Recent cybersecurity statistics are alarming. Globally, attacks on IoT devices tripled in 2019, and more than $17,000 is lost every minute to phishing attacks. More disturbing still, 60 percent of breaches involved a vulnerability for which a patch was already available but had not been installed. This is why a cybersecurity program is essential to every organization, regardless of size or industry.
A critical consideration when building your security program is the cybersecurity framework that your organization chooses or is required to adhere to. In fact, some organizations must comply with multiple frameworks due to state, international, and industry-specific requirements. It can become confusing to know the framework(s) that are right for your business and how to manage them as part of a comprehensive cybersecurity program.
Here we answer the top questions we have heard from our clients over the years so you can be confident in your cybersecurity framework choices.
Q: What is a cybersecurity framework?
A: A cybersecurity framework is a structured set of security controls, or rules, that captures best practices for managing an organization’s cybersecurity risk. Adhering to one reduces your company’s exposure to a breach and gives you a consistent way to evaluate and measure how your overall cybersecurity program performs over time. A framework also guides you through a continual improvement process. Choosing a framework is a big decision and one that should not be taken lightly, as it will shape your program for years to come.
Q: Why is a cybersecurity framework important?
A: A cybersecurity framework gives your organization a way to assess the state of its cybersecurity posture, implement remediations that fulfill the controls, and prioritize those actions. Many industries, such as healthcare and financial services, require organizations to comply with specific frameworks, so in those sectors adherence is mandatory rather than optional.
Q: What are the most common cybersecurity frameworks?
A: The most commonly used cybersecurity frameworks include:
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)—A voluntary framework that helps organizations manage cybersecurity risk. Two related NIST publications are often confused with it: NIST SP 800-53 provides the catalog of security and privacy controls for U.S. federal information systems and organizations, and NIST SP 800-171 specifies requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems, which is mandatory for many Department of Defense contractors.
International Organization for Standardization / International Electrotechnical Commission ISO/IEC 27001—Specifies the requirements for an information security management system (ISMS), so organizations can systematically protect assets such as financial data and intellectual property. Its Annex A lists the reference controls an ISMS selects from.
Center for Internet Security (CIS) Critical Security Controls—A prioritized list of actions (20 controls in version 7, the version discussed below; version 8 consolidates them into 18) that organizations can take to improve their defense against the most common attacks.
Payment Card Industry Data Security Standard (PCI DSS)—An industry standard, not a law, that defines how credit and debit card data must be protected; it applies to any organization that stores, processes, or transmits that data.
SOC 2—One of the American Institute of CPAs (AICPA) System and Organization Controls reports. It is an attestation, issued by a CPA firm, against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy of customer data.
SOC for Cybersecurity—Another AICPA report, focused on the effectiveness of an entity-wide cybersecurity risk management program. These reports help you understand your organization’s cybersecurity efforts and how ready you are for an attack.
Health Insurance Portability and Accountability Act (HIPAA)—U.S. law regulating how healthcare organizations, and any business associate handling protected health information (PHI), must safeguard that data; the HIPAA Security Rule sets the administrative, physical, and technical safeguards required for electronic PHI.
Q: What should I consider when deciding which compliance framework will work for my organization?
A: There are many factors to consider when selecting a compliance framework for your organization. The four most important factors to look at are:
1) Business needs — In many cases, the industry in which you operate dictates a specific cybersecurity framework you must follow. If you process credit cards, you are subject to PCI DSS. A major customer may require a SOC 2 report. If you do work for the Department of Defense, you must comply with NIST SP 800-171, and possibly NIST SP 800-53, depending on the nature of the work. Whether or not a particular framework is mandated, we recommend adopting a core framework first and treating the mandated one as supplemental.
2) Granularity/scope — Some frameworks are incredibly intricate, others much less so. One of the most granular is NIST SP 800-53, sometimes called the “granddaddy of all frameworks,” with very specific controls across a wide array of topics. ISO 27001 (Annex A) has a more manageable scope, while SOC 2 has a very wide scope without specific measurables. Research this up front and decide the scope that fits your company. Generally speaking, CIS Controls v7 provides a solid middle ground, with some level of detail and a reasonable scope. Another option we highly recommend is the NIST CSF, which covers similar ground to CIS v7 but organizes it into five functions (Identify, Protect, Detect, Respond, Recover) broken into categories and subcategories, giving you a more structured way to report on the program.
3) Prescriptiveness — Very young cybersecurity programs can benefit from less prescriptive frameworks: the flexibility lets them make up ground toward fulfilling controls without getting mired in detail. Other organizations need more direction; they need to be told what to do and how to do it. The level of prescriptiveness your organization and industry demand should inform your choice. SOC 2 is one of the least prescriptive frameworks. CIS v7 is also on the less prescriptive side, leaving room for interpretation while still providing a solid foundation. The NIST CSF is a good middle ground, offering guidance and example actions for each subcategory without being rigid. PCI DSS contains a good level of detail on what must be accomplished to fulfill each requirement, and NIST SP 800-53 is the most prescriptive of the frameworks listed here.
4) Transferability — Not every framework cross-maps cleanly to other control sets. Sticking with well-known public standards is a good starting point, because their publishers and third parties maintain crosswalks between them (the NIST CSF, for example, lists informative references to other standards for each subcategory). Being able to look up the corresponding control in another framework, understand its goal, and judge whether your existing implementation fulfills it is very important. Keep in mind that a mapping shows related intent, not equivalence: a control you satisfy in one framework may only partially satisfy its counterpart, so treat a cross-mapped control as covered only once you have checked its specific requirements and evidence. If you need to comply with multiple frameworks and cross-map them, there are tools that can help (we address this in our final question).
Q: What is a zero trust framework?
A: As its name implies, a zero trust approach is one in which an organization trusts nothing automatically. Every device, account, and person, whether inside or outside the corporate network, is authenticated and authorized for each access to the company’s network and applications, based on identity, device health, and context rather than on network location. Zero trust therefore does not refer to a particular cybersecurity framework you can be certified against; it is an architectural approach (NIST SP 800-207 describes it) that aims to keep your company and data as secure as possible, and it can be pursued alongside any of the frameworks above. As attacks continue to increase, the zero trust approach is becoming more common and is one we highly recommend. You can never take cybersecurity too seriously.
Q: Are there tools to help with cybersecurity framework compliance?
A: Whether your organization needs to comply with one cybersecurity framework or several, managing the requirements can be a struggle, and failure to comply can result in hefty penalties, lost business, and reputational damage. Fortunately, tools exist that make compliance more efficient and easier to manage. The right tool lets you centralize your cybersecurity program, achieve compliance, and monitor progress toward implementing controls. The AlphaComply platform from Blue Team Alpha is the tool we use with our clients: you select the framework you want to conform to, then use the platform to design your program. It also supports compliance with multiple frameworks through Intelligent Framework Mapping, which makes it simple to map your SOC 2 controls to PCI DSS, or NIST CSF to GDPR. This feature is unique in the industry and saves an appreciable amount of time and energy. AlphaComply also allows you to create custom control sets to measure your security program and run reports against your various customer requirements or industry-specific needs, and to manage your tasks, audits, and risks. Supported frameworks include:
- NIST 800-171
- NIST 800-53
- NIST CSF
- HIPAA Privacy
- ISO 27001
- NYDFS 500 (23 NYCRR Part 500)
- PCI DSS
- SANS Top 20 (the former name of the CIS Critical Security Controls)
- SOC 2
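To make the cross-mapping described under Transferability and in the answer above concrete, here is a small added example. It is not AlphaComply's code or any vendor's; it takes a control crosswalk and the assessment results for one framework and reports which controls of a second framework are covered, partially covered, or gaps. The crosswalk, the target control list, and the implementation status are constructed for illustration: the NIST CSF and SP 800-53 identifiers are real, but the mapping between them is a sample, not the publisher's informative references.

```python
"""Cross-map an assessment against one framework onto another control set.

A crosswalk is a many-to-many relation from source controls (here NIST CSF
subcategories) to target controls (here NIST SP 800-53 control IDs). For
each target control the report says whether every mapped source control is
implemented ("covered"), only some are ("partial"), none are ("gap"), or
nothing maps to it at all ("unmapped"). Partial, gap and unmapped controls
are the ones an auditor for the second framework will ask about.
"""
from collections import defaultdict

# Constructed sample crosswalk: source control -> target controls.
# The IDs are real CSF v1.1 / SP 800-53 identifiers, but this mapping is
# illustrative only; use the framework publisher's crosswalk in practice.
CROSSWALK = {
    "PR.AC-1": ["AC-2", "IA-2", "IA-5"],   # identities and credentials managed
    "PR.AC-4": ["AC-2", "AC-6"],           # access permissions, least privilege
    "DE.CM-1": ["SI-4", "AU-12"],          # network monitored for events
    "RS.RP-1": ["IR-8"],                   # response plan executed
}

# Constructed target control list; CP-9 (system backup) is deliberately
# left out of the crosswalk to show how an unmapped control is reported.
TARGET_CONTROLS = ["AC-2", "AC-6", "IA-2", "IA-5", "SI-4", "AU-12", "IR-8", "CP-9"]

# Constructed assessment result for the source framework.
IMPLEMENTED = {"PR.AC-1": True, "PR.AC-4": False, "DE.CM-1": True, "RS.RP-1": True}


def invert(crosswalk):
    """Return target control -> sorted list of source controls mapping to it."""
    inv = defaultdict(set)
    for src, targets in crosswalk.items():
        for tgt in targets:
            inv[tgt].add(src)
    return {tgt: sorted(srcs) for tgt, srcs in inv.items()}


def assess(implemented, crosswalk, target_controls):
    """Return {target_control: (status, [mapped source controls])}.

    A target control is only "covered" when *all* source controls that map
    to it are implemented. A mapping is related intent, not equivalence, so
    even "covered" controls still need the target framework's own evidence.
    """
    inv = invert(crosswalk)
    report = {}
    for tgt in target_controls:
        sources = inv.get(tgt, [])
        if not sources:
            report[tgt] = ("unmapped", [])
            continue
        done = [s for s in sources if implemented.get(s, False)]
        if len(done) == len(sources):
            status = "covered"
        elif done:
            status = "partial"
        else:
            status = "gap"
        report[tgt] = (status, sources)
    return report


def gaps(report):
    """Target controls that need work before a second-framework audit."""
    return sorted(t for t, (status, _) in report.items()
                  if status in ("partial", "gap", "unmapped"))


def summary(report):
    """Count of target controls by status."""
    counts = {"covered": 0, "partial": 0, "gap": 0, "unmapped": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    report = assess(IMPLEMENTED, CROSSWALK, TARGET_CONTROLS)
    for tgt, (status, sources) in report.items():
        print(f"{tgt:6} {status:9} <- {', '.join(sources) or '(no mapping)'}")
    print("needs work:", gaps(report))
    print("summary:", summary(report))
```

With the sample data, AC-2 comes out partial because PR.AC-4 is not yet implemented, AC-6 is a gap for the same reason, and CP-9 is unmapped, which is exactly the list you would take into the second framework's audit. The conservative rule in `assess` (all mapped sources must be done) is deliberate: a crosswalk tells you where to look, not that the requirement is met.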
Compliance with the right cybersecurity framework is a critical step in securing your organization and its data against attack. Contact us if you have additional questions about security frameworks or your larger cybersecurity program.