Running a security program can be an overwhelming task. There are so many factors to consider including: encryption, application security, disaster recovery and let’s not forget adherence to compliance mandates such HIPAA and PCI DSS . How then do security professionals prioritize and maintain their efforts to build the most effective security program for their business?That’s where an IT security framework comes in.
What is an IT Security Framework?
A security framework is a comprehensive strategy for going toe-to-toe with potential threats while keeping data secure. It is a tool that provides methodology and a calculated process for assessing risk to determine where resources need to go to protect the information systems within an organization.
Examples of IT Security Frameworks
While there is a plethora of security frameworks out there, this blog aims to highlight the most common frameworks leveraged today including:
Created by the federal government, this voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
ISO 27001 ISMS
The ISO/IEC 27000 is a key international information security standard aimed to help organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
There are more than a dozen standards in the 27000 family, you can see them here.
What is an ISMS?
According to ISO, An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process
The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. The Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace
A complete overview of the top 20 controls can be found here.
Choosing the Right Security Framework to Fit Your Business
A structured approach to selecting a security framework starts with understanding the security requirements and risks that are unique to your business and your industry. Many industries including healthcare, government, education and financial have industry specific security compliance regulations they must adhere to.
If your organization is not bound by any industry specific mandates pick a framework and ride it. Ensure you educate yourself on the entire framework, but don’t overwhelm your organization and try to tackle every control at once. Pick the pieces that you will have quick wins… in other words pick a control in which you can obtain quickly and start there.
Katie McCullough, Chief Information Security Officer at OneNeck, suggests that CIS top 20 is a great place to start. “As noted by the CIS, its top 20 is relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state.” McCullough. “CIS Controls 1 through 6 are essential to success and should be considered among the very first things to be done. We refer to these as “Cyber Hygiene” – the basic things that you must do to create a strong foundation for your defense.”
Don’t go at it alone
OneNeck, is here to help you address the broad scope of security and compliance needs that today’s businesses face. We have a depth of experience in assisting our customers with their security needs, and our team is made up of security experts who stay current on the emerging threats so you don’t have to.
Understanding your security gaps is key to addressing regulatory obligations and protecting your organization from breach. We can help by conducting assessments designed to identify vulnerabilities in your IT systems and gaps in your security program, followed by a thorough gap analysis that will leave you with a roadmap to remediation and compliance.
OneNeck Security Assessment and Strategy services include:
- Cybersecurity Assessment
- Framework assessment & implementation
- Policies & Standards Penetration Testing
- Vulnerability Management
Contact us to learn more .
Topic: NIST framework cybersecurity