A Beginner’s Guide to Information Security Frameworks

Checklists turn out…to be among the basic tools of the quality and productivity revolution in aviation, engineering, construction – in virtually every field combining high risk and complexity. Checklists seem lowly and simplistic, but they help fill in for the gaps in our brains and between our brains. – Atul Gawande

Just as checklists tame the complexity of difficult processes, Information Security (IS) frameworks serve a similar purpose for IS practitioners, IT managers, and business and risk executives, so that they need not define the necessary controls from scratch. The purpose of this post is to introduce the important frameworks used in the IS world.

What are IS frameworks?

The Cambridge Dictionary defines a framework as ‘a structure around or over which something is built’; similarly, an IS framework helps the organization steer, manage, and implement its IS controls. These frameworks provide a holistic list of controls that should be implemented to manage the risks of an organization. At present, there are 10 major IS/Cyber Security frameworks used to reduce vulnerabilities across organizations.

Why IS frameworks?

In addition to providing a comprehensive set of ‘must-have’ controls, IS frameworks also set a minimum benchmark of controls that should be implemented. Depending on the industry, each framework is tailored to suit that industry’s requirements so that the controls are as effective as possible.

Regardless of size, industry, or nature of business (public, private, or non-profit), any organization can reference the controls described in a framework.

Following are some of the activities supported by using an IS framework:

Control-gap analysis – Comparing the current security controls with an industry-standard reference makes it possible to perform a control-gap analysis and to make control recommendations that support the organization’s primary activities.

Prioritize controls – No organization can have all the controls implemented all the time. By performing the gap analysis (see above), organizations know exactly which controls should be prioritized to close the current gaps and raise maturity levels.

Determine the current state – Some frameworks, like COBIT 5, include a maturity model that can be baselined and then periodically reassessed against the specified control objectives.

Minimize third-party risks – All the frameworks have some controls specifying the minimum requirements for vendors. This also gives vendors a head start in building on the controls presented in the framework.

Standardized process for all BUs – In a large organization, the collaboration between different business units isn’t cohesive. Guidance from the framework ensures that all the BUs adhere to the same set of requirements. This also helps in comparing the common key risk, performance, and control indicators (KRIs, KPIs, and KCIs).

The frameworks:

Following are the most common frameworks an IS practitioner should be aware of:

☀ ISO/IEC 27001/2

☀ NIST Cyber Security Framework (CSF)

☀ NIST Special Publication (SP) 800-53

☀ COBIT 5

☀ HITRUST Common Security Framework (CSF)

ISO/IEC 27001/2

The ISO/IEC 27001/2 series originated from BS 7799 and ISO/IEC 17799. First published in 2005, its most recent version, ISO/IEC 27001:2013, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. [1]

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s). [2]

In simple terms, ISO 27001 briefly defines the controls against which the organization is audited, whereas ISO 27002 provides best-practice recommendations for implementing and maintaining the ISMS that individuals must follow in order to support ISO 27001.

Why use ISO 27001/2?

  • To be certified by an external auditor, demonstrating compliance with ISO/IEC 27002
  • Widely recognized framework with extensive guidance available

NIST Cyber Security Framework (CSF)

The latest NIST CSF was released in 2017, following the executive order by former President Barack Obama. The NIST CSF can be considered a customized version of ISO 27001, primarily for US-based organizations. The framework is especially regarded for its simplicity and for a holistic approach that is readily understood across a broad range of industries.

Why use NIST CSF?

  • To relate the required controls closely to the business drivers
  • Mapping against the NIST CSF lets the leadership team determine the scope, after which the management team can focus on implementing the required controls, guided by the CSF’s mapping to the NIST SP 800-53 controls.
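The control-gap analysis and prioritization steps described earlier, driven by the CSF-to-800-53 mapping mentioned here, as an added example that is not part of the original post. The mapping, the current-state maturity scores and the target level are constructed for illustration (the control IDs are real 800-53 identifiers, but the reduced mapping is an assumption, not the official NIST mapping):

```python
# Constructed, illustrative mapping from NIST CSF subcategories to NIST SP 800-53
# control identifiers. Assumption for this example, not the official NIST mapping.
CSF_TO_80053 = {
    "PR.AC-1": ["AC-2", "IA-2", "IA-5"],   # identities and credentials are managed
    "PR.DS-1": ["SC-12", "SC-28"],         # data at rest is protected
    "DE.CM-1": ["AU-12", "SI-4"],          # the network is monitored
    "RS.RP-1": ["IR-4", "IR-8"],           # response plan is executed
}

# Constructed current state: control ID -> maturity level (0 = not implemented,
# 5 = optimized), in the spirit of the maturity baseline the post describes.
# Controls absent from this dict are treated as not implemented.
CURRENT_STATE = {"AC-2": 3, "IA-2": 4, "SC-28": 1, "AU-12": 2, "IR-4": 3}

# Assumed minimum maturity the organization wants every mapped control to reach.
TARGET_MATURITY = 3


def gap_analysis(mapping, state, target=TARGET_MATURITY):
    """Compare the current state against the reference mapping.

    Returns {subcategory: [(control, current_level, shortfall), ...]} listing
    only the controls whose maturity is below the target.
    """
    gaps = {}
    for subcat, controls in mapping.items():
        below_target = []
        for ctl in controls:
            level = state.get(ctl, 0)
            if level < target:
                below_target.append((ctl, level, target - level))
        if below_target:
            gaps[subcat] = below_target
    return gaps


def prioritize(gaps):
    """Rank subcategories by total maturity shortfall, largest first.

    Ties are broken alphabetically so the ordering is deterministic.
    """
    scored = [(sum(s for _, _, s in g), subcat) for subcat, g in gaps.items()]
    return [subcat for _, subcat in sorted(scored, key=lambda t: (-t[0], t[1]))]


if __name__ == "__main__":
    found = gap_analysis(CSF_TO_80053, CURRENT_STATE)
    for subcat in prioritize(found):
        print(subcat, found[subcat])
```

In practice the mapping and state would be loaded from the organization’s control inventory rather than hard-coded, and the shortfall weights could be adjusted by business impact.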

Further reading: NIST CSF

NIST Special Publication (SP) 800-53

Unlike the NIST CSF, complying with NIST 800-53 is a regulatory requirement, encompassing the processes and controls needed for government-affiliated entities. All federal agencies that operate under the Federal Information Security Management Act (FISMA) are required to use NIST 800-53. Operating under NIST 800-53 is also a requirement under FIPS 200. [3] By contrast, the NIST CSF is voluntary for organizations and allows more flexibility in its implementation.

Why use NIST 800-53?

  • All federal agencies and information systems are required to comply with NIST 800-53
  • NIST 800-53 is the most comprehensive framework and addresses all the security controls in detail

Further reading: NIST 800-53

COBIT 5

COBIT 5 is a set of frameworks that guide the governance and management of enterprise IT. Unlike other frameworks, COBIT 5 covers not only Information Security but also IT assurance, compliance, IT operations, governance, and security and risk management.

COBIT 5 for Information Security [4] is a supplemental guide to the overall COBIT 5 framework, the overarching business and management framework for the governance and management of enterprise IT. [5]

Why use COBIT 5?

  • Excellent community support from ISACA and its members
  • Addresses not just Information Security but all the aspects of enterprise IT

HITRUST Common Security Framework (CSF)

The HITRUST CSF was developed to address the multitude of security, privacy, and regulatory challenges facing organizations. By incorporating federal and state regulations, standards, and frameworks, and by taking a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. [6]

Why use HITRUST?

  • Cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, NIST, PCI, HIPAA, and state laws
  • Follows a risk-based approach, offering multiple levels of implementation requirements determined by specific risk thresholds

Further reading: webinar explaining the implementation of NIST CSF based on HITRUST – Link

Conclusion:

Having an Information Security/Cyber Security framework can help immensely in benchmarking the current state and deciding on the next steps of the IS program. Notably, the frameworks overlap and can be cross-referenced with one another while being customized to each organization’s needs. However, the effectiveness of a framework can only be realized when (1) the management team has the complete support of the leadership team, and (2) all business units work together to achieve a common goal that supports the strategy of the organization.

References:

  1. https://www.iso.org/standard/54534.html
  2. https://www.iso.org/standard/54533.html
  3. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
  4. http://www.isaca.org/cobit/pages/info-sec.aspx
  5. http://www.isaca.org/COBIT/Pages/Product-Family.aspx
  6. https://hitrustalliance.net/understanding-leveraging-csf/