What is an information security framework and why do I need one?

An information security framework, when done properly, allows a security leader to manage their organization's cyber risk far more intelligently.

The framework consists of a set of documents that clearly define the policies, procedures and processes your organisation has adopted and abides by. It explains to all parties (internal, tangential and external) how information, systems and services are managed within your organisation.

The main point of having an information security framework in place is to reduce risk levels and the organization's exposure to vulnerabilities. The framework is your go-to document in an emergency (for example, when someone breaks into your systems), and it also sets out the daily procedures designed to reduce your exposure to risk in the first place.

Implementing a solid information security framework provides a host of advantages if you are trying to instill confidence in an industry or establish a strong reputation with potential business partners and customers. The framework lets these parties understand how you will protect their data or services from harm.

Think of it like this: if anyone asks at any time what you would do if a given cyber disaster happened, any authorized person in your organization should be able to look up the procedure in the framework and give exactly the same answer to a third party, whether that is a regulator, a customer, a business partner or a third-party provider.

Now, there are hundreds of information security frameworks in existence today, and finding the right one for your organisation is not always an easy task for the uninitiated. They do not fit neatly into a single matrix: there are geographical (regional) frameworks, industry-specific frameworks and technology-specific frameworks.

The first step is to get familiar with the better-known frameworks available today. There is a great deal of overlap between frameworks, and that is actually an advantage: once you align with your preferred framework, you can much more easily align with additional ones, such as those that offer certification.

Below we've outlined some key frameworks that are widely used.

NIST Cybersecurity Framework

NIST (National Institute of Standards and Technology) is a federal agency within the United States Department of Commerce. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

The institute also establishes IT standards and guidelines for federal agencies. Since 2014, the NIST Cybersecurity Framework has provided guidance to help organizations manage and reduce cybersecurity risk; it was originally aimed at critical-infrastructure operators but is applicable to any organization.

The framework is voluntary, but it is designed to increase the resilience of an organization's defences.

The Cybersecurity Framework consists of three main components:

  • The Framework Core provides a set of desired cybersecurity activities and outcomes, organized into five Functions (Identify, Protect, Detect, Respond and Recover), using common language that is easy to understand.
  • The Framework Implementation Tiers give context on how an organization views cybersecurity risk management and how mature its risk-management practices are.
  • Framework Profiles describe the organization's current and target cybersecurity posture and are primarily used to identify and prioritize opportunities for improvement.

NIST's guidance helps an organization prioritize activities based on their importance to business continuity and security. It provides a common language for cybersecurity risk management that is understood both inside and outside the organization, which is particularly useful when discussing the supply chain and giving partners assurance that you manage risk to an agreed level.

ISO 27000 family

The International Organization for Standardization (ISO), together with the IEC, develops the ISO/IEC 27000 series. Because it is broad in scope, any type or size of organization can benefit from being familiar with it and adopting its recommendations as appropriate to its industry and business type.

At the centre of the ISO 27000 series is the information security management system (ISMS): a systematic approach to managing sensitive information securely that covers risk for people, processes and IT systems.

The ISO 27000 family is divided into a number of sub-standards, some of which apply to specific industries, while others address specific operational choices (such as ISO 27017, which covers security controls for cloud services). It is plainly vast in scope.

ISO 27001, for example, builds the ISMS through a six-part approach:

  • Define a security policy
  • Define the scope of the ISMS
  • Conduct a risk assessment
  • Manage identified risks
  • Select control objectives and controls to be implemented
  • Prepare a statement of applicability

It is a useful tool for starting to form your framework, and many companies benefit from actively seeking certification. Note that ISO 27001 is the standard an organization is certified against; the other members of the family (such as ISO 27002) are guidance that supports it.

PCI DSS

PCI DSS is the worldwide Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council that the major card brands founded. It was initiated to ensure that businesses processing card payments do so securely, and to help reduce card fraud.

It achieves this by requiring tight controls around the storage, transmission and processing of the cardholder data that businesses handle.

The standard has 12 principal requirements, grouped under six categories:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management programme
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
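
As an added example (not part of the original article, and not code from the PCI Security Standards Council), the following Python script shows one concrete control behind "Protect cardholder data": it scans log lines for primary account numbers (PANs), confirms candidates with the Luhn checksum that card numbers must satisfy, and masks each one to its first six and last four digits, the maximum PCI DSS has traditionally allowed to be displayed. The log lines, the regular expression and the function names are assumptions made for this illustration; the card numbers are widely published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The \b anchors stop a longer digit run (for example a 20-digit ID) from matching partially.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits and replace the rest with 'X'.

    Separators are dropped, so the masked form is always a single token."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Mask every Luhn-valid PAN in one log line. Returns (redacted_line, pans_found)."""
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)      # e.g. an order ID that merely looks like a PAN
        found += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_replace, line), found


def redact_log(lines):
    """Redact a sequence of log lines. Returns (redacted_lines, total_pans_found)."""
    redacted, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        total += n
    return redacted, total


# Constructed sample log lines for this example (assumed format, not from any real system).
# The card numbers are widely published test PANs, not real accounts.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  checkout ok card=4111111111111111 amount=19.99",
    "2024-03-01T10:15:09Z DEBUG gateway request pan='5500 0000 0000 0004' cvv=***",
    "2024-03-01T10:16:44Z WARN  retry order_id=1234567890123456 attempt=2",
    "2024-03-01T10:17:01Z INFO  amex 3782-822463-10005 approved",
]


if __name__ == "__main__":
    lines, n = redact_log(SAMPLE_LOG)
    for line in lines:
        print(line)
    print(f"{n} PAN(s) masked")
```

Run as a script it prints the four lines with the three genuine card numbers masked and the order ID left untouched. The Luhn check matters because a bare digit-length match would also redact order numbers, timestamps and other identifiers and make the logs useless; in practice this logic belongs in the logging layer so that full PANs never reach disk, since any system that stores PANs, logs included, falls within PCI DSS scope.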

More Holistic Frameworks

In addition to the frameworks above, let's take a look at some holistic frameworks, which take a general, risk-based approach to information security by prescribing controls that directly counter an organization's defined security risks.

  • NIST Special Publication 800-53 is a catalogue of security and privacy controls developed by NIST, an agency within the U.S. Department of Commerce. Federal agencies, and contractors operating systems on their behalf, must apply SP 800-53 controls when handling government data, and the companion SP 800-53A provides the procedures for assessing those controls. If your organization plans to do business with the federal government or its contractors, you will be required to comply with this standard.
  • AICPA Trust Services Principles and Criteria (SOC) is the set of controls used in SOC 2 and SOC 3 engagements. It rests on five trust principles: Security, Availability, Confidentiality, Processing Integrity and Privacy. SOC 2 focuses on a business's non-financial reporting controls as they relate to those five principles for a given system, as opposed to SOC 1 (an SSAE 18 engagement), which covers the controls relevant to a customer's financial reporting.
  • COBIT (Control Objectives for Information and Related Technologies) is an organizational security and integrity framework that uses processes, control objectives, management guidelines and maturity modelling to ensure IT is aligned with the business. It maps to other frameworks and standards such as ITIL, ISO 2700x and COSO, which helps with regulatory compliance.


The choice of a particular IT security framework can be driven by multiple factors. If your organization processes credit cards, you are required to meet the PCI DSS controls. If you are handling electronic protected health information (ePHI), you will need to meet the HIPAA regulations. If you are dealing with the federal government, NIST SP 800-53 is your starting point. Publicly traded companies will probably select COBIT in order to comply more readily with Sarbanes-Oxley (SOX). A more mature security organization may select ISO 2700x, as that framework applies in any industry, even though the implementation process is long and involved and the certification process is rigorous.

Any one of the frameworks mentioned here may be a good fit for your organization, and there are even more to choose from than those listed. Whatever your choice, remember that the only wrong choice is not to choose.

TBG Security is here to help. 

Hopefully you've found this piece useful, but knowing how to extract what you need quickly and efficiently takes experience and expertise. If you are short on time or resources but want to start building a robust and future-proof cybersecurity framework, drop us a line.
