NIST Releases Guide To Help Organizations Share Cyber Threat Data
November 18, 2014 in News
The National Institute of Standards and Technology has issued draft guidelines to help health care organizations and other industries share information about cyberattacks, FierceHealthIT reports (Dvorak, FierceHealthIT, 11/13).
Draft Guide Details
NIST’s Guide to Cyber Threat Information Sharing aims to give organizations, including health care organizations, key practices for developing, implementing and maintaining information-sharing relationships with other organizations, according to a NIST release.
Specifically, the guide assesses:
- Challenges and benefits associated with coordinating and sharing cyber threat data;
- Different information-sharing models’ strengths and weaknesses;
- Trust among organizations; and
- Considerations regarding data handling (NIST release, 11/10).
Among other things, the guide recommends that organizations:
- Articulate an adaptive approach to cybersecurity that addresses the entire cyberattack life cycle;
- Conduct an inventory of the information they possess and when it could be shared;
- Make sure they have the resources to continue sharing information;
- Protect sensitive information by being aware of information security, threats and vulnerabilities (NIST draft guide, October 2014);
- Share threat intelligence, tools and techniques with partners; and
- Use open, standard data formats (FierceHealthIT, 11/13).
Christopher Johnson, the guide’s lead author, said information-sharing on cyber threats can help organizations “learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise.” He added that organizations can use the shared information to “prioritize defensive strategies including patching vulnerabilities, implementing configuration changes and enhancing monitoring capabilities” (NIST release, 11/10).
The organization is soliciting comments on the draft guidelines until Nov. 28 (FierceHealthIT, 11/13).