The challenges of running an information security program can be overwhelming with so many areas to address --...
from encryption, to application security to disaster recovery. The complication of compliance with regulatory requirements such as HIPAA, PCI DSS and Sarbanes-Oxley, to name a few, adds to the mix. How should security professionals organize and prioritize their efforts in order to build and maintain an information security program?
This is where IT security frameworks and standards can be helpful. To help manage the process, let's delve into what an information security framework is and discuss a few of the more popular frameworks and how they are used.
What is an IT security framework?
An IT security framework is a series of documented processes used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. These frameworks are basically a blueprint for building an information security program to manage risk and reduce vulnerabilities. Information security pros can utilize these frameworks to define and prioritize the tasks required to build security into an organization.
Frameworks are often customized to solve specific information security problems, just like building blueprints are customized to meet their required specifications and use. Some frameworks were developed for specific industries, as well as different regulatory compliance goals. They also come in varying degrees of complexity and scale. You will find that there is a large amount of overlap in these frameworks in terms of general security concepts as each evolves.
Examples of IT security frameworks
Control Objectives for Information and Related Technology (COBIT) is a framework developed in the mid-90s by ISACA, an independent organization of IT governance professionals. ISACA currently offers the well-known Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.
ISO 27000 series
The ISO 27000 series was developed by the International Standards Organization. It provides a very broad information security framework that can be applied to all types and sizes of organizations. It can be thought of as the information security equivalent of ISO 9000 quality standards for manufacturing, and even includes a similar certification process. It is broken up into different substandards based on the content. For example, ISO 27000 consists of an overview and vocabulary, while ISO 27001 defines the requirements for the program. ISO 27002, which was evolved from the British standard BS 7799, defines the operational steps necessary in an information security program.
Many more standards and best practices are documented in the ISO 27000 series. ISO 27799, for example, defines information security in healthcare, which could be useful for those companies requiring HIPAA compliance. New ISO 27000 standards are in the works to offer specific advice on cloud computing, storage security and digital evidence collection. ISO 27000 is broad and can be used for any industry, but the certification lends itself to cloud providers looking to demonstrate an active security program.
NIST Special Publication 800-53
The U.S. National Institute of Standards and Technology (NIST) has been building an extensive collection of information security standards and best practices documentation. The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Although not specifically an information security framework, other frameworks have evolved from the NIST SP 800-53 model. U.S. government agencies utilize NIST SP 800-53 to comply with the Federal Information Processing Standards' (FIPS) 200 requirements. Even though it is specific to government agencies, the NIST framework could be applied in any other industry and should not be overlooked by companies looking to build an information security program.
NIST Special Publication 800-171
NIST SP 800-171 has gained in popularity in recent years due to the requirements set by the U.S. Department of Defense that mandated contractor compliance with the security framework by December 2017. Cyberattacks are occurring throughout the supply chain, and government contractors will find their systems and intellectual property a frequent target used to gain access into federal information systems. For the first time, manufacturers and their subcontractors now have to implement an IT security framework in order to bid on new business opportunities.
NIST SP 800-171 was a good choice for this requirement as the framework applies to smaller organizations as well. It is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations, which aligns well with manufacturing or other industries not dealing with information systems or bound by other types of compliance. It may not be a good fit by itself for industries dealing with more sensitive information such as credit cards or Social Security data, but it is freely available and allows for the organization to self-certify using readily available documentation from NIST.
The controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53, but they are less detailed and more generalized. It is still possible to build a crosswalk between the two standards if an organization has to show compliance with NIST SP 800-53 using NIST SP 800-171 as the base. This allows a level of flexibility for smaller organizations that may grow over time as they need to show compliance with the additional controls included in NIST SP 800-53.
NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity
The NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity is yet another framework option from NIST. It was recently developed under Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity" that was released in February 2013. This standard is different in that it was specifically developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries have all found themselves targeted by nation-state actors due to their strategic importance to the U.S. and must maintain a higher level of preparedness.
The NIST Cybersecurity Framework differs from the other NIST frameworks in that it focuses on risk analysis and risk management. The security controls included in this framework are based on the defined phases of risk management: identify, protect, detect, respond and recovery. These phases include the involvement of management, which is key to the success of any information security program. This structured process allows the NIST Cybersecurity Framework to be useful to a wider set of organizations with varying types of security requirements.
CIS Controls (formerly the SANS Top 20)
The CIS Controls exist on the opposite spectrum from the NIST Cybersecurity Framework. This framework is a long listing of technical controls and best practice configurations that can be applied to any environment. It does not address risk analysis or risk management like the NIST Cybersecurity Framework, and is solely focused on hardening technical infrastructure to reduce risk and increase resiliency.
The CIS Controls are a welcome addition to the growing list of security frameworks because they provide direct operational advice. Information security frameworks can sometimes get caught up on the risk analysis treadmill but don't reduce overall organizational risk. The CIS Controls pair well with these existing risk management frameworks to help remediate identified risks. They are also a highly useful resource in IT departments that lack technical information security experience.
It is well known that the HITECH/HIPAA Security Rule has not been successful in preventing data breaches in healthcare. The original HIPAA compliance requirements were written in 1996 and set to apply to a broad set of technologies and organizations. More than 230 million people in the U.S. have had their data breached by a healthcare organization, according to the Department of Health and Human Services. The overly general requirements included HIPAA and the lack of operational direction as partly to blame for this situation. HITRUST CSF is attempting to pick up where HIPAA left off and improve security for healthcare providers and technology vendors. It combines requirements from almost every compliance regulation in existence, including the EU's GDPR. It includes both risk analysis and risk management frameworks, along with operational requirements to create a massive homogenous framework that could apply to almost any organization and not just those in healthcare.
HITRUST is a massive undertaking for any organization due to the heavy weighting given to documentation and processes. Many organizations end up scoping smaller areas of focus for HITRUST compliance as a result. The costs of obtaining and maintaining HITRUST certification adds to the level of effort required to adopt this framework as well. However, the fact that the certification is audited by a third party adds a level of validity similar to an ISO 27000 certification. Organizations that require this level of validation may be interested in the HITRUST CSF.
The beauty of any of these frameworks is that there is overlap between them so "crosswalks" can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section "Plan and Organize;" Sarbanes-Oxley defines it as "Internal Environment;" HIPAA defines it as "Assigned Security Responsibility;" and PCI DSS defines it as "Maintain an Information Security Policy." By using a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few.
IT security framework advice
The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements could be deciding factors. Publicly traded companies will probably want to stick with COBIT in order to more readily comply with Sarbanes-Oxley. The ISO 27000 series is the magnum opus of information security frameworks with applicability in any industry, although the implementation process is long and involved. It is best used, however, where the company needs to market information security capabilities through the ISO 27000 certification. NIST SP 800-53 is the standard required by U.S. federal agencies but could also be used by any company to build a technology-specific information security plan. The HITRUST CSF integrates well with healthcare software or hardware vendors looking to provide validation of the security of their products. Any of them will help a security professional organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.