An information security framework, when done properly, will allow any security leader to manage their organization's cyber risk more intelligently.
The framework consists of a number of documents that clearly define the adopted policies, procedures, and processes by which your organisation abides. It effectively explains to all parties (internal, tangential and external) how information, systems and services are managed within your organisation.
The main point of having an information security framework in place is to reduce risk levels and the organization's exposure to vulnerabilities. The framework is your go-to document in an emergency (for example, when someone breaks into your systems), but it also outlines the daily procedures designed to reduce your exposure to risk.
Implementing a solid information security framework provides a host of advantages if you are trying to instill confidence in an industry or establish a strong reputation with potential business partners and customers. The framework allows these parties to understand how you will protect their data or services from harm.
See it perhaps like this: if anyone asks you at any time what you would do if X-cyber-disaster happened, any authorized person in your organization would be able to look up the procedure in the framework and present the exact same response to a third party, be they a regulator, a customer, a business partner, a third-party provider, etc.
Now, there are hundreds of information security frameworks in existence today. Finding the right one for your organisation is not always an easy task for the uninitiated. They are not all compartmentalized across one matrix: there are geographical frameworks, industry-wide frameworks, and technology frameworks.
The first step is to get familiar with the more well-known frameworks available today. Of course, there is a great deal of overlap between frameworks, and that is actually an advantage. Once you align with your preferred framework, you can much more easily align with additional ones, such as those that provide certification.
Below we’ve outlined some key frameworks that are widely used.
NIST (National Institute of Standards and Technology) is a federal agency within the United States Department of Commerce. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
The institute also establishes IT standards and guidelines for federal agencies. Since 2014, the NIST Cybersecurity Framework has provided guidance for critical-infrastructure organizations to better manage and reduce cybersecurity risk.
The framework is completely voluntary, but it is designed to increase the resilience of an organization’s defences.
The Cybersecurity Framework consists of three main components:
NIST offers a helpful guide that helps an organization prioritize activities based on their importance to business continuity and security. It provides a common language for addressing cybersecurity risk management, one that is understood both within and outside the organization. It can be particularly useful when discussing the supply chain and providing added assurance that you operate at low risk.
The International Standards Organization developed the ISO 27000 series. Because it is broad in scope, any type or size of organization can benefit from being familiar with it and adopting its recommendations, as appropriate to your industry and business type.
ISO 27000 describes a systematic approach to managing sensitive information securely, known as an information security management system (ISMS). It includes managing risk for people, processes and IT systems.
The ISO 27000 family is divided into different sub-standards, some of which are applicable to specific industries, while others are specific to operational choices (such as whether or not you use cloud storage). It’s plain to see that it is vast in scope.
ISO 27001, for example, includes a six-part approach:
It is a useful tool to start forming your framework, and many companies may benefit by actively seeking out certification for meeting specific ISO compliance standards.
PCI DSS is the worldwide Payment Card Industry Data Security Standard. It was initiated to ensure that businesses processing card payments do so securely, as well as to help reduce card fraud.
It achieves this by enforcing tight controls surrounding the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.
The payment standard has 12 principal requirements, all of which are covered by these six categories:
In addition to the frameworks above, let’s take a look at some holistic frameworks which take a general, risk-based approach to information security by prescribing controls that directly counteract an organization’s defined security risks.
The choice to use a particular IT security framework can be driven by multiple factors. If your organization processes credit cards, then you’re required to meet the PCI DSS controls. If you’re handling electronic Personal Health Information (ePHI), then you’ll need to meet the HIPAA regulations. If you’re dealing with the federal government, NIST 800-53 is your starting point. Publicly traded companies will probably select COBIT in order to more readily comply with Sarbanes-Oxley (SOX). A more mature security organization may select ISO 2700x, as that framework has applicability in any industry, even though the implementation process is long and involved and the certification process is a rigorous one.
Any one of the frameworks we’ve mentioned here may be a good fit for your organization and there are even more to choose from than those we’ve listed. No matter what your choice, remember, the only wrong choice here is not to choose.
Hopefully you’ve found this piece useful, but knowing how to extract what you need quickly and efficiently takes experience and expertise. If you are short on time or resources but want to start building a robust and future-proof cybersecurity framework, drop us a line.