The challenges of running an information security program can be overwhelming. There are so many areas to address, from encryption, to application security, to disaster recovery. Then there is the complication of compliance with regulatory requirements such as HIPAA, PCI DSS and Sarbanes-Oxley, just to name a few. How should security professionals organize and prioritize their efforts in order to build and maintain an information security program?
This is where IT security frameworks and standards can be helpful. In this tip, we delve into what an information security framework is and discuss a few of the more popular frameworks and how they are used.
What is an IT security framework?
An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security pros can utilize these frameworks to define and prioritize the tasks required to build security into an organization.
Frameworks are often customized to solve specific information security problems, just like building blueprints are customized to meet their required specifications and use. There are frameworks that were developed for specific industries as well as different regulatory compliance goals. They also come in varying degrees of complexity and scale. However, you will find that there is a large amount of overlap in general security concepts as each one evolves.
Examples of frameworks
COBIT
Control Objectives for Information and Related Technology (COBIT) is a framework developed in the mid-90s by ISACA, an independent organization of IT governance professionals. ISACA currently offers the well-known Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework for achieving compliance with Sarbanes-Oxley rules.
ISO 27000 Series
The ISO 27000 series was developed by the International Standards Organization. It provides a very broad information security framework that can be applied to all types and sizes of organizations. It can be thought of as the information security equivalent of the ISO 9000 quality standards for manufacturing, and even includes a similar certification process. It is broken up into different sub-standards based on their content. For example, ISO 27000 consists of an overview and vocabulary, while ISO 27001 defines the requirements for the program. ISO 27002, which evolved from the British standard BS7799, defines the operational steps necessary in an information security program.
There are many more standards and best practices documented in the ISO 27000 series. ISO 27799, for example, defines information security in healthcare, which could be useful for those companies requiring HIPAA compliance. New ISO 27000 standards are in the works to offer specific advice on cloud computing, storage security and digital evidence collection. ISO 27000 is broad and can be used for any industry, but the certification lends itself to cloud providers looking to demonstrate an active security program.
NIST SP 800 Series
The U.S. National Institute of Standards and Technology has been building an extensive collection of information security standards and best practices documentation. The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Although not specifically an information security framework, NIST SP 800-53 is a model that other frameworks have evolved from. U.S. government agencies use NIST SP 800-53 to comply with the requirements of Federal Information Processing Standard (FIPS) 200. Even though it is written for government agencies, the NIST framework can be applied in any other industry and should not be overlooked by companies looking to build an information security program.
The beauty of any of these frameworks is that there is overlap between them, so "crosswalks" can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section "Plan and Organize"; Sarbanes-Oxley defines it as "Internal Environment"; HIPAA defines it as "Assigned Security Responsibility"; and PCI DSS defines it as "Maintain an Information Security Policy." By adopting a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few.
Advice and final thoughts
The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or the applicable compliance requirements could be deciding factors. Publicly traded companies will probably want to stick with COBIT in order to more readily comply with Sarbanes-Oxley. The ISO 27000 series is the magnum opus of information security frameworks, with applicability in any industry, although the implementation process is long and involved. It is best used where the company needs to market its information security capabilities through ISO 27000 certification. NIST SP 800-53 is the standard required of U.S. federal agencies, but it could also be used by any company to build a technology-specific information security plan. Any of them will help a security professional organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in health care information technology. He is an active independent author and presenter in the health care information technology and information security fields. He is frequently consulted by the media and interviewed on various health care information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.