There is no one-size-fits-all solution when it comes to information security frameworks and guidelines.
Understanding all of the different security and risk frameworks can be daunting. This is a simplified guide intended to help you understand the basics of different information security frameworks, why you might need them, and how to go about choosing the right one for your business, while still considering relevant industry standards, laws, and regulations.
Spoiler alert: no option exists that will solve all of your risk mitigation and security problems, or even a narrow slice of them, on its own. It must be operationalized by people. If you need support with this, we can help, but let’s first start with an understanding of where to begin.
There are four primary steps you need to take in order to align the right information security framework with your organization’s unique customer and business outcomes.
Step 1: Understand which framework best aligns with your needs
If you’re new to the idea of security frameworks, it may be helpful to think of one as a structure that supports the work of securing your digital assets and information. There are many types of information security frameworks for different purposes, but (at the risk of overgeneralizing) each of them is essentially a system of guidelines and best practices that will help you keep your organization secure. Depending on your industry, sector, business domain, and organizational profile, here are the most common industry-recognized frameworks for you to consider.
NIST Cybersecurity Framework (NIST CSF)
The National Institute of Standards and Technology (NIST) developed NIST CSF to manage cybersecurity risk by providing standards, guidelines, and best practices to identify, protect, detect, and respond to cybersecurity threats. NIST CSF was developed with critical infrastructure in mind, but it has proven flexible enough to be utilized by a range of companies across all industry sectors.
As part of the NIST Risk Management Framework (RMF), NIST 800-53 is a set of procedures and criteria for assessing and documenting threats and vulnerabilities. NIST 800-53 provides direction for implementing security measures to minimize the risk of adverse information security events.
ISA 62443 is a series of standards, technical reports, and related information that defines procedures for implementing electronically secure Industrial Automation and Control Systems. It applies to industrial communication networks and covers securing networks, embedded devices, and other relevant applications.
ISO 27001 is an international standard that can be used by internal and external parties to assess an organization’s ability to meet its own information security requirements.
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit organization focused on improving the security of web applications. OWASP publishes the OWASP Top 10, an awareness document for web application security.
The Center for Internet Security (CIS) Controls are a prioritized set of actions aligned with the latest cyber threat data and are designed for use by any organization to improve their cybersecurity posture.
The COBIT framework assists in the governance and management of enterprise IT with guidance and benchmarks.
The Cloud Security Alliance (CSA) offers security guidance for the purpose of improving security and mitigating risk in the adoption of cloud computing technologies.
Step 2: Consider industry standards
Depending on your scenario, there may be specific industry standards that you need to consider based on your product, service, and/or business operations.
FedRAMP is a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services for cloud service providers (CSPs) working with US government agencies.
Payment Card Industry (PCI) Security Standards Council is a global forum that creates security standards for payment account security. It maintains, updates, and promotes the Payment Card Industry Security Standards and provides tools for implementation of the standards.
Step 3: Review laws and regulations
Some industries have clear regulatory requirements that must be adhered to, often requiring validation by audit or certification for ongoing compliance. But even if your business isn’t subject to specific regulations, it can be helpful to maintain an awareness of different regulatory requirements in the event that your customers reside in specific geographic areas, or you do business with a partner who does.
California Consumer Privacy Act (CCPA)
Consumers have the right to receive details about personal information collected about them. CCPA protects the constitutional right of privacy by giving consumers more control over the personal information that businesses collect about them, including sources and third parties with which the information is shared. CCPA also requires businesses to give consumers certain notices explaining their privacy practices.
Health Insurance Portability and Accountability Act (HIPAA)
Did you know HIPAA stands for Health Insurance Portability and Accountability Act? (No? You’re welcome.) This legislation was passed in the United States in 1996. It provides health information privacy and security provisions for the protection of patients.
General Data Protection Regulation (GDPR)
The European Union General Data Protection Regulation (GDPR) provides privacy protection to EU citizens as a fundamental right, allowing the individual to direct how their personal data may and may not be used, and directing companies in providing such protections.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act is a United States law intended to protect investors by improving the accuracy and reliability of corporate financial reporting.
Step 4: Evaluate and consider
Take time to evaluate and consider what the right solution is for your business, and you’ll be well on your way to the next step in information security maturity. If you’d like help talking through pros and cons of different scenarios and solutions, we can help.
Whichever framework makes sense in your scenario, any solution must be operationalized. It requires a solution that brings together all of the necessary framework components into an effective information security program. The way this happens is through people.
Kalles Group has walked this path with many of our clients, and we can bring enterprise company concepts into right-sized solutions for your organization. We can help you reach the next level of maturity by simplifying these concepts so you can internalize them, act on them, and improve your cybersecurity posture.
If you need help talking through your scenario with an expert, or if there is more you’d like to see addressed in this article, contact us today.