Organizations should conduct inventories that catalogue the information they possess and are capable of producing, and document the circumstances under which the data may be shared, says the National Institute of Standards and Technology in a draft version of a guide to cyber threat information sharing.
The guide, announced Monday by the Gaithersburg, Maryland-based NIST, is intended to provide organizations with the key practices they need to consider when planning, implementing and maintaining information-sharing relationships, the agency said in a statement. NIST is asking for comments on the draft by Nov. 28.
“By sharing cyber threat information, organizations can gain valuable insights about their adversaries,” lead author Christopher Johnson said in the statement. “They can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise. Organizations can use this information to prioritize defensive strategies including patching vulnerabilities, implementing configuration changes and enhancing monitoring capabilities.”
The guide references the framework for addressing cyber security risks that NIST, which is part of the U.S. Department of Commerce, issued in February.
“By conducting an information inventory, an organization gains a better understanding of where its critical information resides, who owns it, how it must be protected and when it can be shared,” says the guide.
Among its other recommendations, the guide says organizations should also exchange threat intelligence with sharing partners; use open, standard formats for the efficient exchange of information; and use external sources to augment data collection and analysis.
The draft “Guide to Cyber Threat Information Sharing” is available here.