What is a common security framework (CSF) and why is it important to your organization’s enterprise security?
A CSF (sometimes referred to as a Cybersecurity Framework) is a set of documented policies and controls that govern the implementation and ongoing management of an organization’s security. Think of it as a blueprint for security.
Many organizations are pursuing a common security framework to improve their overall security posture and frequently to aid in meeting the requirements of various compliance and/or regulatory measures.
There are a variety of frameworks in use today and we will look at a few in a minute. Choosing the right framework can be challenging with so many available options covering different priorities, vertical markets, and levels of complexity.
How common security frameworks differ from compliance measures
One point worth discussing is that CSFs and compliance measures, such as the Payment Card Industry Data Security Standard (PCI–DSS), are not the same. While PCI-DSS certainly has elements that describe security measures, it is not a common security framework. There are two primary differences:
- Limited Scope. The scope of many compliance measures is limited (PCI-DSS certainly falls into this category).
- Limited Models. These compliance models are not holistic in looking at security, as they only address measures that are specific to the objectives of that compliance framework (for example, PCI-DSS applies primarily to cardholder data).
Common security frameworks cover a wide area of security considerations across the entire enterprise and are generally not very specific with respect to technologies. For example, many CSFs will indicate that you must deploy Multi-Factor Authentication, but will not provide any opinion on which specific solutions you should evaluate or whether those solutions should be on premise, cloud–based, etc.
Examples of common security frameworks
Here are some of the more common examples of common security frameworks in use today. Please note that this list is from a U.S. perspective. That said, CSFs are generally more globally applicable than compliance, since they’re designed to provide a blueprint for overall security, not just to comply with local laws or regulatory measures.
- NIST Cybersecurity Framework and SP 800 series. Initially developed in 1990, NIST SP 800 series has matured into a well-respected and frequently used CSF. The series consists of several publications addressing specific issues within security. For example, SP800-50 addresses Building an Information Security Awareness and Training Program and SP800-52 covers Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. The most commonly referenced publication to support the Cybersecurity Framework is SP800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
Although the U.S. government developed it and most US government agencies are required to comply with it, the NIST 800 series has seen wide adoption globally by commercial organizations. Many other CSFs have started as offshoots from the NIST publication. It also provides compliance with Federal Information Processing Standard (FIPS) 200.
- ISO 27000 series. This CSF evolved from the British Standard framework (BS7799) that is popular due to the global recognition of ISO across a variety of standards, although the complexity and cost of pursuing ISO certification are sometimes deterrents. There are three basic guidelines within this standard:
– 27000 – Defines the overall terms and objectives of the framework
– 27001 – Defines the requirements and policies
– 27002 – Defines the operational steps necessary for compliance.
Additionally, there are additional standards available for organizations wishing to adopt them, such as ISO 27799 which relates to healthcare–specific concerns.
- SANS 20/CIS 20. This is a great framework that organizations frequently pursue when they want the most important areas of security covered, but don’t want to incur the expense and labor requirements required for a more exhaustive framework like NIST or ISO. As the name implies, this framework prescribes twenty key areas of focus for security.
- HITRUST. HITRUST was developed leveraging components from NIST, ISO, and others. It is specific to the Healthcare industry and is receiving wide adoption within that industry, particularly in the U.S.
- COBIT. Heavily utilized in the financial sector and by public companies, COBIT provides a security framework as well as individual certifications around IT, such as Certified Information System Auditor (CISA) and Certified Information Security Manager (CISM). This framework is frequently used to meet the security requirements of organizations that must comply with Sarbanes-Oxley (SOX).
How do organizations use common security frameworks?
In general, we see organizations leveraging CSFs in one or more of the following four ways:
- To improve overall security. Leveraging the CSF blueprint to ensure they address the most important aspects.
- As a competitive differentiator. Establishing a competitive advantage due to the greater focus on security and protection of their own and customer assets.
- To meet compliance and/or regulatory requirements. Often necessary in specific vertical industries like healthcare or financial.
- To free up budget and purchasing ability around security. Once a business decision has been made to pursue a CSF, the subsequent budget required to meet the CSF requirements is frequently easier to receive.
Logicalis: Your security frameworks expert
The three top questions I get from customers concerned about security are:
- Where do we start?
- Where should we focus?
- What should we do next?
To that end, Logicalis has developed a Security Maturity Guide that’s loosely based on the common security frameworks discussed here. Whether you want to improve your overall security posture, create a competitive advantage, comply with regulatory and other requirements, or need justification to pursue a security agenda for your organization, this easily executed model can narrow your pathway so you can achieve your business objectives.
The Logicalis Security Frameworks Workshop will help you work through the Security Maturity Guide with your key stakeholders, and help you select the security framework that best meets your needs. We’ll also conduct a gap analysis to help you understand what steps may be needed to meet the requirements of your chosen CSF and any remediation efforts necessary to address deficiencies.
Register for your complimentary Security Frameworks Workshop.
Ron Temske is Vice President of Security and Network Solutions, responsible for growing Logicalis’ security and network business both domestically and globally and helping our customers leverage security both as protection and as a business enabler.