NIST CSF, "Cyber Security Cheat Sheet"?
NIST CSF, “Cyber Security Cheat Sheet”?
Martin Joseph is president of 360IT PARTNERS and in a recent column he referred to the NIST CyberSecurity Framework (CSF) as a “Cyber Security Cheat Sheet” While this probably didn’t resonate at NIST headquarters he has a point. The purpose of a framework is to provide a common language.
Matthew Eggers, executive director for cybersecurity policy with the U.S Chamber of Commerce, feels the framework provides stakeholders in different roles within an organization with a common language.
This is especially important for HIPAA compliance in healthcare because Health and Human Services has refused to provide a certification process for HIPAA. While their position, that HIPAA compliance is a process not an event is valid the accreditation process has worked for years in healthcare. Basically, agencies such as JCAHO are given authority to do and on-site survey (audit) of a facility and if they pass they get a certificate good for three years that is accepted throughout healthcare. To ensure that the facility stays compliant they are subject to unannounced surveys throughout the three year period and must be re-surveyed every three years. The NIST CSF provides the first set of standards that are accepted throughout healthcare. A Certified NIST CSF Risk Assessment is as close as you can get to a HIPAA certification. NIST CSF requires a process and reassessment. The Jumpstart method has built in quarterly risk assessments that are Certified NIST Risk Assessments produced by the ACR2 Solutions Automated Compliance Reporting engine, linked to the Compliance Helper NIST Policies. The Jumpstart method connects consultants (called Helpers) and clients through sophisticated software that provides a path and all of the needed content.
For more information contact Jack@compliancehelper.com