure digital transactions, relying on powerful cybersecurity protocols, managing and reducing risks, and protecting networks and data.