[author: Kevin Gorsline]
An information security framework, when done properly, will allow any security leader to more intelligently manage their organization's cyber risk.
The framework consists of a number of documents that clearly define the adopted policies, procedures, and processes by which your organization abides. It effectively explains to all parties (internal, tangential, and external) how information, systems, and services are managed within your organization.
The main point of having an information security framework in place is to reduce the organization's risk and its exposure to vulnerabilities. The framework is your go-to reference in an emergency (for example, when someone breaks into your systems), and it also defines the day-to-day procedures designed to keep that exposure low.
Implementing a solid information security framework provides a host of advantages if you are trying to instill confidence in an industry or establish a strong reputation with potential business partners and customers. The framework lets these parties understand how you will protect their data or services from harm.
Think of it this way: if anyone asks what you would do if a given cyber incident occurred, any authorized person in your organization could look up the procedure in the framework and give the same answer to any third party, whether a regulator, a customer, a business partner or a service provider.
Now, there are hundreds of information security frameworks in existence today, and finding the right one for your organization is not always easy for the uninitiated. They do not fit neatly into a single matrix: some are tied to a geography or jurisdiction, some to an industry, and some to a particular technology.
The first step is to get familiar with the more well-known frameworks available today. Of course, there is a ton of overlap between frameworks, and that is actually an advantage. Once you align with your preferred framework, you can much more easily align with additional ones, such as those that provide certification, for example.
Below we’ve outlined some key frameworks that are widely used.
NIST Cybersecurity Framework
NIST (the National Institute of Standards and Technology) is a federal agency within the United States Department of Commerce. Its mission is to develop and promote measurement science, standards, and technology in ways that enhance productivity, facilitate trade, and improve the quality of life.
The institute also establishes IT standards and guidelines for federal agencies. Since 2014, the NIST Cybersecurity Framework (CSF) has provided guidance on managing and reducing cybersecurity risk. It was originally written for critical-infrastructure organizations; version 2.0, released in 2024, addresses organizations of every size and sector.
The framework is entirely voluntary, but it is designed to increase the resilience of an organization's defenses.
The Cybersecurity Framework consists of three main components:
- The Framework Core provides a set of desired cybersecurity activities and outcomes in common language that is easy to understand. It is organized into high-level Functions (Identify, Protect, Detect, Respond, Recover and, as of version 2.0, Govern), each broken down into Categories and Subcategories.
- The Framework Implementation Tiers describe how rigorously an organization's cybersecurity risk management practices are applied, from Partial (Tier 1) through Risk Informed and Repeatable to Adaptive (Tier 4).
- Framework Profiles align the Core's outcomes with the organization's business requirements, risk tolerance, and resources. Comparing a Current Profile with a Target Profile identifies and prioritizes opportunities for improvement.
The framework helps an organization prioritize activities by their importance to business continuity and security. It provides a common language for discussing cybersecurity risk management that is understood both inside and outside the organization, which is particularly useful when talking to supply-chain partners who want assurance about the risk you pose to them.
ISO 27000 Series
The ISO/IEC 27000 series is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Because it is broad in scope, any type or size of organization can benefit from being familiar with it and adopting its recommendations as appropriate to its industry and business type.
The series describes a systematic approach to managing sensitive information securely through an information security management system (ISMS). An ISMS covers the management of risk across people, processes, and IT systems.
The ISO 27000 family is divided into a number of individual standards. Some address specific industries, while others address particular operational choices; ISO/IEC 27017 and 27018, for example, cover cloud services and the protection of personal data in public clouds. It's plain to see that the family is vast in scope.
ISO/IEC 27001, for example, follows a six-part approach:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability (SoA).
It is a useful tool when starting to form your framework, and many companies benefit by actively seeking certification against ISO/IEC 27001, the requirements standard in the family that organizations are audited and certified against.
PCI DSS
PCI DSS, the Payment Card Industry Data Security Standard, is maintained by the PCI Security Standards Council, which was founded by the major card brands. It was created to ensure that businesses that process card payments do so securely and to help reduce card fraud.
This is achieved by enforcing tight controls over the storage, transmission, and processing of the cardholder data that businesses handle.
The standard has 12 principal requirements, grouped under these six goals:
- Build and maintain a secure network and systems.
- Protect card data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
More Holistic Frameworks
In addition to the frameworks above, let’s take a look at some holistic frameworks which take a general, risk-based approach to information security by prescribing controls that directly counteract an organization’s defined security risks.
- NIST Special Publication 800-53 is a catalog of security and privacy controls developed by NIST. Federal agencies must select controls from SP 800-53 (and assess them using the procedures in SP 800-53A) when handling government data. If your organization plans to do business with the federal government or its contractors, expect to be held to this standard or to one derived from it, such as SP 800-171 for controlled unclassified information held by contractors.
- The AICPA Trust Services Criteria are the set of controls used in SOC 2 and SOC 3 engagements. They cover five categories: security (which every SOC 2 report must address), availability, confidentiality, processing integrity, and privacy. SOC 2 focuses on a service organization's controls as they relate to these categories, as opposed to SOC 1 (often referred to by its attestation standard, SSAE 18), which is focused on controls relevant to its customers' financial reporting.
- COBIT (Control Objectives for Information and Related Technologies), published by ISACA, is an IT governance and management framework that uses processes, control objectives, management guidelines, and maturity modeling to align IT with business goals. It maps to other widely used frameworks and standards (ITIL, ISO 2700x, COSO), which makes it easier to demonstrate regulatory compliance.
The choice to use a particular IT security framework can be driven by multiple factors. If your organization processes credit cards, then you're contractually required to meet the PCI DSS controls. If you're handling electronic protected health information (ePHI), then you'll need to meet the HIPAA Security Rule. If you're dealing with the federal government, NIST SP 800-53 is your starting point. Publicly traded companies will often select COBIT in order to more readily comply with Sarbanes-Oxley (SOX). A more mature security organization may select ISO 2700x, as that framework applies in any industry, even though implementation is long and involved and the certification process is a rigorous one.
Any one of the frameworks we’ve mentioned here may be a good fit for your organization, and there are even more to choose from than those we’ve listed. No matter what your choice, remember: the only wrong choice here is not to choose.