How To Pick the Best Security Framework for Your Organization

essidsolutions

Planning, creating, and managing security architecture is not an easy process, and it is not one to take on without guidance. Fortunately, guidance exists across a plethora of security frameworks. Some of the frameworks are general, while others are directed at specific uses or industries. It is essential to understand the various frameworks and select the proper one or more that meet compliance, industry, and overall risk management needs.

Before implementing a framework, it is important to understand the various types of frameworks that are available and what each of them offers to organizations in their specific industry.

What Is a Security Framework?

Nicolas Poggi writes that a cybersecurity framework is “a system of standards, guidelines, and best practices to manage risks that arise in the digital world.” Sometimes standards are mandatory, as with the HIPAA statute and the PCI-DSS. In other cases, the selection of a standard is based on the unique operating environment of an organization and the industry it belongs to.

Frameworks are not all alike. Frank Kim, previous CISO for the SANS Institute, classifies frameworks into three categories.

Control Frameworks. These include a complete set of network and workstation controls. They

  • Create a security team with a basic strategy
  • Identify a baseline set of controls
  • Perform a gap analysis
  • Prioritize control implementations

Program Frameworks. A program framework is at a higher level than a control framework. It helps set up and manage an overall security program. Program frameworks

  • Perform a security program audit: internal or external
  • Build a security program appropriate for the organization and associated compliance requirements
  • Create metrics for checking for expected outcomes
  • Create streamlined communications channels between the security team and management; this is critical for full engagement with data/system owners.

Risk Frameworks. Managing security is managing risk. Understanding risk enables us to prioritize control implementations. Risk frameworks help establish policies, guidelines, and procedures for assessing and managing cybersecurity risk, including

  • Creating a risk management program
  • Defining risk assessment and management steps
  • Assessing risk and prioritizing security activities

To these three, I add a Compliance Frameworks category. Industries and governments continue to issue standards and guidelines that mandate the protection of

  • Personal privacy
  • Financial privacy
  • Critical infrastructure
  • Stakeholder transparency

These framework categories make it clear that frameworks are not just about implementing the right safeguards. They also include building overall risk management and information security programs. Selecting the right set of frameworks is a process.


What Each Framework Offers

Control Frameworks

The NIST 800-53B is a comprehensive framework. It includes controls that focus on four baselines: low-impact, moderate-impact, high-impact, and privacy control. Organizations can easily apply the proper controls based on system confidentiality and criticality.

The Center for Internet Security’s (CIS) 18 Critical Controls is a collection of safeguards critical for protecting any organization. Organizations of any size must implement these controls in some way. Sometimes this is just a stop-gap until a more comprehensive control framework is selected. In other cases, this framework might be sufficient for many small businesses.

There is no cost for either of these frameworks.

Program Frameworks

ISO 27001 is part of the international ISO 27000 series of frameworks and best practices. ISO 27001 guides what is needed to develop an overall organization security program. It includes policies, procedures, and processes for governance and for ensuring effective security outcomes.

The NIST Cybersecurity Framework (CSF) is a top-rated solution across multiple industries. Like the ISO 27001, it guides an organization as it defines and works toward information security objectives.

The ISO 27001 is available for a fee, and the CSF is free.

Risk Frameworks

Organizations should base program and control framework efforts on the results of risk assessments. Risk assessments help prioritize framework implementation tasks based on threat modeling, existing controls, and target value.

NIST SP 800-30 is a free and comprehensive risk framework. ISO 27005, part of the same series as ISO 27001, is a popular paid framework. The COSO ERM is a paid framework that is fully integrated into SOC 2 attestation audits.

Compliance Frameworks

Compliance frameworks exist at the national and state levels. The HIPAA (Health Insurance Portability and Accountability Act) security rule provides a framework with mandatory standards and recommended guidelines for protecting personal health information.

The Sarbanes-Oxley Act (SOX) does not include a framework. However, auditing firms use the ISACA COBIT framework to assess compliance.

The EU General Data Protection Regulation (GDPR) also does not include a specific framework, but the ISO 27701 (a privacy extension to ISO 27001) provides what is needed for compliance.

Finally, the payment card industry requires PCI DSS standard/framework compliance for all organizations that process payment cards.

This is not a complete list of compliance frameworks. As part of the security requirements definition process, each organization must practice due diligence to identify all relevant standards and frameworks. Best efforts to implement them are usually considered due care by the public and the courts.


When and How To Select a Framework

The processes for selecting a framework for a new or established business can differ based on the security program’s maturity. Figure 1 shows the complete process. An organization starts its process at the appropriate point. In the real world, an organization might find itself anywhere on this model. The red dashed arrows are paths needed only initially or when business conditions radically change.

Figure 1: Frameworks Selection Process

The first two steps can take place at the same time. They include selecting a risk framework and determining compliance. Determining compliance may also require adopting a compliance framework. For example, entities covered under HIPAA need to understand the necessary standards before finalizing network and system requirements.

The team needs a risk framework to guide the initial and future risk assessments. Each risk assessment includes compliance requirements.

The initial risk assessment combines the compliance requirements with the modeling of probable threats. This process is shown in Figure 2. If the organization has not yet selected a control framework, it should use the CIS 18 critical controls as a baseline until it adopts a more comprehensive framework.

Figure 2: Requirements Definition Process (from the video Select Systems Controls Based Upon Requirements)

The team should also evaluate and select a security program framework in these initial stages. The program framework is needed to manage the overall security efforts, and industry and regulatory requirements might determine the framework selected. For example, publicly traded companies might choose the ISACA COBIT framework for both program management and compliance. It is preferable to have the program framework and its associated policies in place before the team finalizes the security requirements.

Once the initial requirements are in place, IT designs and builds the infrastructure. At this point, the information resources are operational and enable business functions. Continuous risk assessments are performed for the network and each system during its life cycle. The compliance, program, and control frameworks feed the assessment, requirements management, and design activities.


Final Thoughts

Smaller organizations can usually get by with a single carefully selected framework. However, larger organizations might need multiple frameworks to manage information resources comprehensively.

An organization’s unique operating environment, compliance needs, and system/data sensitivity all play a part in what set of frameworks is needed. This is a careful process that should not be based entirely on recommendations by experts. The selection must depend on due diligence focused on understanding the organization’s needs and how best to achieve reasonable and appropriate governance, risk management, and compliance.

Before closing, it is essential to note a comprehensive framework: the Secure Controls Framework. The SCF is an open framework that supporters claim integrates everything I described across all framework types. This is a good tool for organizations that have a moderate level of security program maturity. However, it might be overwhelming for small or new organizations.
