Which Framework Fits Your Organization’s Goals?
February 26, 2018
25 min read
Cyber Security Framework
A cyber security framework lays the foundation for your entire program and is the most important foundational element to a comprehensive and robust security program.
The framework is responsible for two critical functions within a security program:
First, it organizes all the requirements that the cyber security program will be built on.
Then, it establishes all the hierarchical relationships between different documents and security program elements.
The framework essentially serves as the table of contents for a security program, often listing out the requirements an organization must adhere to regarding business requirements, state and federal regulations, best practices, industry requirements, and other requirements that may be specific to an organization.
It’s important to note the difference between the “security framework” that we’re talking about here, and different frameworks of best practice approaches.
Best practice approaches such as NIST and ISO — which we’ll explore in more detail below — provide a set of requirements that an organization can adhere to, but not all these requirements will necessarily apply to a given organization.
The security framework that we talk about building can be considered more like a framework of frameworks, which includes all the requirements that apply to an organization, often by aggregating from these best practice approaches, business requirements, state and federal regulations, and other sources.
Best Practice Security Frameworks
Some of the most common sources of requirements for security frameworks comes from different best practice approaches.
These best practice guides give organizations strong lists of requirements from which they can derive their organizational framework to align with these practices. Some of the most popular guides include ISO 27001, the CISO Top 20, and NIST 800-53.
Unfortunately, many of these guides operate in isolation from each other.
This means that the organization must determine whether they need one or multiple best practice frameworks to address their needs.
The problem with these best practice frameworks is that It often takes expert-level knowledge to determine what framework(s) are applicable for an organization, but this knowledge may not always be available within each organization.
Many of these best practice approaches also center on risk management, which may not always be the best way to build a cyber security framework.
Cyber Security Regulations
Some regulations are essentially the same as the best practice frameworks but are instead derived from state and federal laws.
These regulations vary based on the locations in which an organization does business or the types of information they manage, store, or process.
Since some of these regulations are general laws, they’re often centered on compliance, rather than holistic.
These regulations often require both security and legal expertise to interpret the regulations to use them effectively in developing a cyber security policy framework.
The Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS is an example of an industry-specific regulation formed in 2004 by leading credit card companies.
It applies to any organization that stores, processes, or manages credit card information.
The PCI DSS establishes a solid suite of requirements an organization can use to establish a security policy framework, but it focuses primarily on securing credit and debit card transactions, as well as any associated information.
If your organization maintains multiple types of data, however, such as a medical clinic that processes co-payments, the PCI DSS isn’t enough to establish a comprehensive set of requirements for your program’s framework.
Cyber Security Certification Organizations
Certification organizations also provide a set of requirements an organization must meet to receive a certification from the assessing organization.
The ISO27001 and the HiTrust certification — which is heavily focused on the healthcare industry — are some of the most common certifications in cyber security.
Organizations that are looking for certification should use the corresponding set of requirements explicitly in their own security policy frameworks to make sure that they have the best path to certification.
Although these certifications are important, there is no empirical research that shows these certifications reduce the threat or impact of a cyber attack.
Unified Compliance Framework
A unified compliance framework can help your organization establish all the global requirements your organization has to use with their best practice frameworks and regulations.
This compliance framework also aggregates all the requirements and regulatory statements across multiple documents into a primary policy or standard statement.
As its name implies, this type of framework takes a compliance-centric approach. It’s also comprehensive and flexible so the organization can choose the requirements that they want to include in their policies.
Building an effective and cohesive security program is impossible without a framework that’s tailored to your company’s goals. The most effective frameworks don’t always fall into a single category, but take applicable portions of best practice frameworks, regulatory requirements, and others.
If you’re ready to start building a framework without all the confusion, learn more about CISOSHARE’s cyber security solution to get started.