Since 1995 I’ve connected a lot of computers to many networks. In the early days the functionality was simple: share some files on a server, run an application so that many users could update data, or print to a common, expensive printer.

As the years passed and the functions evolved, organizations that once worked without computers found themselves adopting technology to better serve their customers, then relying wholly on that technology to track their performance, finances and operations. In those same years the “criminal element” in our society found that there is tremendous value in the data that resides in those systems. So much so, that the keyboard is quickly replacing the crowbar as the tool of choice to commit a crime.

Your data is valuable and your systems are critical. My mission is to help organizations implement high-value security solutions with the least impact to usability and budget. After years of research and practical experience, I’ve found that adopting industry-accepted frameworks and standards gives IT and the business the alignment of processes and goals needed to keep the organization moving forward with an actionable and measurable plan. My experience has also shown that one framework doesn’t fit every need or audience. IT staff need rules and concepts that apply to day-to-day practices and system management. Executives and the business need strategic goals and best practices that strengthen the overall security posture by strengthening risk management practices across the business. The following is a summary of commonly used information security frameworks, their target audience and a brief description of each:

COBIT (Control Objectives for Business IT):
Target audience: Management and executives

COBIT is a framework developed and maintained by the ISACA organization. The guidelines trend towards the management and governance objectives of a cyber security program. Scoring and implementation are generally focused on identification and management of risk as well as formalization of policies, processes, and continuous improvement.

CIS CSC (Center for Internet Security Critical Security Controls):
Target audience: IT and security operations

The CIS CSC framework originated as a list of the top 20 critical security controls that should be implemented to realize an improved security posture. This list includes topics that are relevant to operations personnel who seek to deploy best practices in their systems to improve the security posture of the organization.

NIST CSF (National Institute of Science & Technology Cyber Security Framework):
Target audience: All levels of the organization

The NIST CSF was deployed as a result of a presidential executive order to supply a common set of guidelines for federal agencies to follow. The intent was to give all organizations a government-sanctioned document that sets a standard any organization could use to enhance its security posture. In many cases it is also used to derive standards that non-federal organizations must comply with if they want to do business with the federal government.

Organizations that I have worked with find that implementing controls using a framework is synonymous with achieving many of the requirements found in today’s industry and government regulations (and compliance requirements). While creating security program development plans with customers, we often align controls with compliance statements (or requirements) to ease the burden of compliance management and reporting duties. These mappings are often called “crosswalks” and are readily available from many resources on the Internet.

The most important factor that we have found for success with our clients is that they properly identify risk and deploy a standard framework to set the pace for future activities. Any program will evolve over time and should adapt to the needs of the business. Many organizations that I have worked with find that there is value in assessing their security programs against one or more frameworks. Your organization should review requirements, evaluate risks, and select the framework(s) that best meet the need.

Interested in the CIS Critical Security Controls?  Click here to visit the CIS website.

Interested in the ISACA COBIT framework?  Click here to visit the ISACA website.

Interested in the NIST CSF?  Click here to visit the NIST CSF website.

If you would like more information on getting a framework in place in your organization, please don’t hesitate to contact us.