Export Compliance Daily is a Warren News publication.

NIST's Cybersecurity Framework Consistent With FTC Security Approach, Says FTC Attorney

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework, a set of risk-based guidelines that help organizations identify, implement and enhance cybersecurity, takes an approach consistent with the FTC's data security program, said Andrea Arias, an attorney with the commission's Privacy and Identity Protection Division, in a blog post Wednesday. She wrote that NIST's framework isn't a checklist or a set of standards but helps organizations assess their cybersecurity capabilities and set goals and a plan for improving and maintaining their practices. Organizations don't actually "comply" with the framework; they use it to assess risk and mitigation, she said. This is where the framework is consistent with the FTC, which in its enforcement tries to determine whether a company's data security practices and processes are reasonable, she said. "By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement." She said the alleged lapses the FTC challenged in its enforcement actions correspond to the framework's five core functions -- identify, protect, detect, respond and recover -- which help companies organize information, enable risk management decisions, address threats and improve protections by learning from previous incidents. "As the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework," wrote Arias.