Selecting a Security Framework.

Posted on 19/05/20 in
Insights

Here is the second instalment from Abhishek Vyas in our Security series, introducing some of the industry frameworks that are available for organisations to adopt.

If you would like to know more please do get in touch with us.

Security frameworks can play a vital role in executing a security strategy, and in many cases tend to actually underpin them. They provide business context, a common language, and cover a range of security domains that span the organisation.

Advantages of choosing an industry framework include:

Implementing any framework requires the business to invest resource, time and effort.

Frameworks

There are a number of framework choices available, each of which needs to be assessed organisation by organisation to understand the “fit”.

ISO27001 (International Organisation for Standardisation)

This involves the implementation requirements that form the Information Security Management System (ISMS) and requires independent external audit for recertification. It has a best practice approach, addressing people, process and technology.

For more guidance, the article below provides a step-by-step implementation guide:

https://www.itgovernance.co.uk/blog/iso-27001-checklist-a-step-by-step-guide-to-implementation

NIST (National Institute of Standards and Technology) Cybersecurity Framework

This is focussed on security controls, categorising them into Identify, Protect, Detect, Respond and Recover. The framework encompasses security standards, guidelines and practices. It doesn’t require any external audits.

NIST has published extensive guidance on the framework:

https://www.nist.gov/cyberframework

COBIT (Control Objectives for Information and Related Technology)

This framework identifies five key process areas — Evaluate, Direct and Monitor (EDM); Align, Plan and Organise (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). It layers security requirements across IT governance as a whole and can be integrated with both ISO27001 and the NIST Cybersecurity Framework. It also aligns with ITIL.

More information on COBIT can be found here:

https://www.isaca.org/resources/cobit

Framework considerations

The framework needs to be able to cover all the business activities and technologies that are in scope, and where needed should be augmented with specific compliance standards.

Examples include

The Cloud

When it comes to the “Cloud”, the shared responsibility model becomes critical to understanding where the Cloud provider's responsibility starts and ends. Providers are often certified against accreditations and compliance standards. It is also common for them to adopt industry standard frameworks (such as the ones mentioned above) and to provide audit reports.

Ultimately, data is always the responsibility of the customer, so checking contracts for liabilities is advisable.

AWS — https://aws.amazon.com/compliance/shared-responsibility-model/

Azure — https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

GCP — https://cloud.google.com/security/overview

Broadly speaking, the cloud platform provides the capabilities; it is up to the customer to configure them in a secure manner and to be satisfied with how their data is protected. Continuous assurance activities (e.g. monthly penetration tests, posture management, etc.) can help with the ongoing effort.

The adoption of any framework has to ultimately ensure that it will deliver the business requirement, ensuring that it can support your overall governance and better protect your business.
