So What Is A Security Framework Anyway?
A security framework is the basic “blueprint” for building an information security program to manage risk. The good news is that no one needs to do this from scratch. The most mature and commonly used frameworks are the U.S. National Institute of Standards and Technology (NIST) framework, Control Objectives for Information and Related Technology (COBIT) and International Standards Organization (ISO) 27000. So that no one gets stuck in committee trying to decide which framework is best: all three increasingly overlap and seem to be converging with each revision, particularly NIST and ISO, on core elements such as asset inventory, security policy and a patching program. Consequently, some organizations have gone as far as mapping their security program to multiple frameworks for audiences where the distinction still matters. Case in point, Workday, a cloud-based HR and finance application company, refers to multiple security frameworks on its website.
Historically, many publicly traded companies that have needed to comply with Sarbanes-Oxley have utilized COBIT 5. ISO has been popular among multinational companies. NIST is often used by organizations either working with the U.S. government or subject to federal regulation (HIPAA, FISMA, etc.). Under the “hood” of each framework, there are remarkable similarities. Full disclosure: it takes time and resources to fully embrace any of these frameworks. To get started, some companies have been successful using the SANS Top 20 Critical Security Controls as their security framework. Although the SANS Top 20 is a subset of the larger frameworks, it aligns nicely with NIST, ISO and COBIT 5; asset inventory is and always will be foundational. Consequently, there is no re-work when the company is mature enough to fully adopt a more comprehensive framework.
So How Does A Security Framework Help?
Adhering to a security framework is like sticking to a map on a long trip in unfamiliar territory. It guides the overall security program by prioritizing resources in a disciplined way based on risk. In the absence of a framework, organizations become trapped in a never-ending game of security incident “whack-a-mole,” or they allow regulatory compliance deadlines to rule the day. It should be noted here that compliance is not security. HIPAA and SOX are laws, not frameworks. Any parent of a teenage driver can explain the difference between having a driver’s license and being a safe driver. PCI-DSS is neither a law nor a framework; it is an industry standard. Target and Home Depot were PCI compliant on the day they were hacked. “Check box” compliance only creates the illusion of security.
Instead of reactive fire fighting or settling for check-box compliance as a surrogate for real security, organizations should focus on security frameworks to provide structure, clarity, direction and metrics; in a word, hope. Steve Jobs once said, “You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.” A security framework allows an organization to adopt the collective “clean thinking” of all past contributors. Finally, expect your vendors to adhere to a security framework as well. Their risks are your risks; just ask Target.
Choose or Recommit To A Security Framework
Zig Ziglar said, “If you aim at nothing, you will hit it every time.” Adopting and operationalizing a security framework like NIST, COBIT or ISO is crucial for organizations to keep their focus on the real prize. If these frameworks seem overwhelming, the SANS Top 20 is a realistic place to start. Fire fighting security incidents is a Band-Aid and compliance checklists are a fact of life, but not an end game. Organizations that select and remain genuinely committed to a security framework over the long-term have the best chance of managing and reducing their IT security risks.
Chief Information Security Officer
University of Miami Medical Center