The National Institute of Standards and Technology (NIST) said businesses that refer to the framework should be able to reduce risks to their systems. NIST was asked to lead the development of the framework by US President Barack Obama earlier this year.
Under Secretary of Commerce for Standards and Technology and NIST director Patrick Gallagher wants the draft framework (47-page / 1.05MB PDF) to be reviewed and tested by organisations before the final version is released in February.
"We want to turn today's best practices into common practices, and better equip organisations to understand that good cybersecurity risk management is good business," Gallagher said. "The framework will be a living document that allows for continuous improvement as technologies and threats evolve. Industry now has the opportunity to create a more secure world by taking ownership of the framework and including cyber risks in overall risk management strategies."
The framework developed by NIST encourages businesses to understand the risks to their systems, data, assets and capabilities and then put in place "appropriate safeguards" to ensure they can deliver critical infrastructure services. The framework also requires businesses to be able to detect attacks to their systems and outlines how they should respond to and recover from cyber security events.
A further more detailed checklist outlines practical steps the companies making use of the framework can do to identify, protect against, detect, respond to and recover from risks and attacks. These measures include carrying out risk assessments, limiting access to data, training staff on information security and monitoring for cyber attacks and ensuring the systems put in place to repel them are effective.
