Cybersecurity is a top concern for businesses today, with data breaches and malware posing increasingly common threats to the sensitive information organizations hold. Addressing these risks is a priority for IT organizations, and doing so effectively requires a framework to work within. That a framework is needed is not in question; which framework works best for a given organization is something to decide with care.
Benefits of Cybersecurity Frameworks
Organizations have compliance requirements for cybersecurity, including risk assessments that reveal under-addressed risks and help them develop mitigation plans. A cybersecurity framework can be used to unify the efforts to meet these requirements. Organizations can use a framework to determine their current cybersecurity capabilities, set target goals and create a plan to reach them.
Cybersecurity frameworks can be tailored to an organization’s size, complexity and cybersecurity risk profile. This customization lets an organization narrow its focus to its own needs, resources and tolerance for risk. At its foundation, a framework identifies missing cybersecurity controls, from monitoring for and detecting anomalies to defining the actions that support timely recovery from business interruptions. Furthermore, a framework matures existing controls so they work to their full potential.
Types of Frameworks
There are questions an IT organization must ask when determining which framework to use. Does it want to give senior management a checklist of compliance results or a report on the maturity of the organization’s controls? How does it want the maturity levels or benchmarks assessed? Maturity-based frameworks describe a progression from informal, ad hoc practices to measured and continuously improving ones, and the level reached indicates how well risk-informed decisions are being managed. The decision to report on compliance or on maturity will drive the overall cybersecurity audit plan.
In assessing the various frameworks, the IT organization should use a risk-based approach to determine its information security scope. Not every requirement or assessment factor may be applicable for the organization. Current risk management practices, the threat landscape, legal and regulatory requirements and organizational challenges should play a part in the assessment.
Frameworks can be customized to solve specific problems; some were developed for specific industries and others for particular regulatory compliance goals. They also come in varying degrees of complexity and scale. When developing the scope, management should document anything that is out of scope so the IT organization can justify its approach to senior management and other stakeholders. This practice helps ensure that audit coverage is complete and right for the organization.
(Figure: Framework Comparison Sheet, Brown Smith Wallace LLP)
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a set of control objectives that create a common language for cybersecurity. NIST also develops technology standards and guidance for federal agencies, but the CSF itself is voluntary and was written for a broad range of public and private sector organizations. Organizations adopt it to determine their current level of cybersecurity, set goals that fit their business environment and establish a plan for improving or maintaining those objectives.
The NIST CSF organizes controls around five core functions: identify, protect, detect, respond and recover. Because it is meant to be a consensus set of guidelines that draws on several existing standards, it is comprehensive, and implementing it in whole takes significant effort for a company of any size. The results are correspondingly broad: the outcome is an organization-wide picture of capability rather than a narrow, prescriptive list of tasks.
CIS Top 20
The Center for Internet Security (CIS) publishes cybersecurity best practices that apply across all industries, and the CIS Top 20 (now simply the CIS Controls; version 8, released in 2021, consolidated the list to 18 controls) is a framework of prioritized, prescriptive actions to improve your security posture. The controls have the benefit of being prioritized and relevant, and they are updated regularly to keep pace with evolving threats. The framework focuses on technical safeguards such as asset inventory, secure configuration, vulnerability management and access control, and it yields actionable items.
One of its biggest strengths is that it maps to other frameworks and compliance requirements; the CIS Controls can be used alongside the NIST CSF to turn the CSF’s outcomes into a specific action plan. However, the CIS Controls are not as comprehensive as other frameworks and work best when mapped onto a larger one.
HITRUST CSF
HITRUST was born from the need to align various health care compliance requirements. Its Common Security Framework (CSF) centralizes requirements from HIPAA, HITECH and other state and federal health care regulations. Since its inception, HITRUST has continued to mature and to borrow common cybersecurity controls from other frameworks and compliance requirements, and as a result organizations beyond the health care industry have adopted the HITRUST CSF. Where the HITRUST CSF differentiates itself is that it is prescriptive in nature, unlike the NIST CSF. Unlike most frameworks, it is governed by a for-profit organization, the HITRUST Alliance. The framework also measures control maturity, from an informal process all the way to a repeatable and measured process.
For organizations seeking HITRUST certification, the road to compliance can be long. An organization must register with the HITRUST Alliance to begin, and for many the cost of certification is a significant investment, whether the organization performs a self-assessment or engages an external assessor for a validated assessment. Implementing all 75 controls can also be challenging depending on the organization’s size and complexity.
Whether you need to protect credit card payment data, ACH data, protected health information or other customer data, you will likely run into compliance requirements. Beyond those requirements, organizations increasingly expect more security from their business partners and vendors. If this sounds familiar, adopting a cybersecurity framework will help align your security objectives with both compliance and vendor requirements. Frameworks can be challenging to navigate, so consider engaging a service provider or consultant to help align and implement the framework in your organization.