
Why NIST’s Risk Management Framework and Cybersecurity Framework also offer potential for Germany

The information security landscape worldwide is fairly diverse, with many different approaches and standards, but one country stands out in particular: Germany. While other countries rely on the American standards published by NIST (National Institute of Standards and Technology), namely the Risk Management Framework (NIST RMF) for risk management and the Cybersecurity Framework (NIST CSF) for securing critical infrastructure, Germany relies on standards of its own. In this article, we explain what advantages NIST could offer in Germany in addition to the BSI standards.

The background to the current international information security situation
The following standards are among the most widely used worldwide:
– NIST Cybersecurity Framework (CSF)
– NIST Risk Management Framework (RMF)
– ISO 27001

ISO 27001 is one of the leading frameworks for information security. Many companies require it as a prerequisite for collaboration, so certification is sought by many. Other standards, such as TISAX from the VDI and the BSI Standards 200-x, are based on the ISO standard, which further increases its popularity.

On the other side stand the standards from NIST, the US National Institute of Standards and Technology, whose two frameworks also complement each other very well. They are required by law for American federal authorities and are continuously developed further. In 2014, the US Department of Defense (DoD) replaced the DoD Information Assurance Certification and Accreditation Process, in force since 2006, with its successor, the NIST Risk Management Framework (RMF). Because the NIST RMF is mandatory for and prescribed by US authorities, it is tailored in particular to the environment of public authorities rather than to private companies. To address this situation, NIST published the NIST Cybersecurity Framework (NIST CSF) in 2014. The CSF differs fundamentally from the NIST RMF in structure: it is solely a framework, not a risk management process. NIST CSF describes the basic structure of the process in which an ISMS is embedded. The security measures that are then implemented can be borrowed from another standard, such as ISO 27001 or the supporting control catalog NIST SP 800-53, which also serves the RMF. For these reasons, NIST CSF should not be implemented on its own, but together with a catalog of measures for optimal integration. With this look at the international landscape of the various frameworks, we now turn to the situation in Germany.

The process for securing infrastructure in both the RMF and the CSF involves 5 steps:
1. Inspection and description of the system
2. Development of the security strategy
3. Implementation of the security strategy
4. Reviewing the implementation based on the risk
5. Communication and continuous further development

The BSI has created a standard for securing critical infrastructures and thus serves the same purpose as the NIST RMF. Only the approach differs significantly. The focus of the BSI standards is on mandatory measures and compliance rather than on adapting the strategy to the current risk landscape. Furthermore, the focus is on values (assets), and the standard offers little support or explanation in the area of risk management when compared with the NIST RMF. However, the standard is increasingly based on ISO 27001, as the latest changes in the 200 series compared with the 100 series show. (1)

Advantages of implementation according to BSI in Germany

These BSI standards, series 200-x and 100-4, serve as the basis for many German authorities, since under the IT Security Act of 2015 (2) operators of critical infrastructures must implement an ISMS in accordance with the state of the art (3). This fills the gap for securing critical infrastructures in the public sector, and NIST fades into the background as an alternative. In summary, the following reasons can be assumed to be responsible for this displacement:
– Simplicity of implementation via a tool. There are various tools that can be used and are in constant development, such as “verinice” or “HiScout”.
– Publication in German, whereas the NIST standards are only available in English. This point is particularly important for authorities where German is usually the official language.
– The BSI standards are based on ISO 27001, which significantly simplifies certification according to ISO 27001, which many companies are aiming for.

Advantages of implementation according to NIST in Germany

These benefits contribute a great deal to securing information, but they push other aspects into the background that we should not forget. NIST CSF and RMF offer support through a different perspective on business risk:

Freely available and easy to use:

All relevant documents published by NIST, especially the SP 800-x series, are government-funded and available free of charge, albeit only in English (4). This makes it very easy to distribute the relevant documents within a company. By contrast, with the ISO standard every reader incurs costs, which can create considerable hurdles for larger companies. The BSI standards are also freely available, but since they are tool-supported and it is hardly feasible for employees to work effectively with the IT-Grundschutz catalogs at 5082 pages, there is an additional hurdle here in readability (5).

Focus on trust and risk instead of compliance:

This offers the opportunity to reach a higher level of security more quickly, because it is easier, and more important, to involve the corporate culture. Risk management is the main objective of the Risk Management Framework, and identifying and addressing information security risks is its main focus. An ISMS according to NIST RMF therefore takes a very pragmatic approach. In comparison, risk management according to ISO 31000 or the BSI standards is very rudimentary and remains in the background or at the discretion of management. At the lower security levels, such as basic protection according to BSI Standard 200-2, there is no provision for risk management at all (6), which severely limits the possibilities for recommendations for action and continuous further development.

Focus on system development:

The system development life cycle (SDLC) is directly incorporated into risk management, so that appropriate measures and processes are implemented to safeguard information at each stage of system development. The system is, so to speak, guided by risk management in order to provide comprehensive protection (7). The SDLC is not automatically integrated into the other standards and is therefore more of an additional option that is often overlooked or not considered important.

Focus on adaptability:

Adapting the measures to the existing infrastructure offers the possibility of adding measures, deleting superfluous ones, and identifying and centrally managing cross-system measures (8). These options are firmly anchored in the process and must be authorized. This process is unique and focuses on trust in the systems rather than on compliance. It builds a bridge from rules and regulations to pragmatic and effective implementation.

Optimal adaptation to the system landscape and governance structure:

Similar to the BSI standards, concepts are offered that can either be managed comprehensively and centrally or be split into smaller umbrella concepts that are managed decentrally but remain self-contained. In comparison to ISO 27001, whose guiding principle is a management structure in the form of a committee, and which therefore involves a great deal of effort if different systems have to be certified, NIST RMF forms a process in which the actors can differ. In this way, it is easy to certify different systems at different times.

In summary, Germany is pursuing a security strategy that is based on international standards but is itself moving in the direction of automation and standardization of the security landscape. This poses a number of hurdles, particularly in terms of adaptability to the respective company. For companies in the private sector, it may be attractive to look towards the USA and consider some aspects that still receive little attention in Germany. Not only are NIST's Risk Management Framework and Cybersecurity Framework continuously developed further and tailored to the respective sector, they also offer the possibility of straightforward certification in accordance with ISO 27001, as compliance is a given. Other aspects of effectiveness, such as the focus on risk management, the integration of development processes and the focus on the agility of the company, are also becoming increasingly apparent.

Sources:
1 cf. Current status of the modernization of IT-Grundschutz, 08.06.2017, Isabel Münch
2 cf. Act to Increase the Security of Information Technology Systems (IT Security Act), dated 17 July 2015
3 cf. § 8a, Act to Increase the Security of Information Technology Systems (IT Security Act, Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme), dated 17 July 2015
4 see https://csrc.nist.gov/publications/sp800
5 see IT-Grundschutz-Kataloge, 15th supplementary edition (15. Ergänzungslieferung), 2016
6 see BSI Standard 200-2
7 see NIST SP 800-37
8 see NIST SP 800-53
