
With the increase in cybersecurity threats, organizations that are considered part of the national critical infrastructure face a much greater risk of being attacked, and a successful attack can put national security, the economy, and public safety at risk.  The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) as a set of standards and best practices that government agencies and private sector organizations can use to manage their cybersecurity risks.  NIST CSF has since been widely adopted by organizations of all types across the U.S. and worldwide.


The RSA Archer Cybersecurity Framework Management app-pack, released in August 2017, provides organizations with a methodology to assess and measure their cybersecurity posture, address gaps and report on cybersecurity.  The app-pack enables profile owners to catalog the current state, prioritize core profile elements, and define the desired or target-state outcomes for the organization's cybersecurity program.  Assessors can then evaluate these profiles against the NIST CSF categories.  Previous assessments can be archived for comparison with the Current Profile to measure progress.  Reports and dashboards provide clear insight into the current cybersecurity state and the progress being made toward the desired state.

RSA Archer Cybersecurity Framework Profile Owner Dashboard

Based on customer feedback, the RSA Archer Cybersecurity Framework Management app-pack has been enhanced and now incorporates the newest version of the NIST Cybersecurity Framework (version 1.1), released in April 2018.  With the updated version, customers can automate the scope of their cybersecurity assessments based on the selected business process, and analyze the Current Profile against the Target Profile not only by NIST function but also by NIST category or business process.  The app-pack now tracks the NIST Cybersecurity Framework version for cybersecurity assessments and related authoritative sources.  In addition, Cybersecurity Profiles can now be approved using electronic signature capabilities.


Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack? Join us for a Free Friday Tech Huddle on Friday, September 21 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

Global businesses with an online presence know that customers from any part of the world can opt in to their services and provide their personal information. As good for business and as innocuous as this may seem, it opens these businesses up to regulation, the most visible right now being the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. GDPR applies to any business, whether based in the European Union (EU) or not, that processes the personal data of EU residents.  While GDPR may seem like "old news", the regulation provides an opening to talk about how your company's resiliency efforts are affected by privacy requirements.


To comply with GDPR, organizations have to review their approach to data and privacy management and evaluate how they control data within their business continuity (BC), IT disaster recovery (ITDR), crisis management and resilience planning systems and processes. The security requirements of GDPR (Article 32) apply to backup and DR systems and practices as well as to production systems, and the key requirements include:


  • the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.


Recovery planning has long been subject to data protection legislation, but the wider remit of GDPR is something organizations need to examine to ensure they can comply with the new rules. The following are a few areas and examples:


  • Data privacy has often been the responsibility of the Compliance or Legal group. Where a Data Protection Officer (DPO) is appointed, however, there must be proper alignment between the DPO and the BC/DR programs so that they look at GDPR compliance holistically and coordinate their efforts accordingly.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) take on greater importance and have to be closely aligned internally (between business process recovery and IT system recovery).
  • If your DR provider is non-compliant with GDPR, it could render you non-compliant, so the RTOs and RPOs between your organization and the DR provider also have to be aligned. Questions to ask include: Where is the customer data held? Will customer data be accessible and available according to the RTOs? Does your DR provider perform regular testing and evaluation to confirm they can achieve the RTOs and RPOs?
  • A personal data breach that is likely to result in a risk to individuals has to be reported by the data controller to the supervisory authority within 72 hours of becoming aware of it; a breach likely to result in a high risk must also be communicated to the affected individuals, and may require a crisis management response. Therefore, IT risk and security processes must align with crisis response and management.


In summary, the disparate parts of the organization that manage data privacy and business resiliency, internally and externally, must better coordinate their efforts to enable compliance with GDPR.
