Selecting a Security Framework.
Posted on 19/05/20 in
Insights
Here is the second instalment from Abhishek Vyas in our Security series, introducing some of the industry frameworks that are available for organisations to adopt.
If you would like to know more please do get in touch with us.
Security frameworks can play a vital role in executing a security strategy, and in many cases tend to actually underpin them. They provide business context, a common language, and cover a range of security domains that span the organisation.
Advantages of choosing an industry framework include:
- Already well documented and making it easier to adopt
- Consultancies are available to assist in business integration
- Many have certifications associated to them
- Updated in line with Industry trends and best practice
- Adherence can be demonstrated to suppliers and customers
Implementing any framework requires the business to invest resource, time and effort.
- Which framework is likely to be successful for our organisation?
- What cultural changes need to be made for the adoption to be successful?
- Are there any in-house skills that can be leveraged?
- Does it cover all the of business activities?
- How does it interact with the organisations processes and services?
- How much tailoring of the framework is required for my organisation?
Frameworks
There are a number of framework choices available each of which needs to be assessed organisation by organisation to understand the “fit”. ISO27001 (International Organisation of Standardisation)
This involves the implementation requirements that form the Information Security Management System (ISMS) and requires independent external audit for recertification. It has a best practice approach, addressing people, process and technology.
For more guidance, the below article has an implementation guide
https://www.itgovernance.co.uk/blog/iso-27001-checklist-a-step-by-step-guide-to-implementation
NIST (National Institute of Standards and Technologies) Cyber Security Framework
This is focussed on security controls, categorising them into Identify, Protect, Detect, Respond and Recover. The framework encompasses security standards, guidelines and practices. It doesn’t require any external audits.
NIST have published extensive guidance on the framework
https://www.nist.gov/cyberframework COBIT (Control Objectives for Information and Related Technology)
This framework identifies five key process areas — Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). It stripes security requirements across the IT governance and can be integrated both into ISO27001 and the NIST Cybersecurity Framework. It also aligns with ITIL.
More information on COBIT can be found here
https://www.isaca.org/resources/cobit
Framework considerations
The framework needs to be able to cover all the business activities and technologies that are in scope, and where needed should be augmented with specific compliance standards.
Examples include
- PCI DSS (Payment Card Industry Data Security Standard)
- HIPAA (Health Insurance Portability and Accountability Act)
- SOX (Sarbanes-Oxley)
The Cloud
Where it comes to the “Cloud”, the shared responsibility model becomes critical in understanding where the Cloud providers responsibility starts and ends. They are often certified with accreditations and compliance standards. It is also common for them to use industry standard frameworks (like the ones mentioned) and provide audit reports.
Ultimately, data is always the responsibility of the customer, checking contracts for liabilities is advisable.
AWS — https://aws.amazon.com/compliance/shared-responsibility-model/
Azure — https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
GCP — https://cloud.google.com/security/overview
Broadly speaking, the cloud platform provides the capabilities, it is up to the customer to configure them in a secure manner, and be satisfied on how their data is protected, continuous assurance activities e.g. monthly penetration tests, posture management etc can help with the on-going efforts.
The adoption of any framework has to ultimately ensure that it will deliver the business requirement, ensuring that it can support your overall governance and better protect your business.