COVID-19 has changed the cybersecurity world and the way we must protect our systems. Every system is critical to the person commissioned to protect it, but some businesses moved overnight from ordinary infrastructure to what the world now considers "critical infrastructure", and those systems need extra preventive measures. With ransomware spreading everywhere, disaster recovery alone is no longer good enough; we must maintain full cybersecurity protection and disaster prevention.
Our mission at Applied Technology Group is to help organizations implement cybersecurity solutions with the least impact on usability and budget. After years of research and practical experience, we've found that adopting industry-accepted frameworks and standards aligns IT and business processes and goals, and keeps the organization moving forward with an actionable and measurable plan. We have also found that no single framework fits every need or audience. IT staff need rules and concepts that apply to day-to-day practices and system management. Executives and the business need strategic goals and best practices that strengthen the overall security posture by improving risk management across the company. The following is a summary of commonly used information security frameworks, their target audience, and a brief description of each:
COBIT (Control Objectives for Information and Related Technologies):
Target audience: Management and Executives
COBIT is a framework developed and maintained by ISACA. Its guidance leans toward the management and governance objectives of a cybersecurity program. Scoring and implementation generally focus on identifying and managing risk and on formalizing policies, processes, and continuous improvement.
CIS CSC (Center for Internet Security Critical Security Controls):
Target audience: IT and Cybersecurity Operations
The CIS Controls originated as a prioritized list of the 20 most critical security controls an organization should put into practice to improve its security posture (version 8, released in 2021, consolidated the list to 18 controls and groups them into Implementation Groups IG1 through IG3 so that smaller organizations can start with a basic subset). The controls are written for operations personnel who want to deploy best practices in the systems they manage in order to enhance the cybersecurity posture of the organization.
NIST CSF (National Institute of Standards and Technology Cybersecurity Framework):
Target audience: All levels of the organization
The NIST CSF grew out of a 2013 presidential executive order (EO 13636) directing NIST to develop a voluntary framework for reducing cyber risk to critical infrastructure. The resulting document gives any organization a government-sanctioned, sector-neutral set of outcomes it can use to assess and improve its cybersecurity posture, and a later executive order (EO 13800, 2017) required federal agencies to use it to manage their own risk. For everyone else the framework is voluntary; the cybersecurity requirements that suppliers must meet to do business with the federal government generally come from other documents (for example NIST SP 800-171 for controlled unclassified information), which are cross-mapped to the CSF's categories.
Organizations we have worked with have found that implementing controls from a framework also satisfies many of the requirements in today's industry and government regulations and compliance obligations. While building security program development plans with customers, we often align each control with the compliance statements (or requirements) it satisfies, which eases compliance management and reporting duties. A framework also gives structure to protection work that would otherwise fall to IT personnel as ad hoc tasks, so that controls are planned, measurable, and consistently applied rather than improvised. These control-to-requirement mappings are often called "crosswalks" and are readily available on the Internet; for example, NIST publishes informative references for each CSF subcategory, and CIS publishes mappings from its controls to other standards.
The most crucial factor we have found for our clients is that they correctly identify risk and adopt a standard framework to set the pace for future activities. Any program will evolve and should adapt to the needs of the business; many organizations find value in assessing their security programs against one or more frameworks.
Interested in the CIS Critical Security Controls? Click here to visit the CIS website.
Interested in the ISACA COBIT framework? Click here to visit the ISACA website.
Interested in the NIST CSF? Click here to visit the NIST CSF website.
If you would like more information on getting a framework in place in your organization, please don’t hesitate to Contact Us.