An effective cybersecurity strategy requires thought, planning, and execution. But with so many security tools, services, and standards to choose from, figuring out a course of action can be daunting.
Companies need a frame of reference – a model they can follow to make the right security investments. That’s why cybersecurity frameworks exist; they provide standards and practices to build and maintain cyber defenses and develop good cyber hygiene.
So, which security framework should you choose? It comes down to a set of variables, including assets that need protection, your company’s risk profile, and industry regulations. It’s important to note; you may have to choose more than one! You should select a great baseline framework, but also add in the industry and regulatory specific frameworks which apply to your business.
Choosing Your Framework
Some security frameworks are industry-specific and others more general. To better understand cybersecurity frameworks, let’s examine some commonly used frameworks and how they are developed.
NIST Frameworks
The National Institute of Standards and Technology (NIST) is a government agency that has developed several frameworks, each addressing specific aspects of security:
- The NIST Cybersecurity Framework (CSF) provides organizations with guidelines and best practices focused on five primary elements – identify, protect, detect, respond and recover.
- NIST Special Publication 800-53 provides guidelines for federal agencies on how to meet Federal Information Security Modernization Act (FISMA) requirements to build security and resiliency in their information systems. There are three baselines for 800-53: Low, Moderate, and High, ranging from ‘less secure’ to more secure. NIST SP 800-171 consists of guidelines for manufacturers that work with the government to ensure the protection of sensitive information.
DOD’s CMMC
The Cybersecurity Maturity Model Certification (CMMC) borrows from several frameworks to provide unified standards for cybersecurity across the Defense Industrial Base. The goal is for companies to demonstrate they can protect sensitive unclassified information.
CIS Cybersecurity Framework
Created by the non-profit Center for Internet Security (CIS), this framework lists 18 best practices for developing and implementing a layered cybersecurity strategy. CIS aligns with the NIST CSF with actionable points for NIST’s five elements.
ISO 27001
ISO 27001 is the international standard for information security, providing guidance for organizations to “establish, implement, operate, monitor, review, maintain, and continually improve” their security systems.
As we mentioned, many frameworks are driven by regulations or industry requirements. Examples include:
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is one of the best-known regulations-based frameworks because it affects everyone. Enacted by Congress in 1996, it sets out rules for protecting medical records and individuals’ private health information.
HITRUST CSF
The Health Information Trust Alliance (HITRUST) is a non-profit organization that developed a framework with more than 40 security and privacy-related regulations and standards to achieve compliance with ISO and HIPAA standards, among others. Although HITRUST has traditionally been focused on healthcare, the framework is now resonating with other industries as an enterprise risk management and/or third-party risk assurance solution.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that handles credit and debit card transactions. It consists of 12 requirements to protect payment card data, including protection against malware, restricting access to the data, and periodically checking security controls.
GDPR
Europe’s General Data Protection Regulation (GDPR) is the world’s most comprehensive privacy regulation, stipulating the types of personal data companies can collect and when, and how long they can keep it.
What Happens After I Select a Framework
Once you decide which framework – or combination of frameworks – suits your specific needs, the next step is to assess the company’s existing IT security solution against the framework(s) in order to identify gaps.
This can be an involved process that for many companies requires help from an outside source, such as a managed security service provider (MSSP) with virtual Chief Information Security Officer (vCISO) services. Some gaps are glaring, while others are more subtle. More often than not, an assessment reveals gaps you didn’t know about, and that helps you build a more actionable plan.
There are some great free resources that you can use to get started with a gap analysis, including the CIS cybersecurity assessment tool (CSAT).
Build a Roadmap
After you identify your security gaps, you need a plan to address them. This requires a combination of strategic thinking and pragmatism. Long term, you want to achieve the best security posture possible but, short term, you should tackle the basics. Immediate steps include patching systems, implementing strong password policies, and restricting user privileges. The most sensitive data should be accessible to only those who need it.
From there, you can move on to other measures, such as upgrading outdated systems, investing in new security tools, and launching user awareness programs to prevent phishing and ransomware attacks.
Security investments deliver a different type of ROI. It involves measuring what you put in against what you would lose in a data breach. A cyber attack can cost millions of dollars from lost sales and productivity, remediation, and legal costs. Less tangible costs include reputational damage and loss of customer trust. Taking all these into account, cybersecurity is a necessary investment.
Next Steps
Building a robust cybersecurity posture is complex, but you don’t need to go it alone. Buchanan offers a full suite of cybersecurity services and consulting to guide you through the process of choosing and achieving compliance with a security framework and getting you on the journey to better security.
Services include cyber risk assessments, virtual CISO consulting, vulnerability management, and cybersecurity training. Buchanan also offers security monitoring tools and services so that you – or we on your behalf – can keep a constant eye on your environment to prevent cyber attacks. Contact us to learn more.
