Intel Corp. released the first known use case study today detailing a seven-month pilot project to test the use of the Framework for Improving Critical Infrastructure Cybersecurity at the company.
Released a year ago today by the National Institute of Standards and Technology, the framework provides a set of voluntary guidelines designed to help raise the level of cybersecurity preparedness across the widest possible cross section of industry and government. But cybersecurity experts remain split on the value and substance of the framework and have questioned its impact in light of a string of massive data breaches during the past 18 months.
Intel, on the other hand — a company famous for employing physical and cybersecurity controls that are equal to, if not better than, those found in the most sensitive national security settings — tested the framework at two of its major corporate divisions and found that it provided enough benefit to the company’s risk management process that it plans to expand its use in the coming year.
“We felt that there was a real problem for the past few years with the focus that we’ve had on compliance, and we really needed to try to change the dialogue to risk management,” Kent Landfield, director of standards and technology policy at Intel Security, told FedScoop. The company deployed the framework to its Office and Enterprise divisions and discovered it helped to harmonize the company’s risk management technologies and language, improved visibility into Intel’s risk landscape, helped kick-start informed risk tolerance discussions across the company, and enhanced the ability of executives to set security priorities, develop budgets and deploy security solutions.
The pilot project consisted of four phases and cost Intel the equivalent of about 175 full-time employee work hours, Landfield said. It did, however, require some customization to make it work for Intel, but that was to be expected, he said.
One required change was the addition of an ecosystem tier. The framework uses so-called “implementation tiers” to provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. “That’s something that we hope NIST will pick up on in a future version of the framework,” Landfield said.
Another area of the framework that Intel had to work on was the threat category. The framework divides its core functions into categories, such as asset management, access control and detection processes. “The categories around threat were really missing,” Landfield said. “And as such, threat and incident response really needed to be beefed up.”
“The nice thing about a framework is it’s very flexible,” he said. “So we were able to make those changes fit nicely into the evaluation process as a whole, and we were able to then pass it on to the folks who were doing the evaluation.”
Intel then identified senior subject matter experts to conduct the independent risk assessment based on the framework. “One of the things that was really important to us was that we wanted to make sure the SMEs were coming at this with a clear mind,” Landfield said. “They did not know what the target scores were, they did not know what we hoped to get of this. They just did the assessment based on the conditions that we were using at the time.”
The success of the pilot project has spurred Intel to consider expanding how they use the framework, both internally in the company’s product life cycle and potentially with business partners, such as suppliers.
“The pilot project resulted in developing tools that we can reuse as we expand the Framework’s use across Intel,” the study states. Those tools included a risk-scoring worksheet, a heat map to quickly identify scores and make a comparison and customized tier definitions for people, process, technology and ecosystem.
Could Intel have discovered these lessons without the framework? Yes, Landfield said. “But the framework was the spark that made the dialogue happen. It’s that dialogue and pulling people from different parts of the organization [that enables] having those conversations about what is the acceptable level of risk in these areas of our business. Without having some spark, sometimes those things don’t happen.”