Security Frameworks – Finding the framework that’s right for you.

There are many security frameworks, and selecting the right one might feel overwhelming, but this information will help. Whatever framework you select, it provides guidance for protecting the information security triad of confidentiality, integrity, and availability.

The first thing you should ask yourself is why. Why do I need a security framework? It's quite simple. For years, many organizations have followed the advice of "experts" or observed industry best practices when choosing how to prioritize and select the security controls they implement. As a result, these organizations lack a cohesive plan for evaluating security risk and translating it into business risk. As threats increase and become more sophisticated, they're left wondering whether they're doing the right things and investing wisely. The right security framework can help by organizing, systematizing, and in some cases dictating which policies, procedures, and controls should be implemented. Since organizations are all different, it's ideal to choose a framework that can be customized or adjusted to meet your specific needs.

The table below summarizes the available options by matching each framework to its target audience.

Framework | Target organization
NIST – National Institute of Standards & Technology | Multiple frameworks, each developed with a specific purpose in mind
CMMC - Cybersecurity Maturity Model Certification - https://www.dodcui.mil/CMMC/Cybersecurity-Maturity-Model-Certification/ | Contractors for the Department of Defense: organizations with Federal Contract Information (FCI) and organizations with Controlled Unclassified Information (CUI)
NIST Cybersecurity Framework - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1271.pdf | General framework that has many applications
NIST RMF - Risk Management Framework - https://csrc.nist.gov/Projects/risk-management/about-rmf | Organizations with a risk management program that needs more rigor and discipline
ISO/IEC 27001 - https://www.iso.org/standard/27001 | One of the best-known programs for establishing an information security management system (ISMS). If your company already uses ISO 9000, this is a strong fit.
PCI - https://www.pcisecuritystandards.org/ | Wide audience: any organization that processes or stores payment cards and data
CIS - https://www.cisecurity.org/ | Any organization that isn't subject to Government, Financial, or Personal Health Information (PHI) requirements; usually smaller and less complicated organizations
HIPAA - https://www.hhs.gov/hipaa/index.html | Any organization that processes and stores patient data, including business associates of those organizations

Here is a snapshot of our journey and how we made our decisions. Workgroup Technology Partners first adopted the NIST Risk Management Framework (SP 800-53) because we had HIPAA regulations we needed to follow. While working through the implementation process, we realized NIST was not the right framework for us because it was too complex and difficult to manage. We decided to stop and look for a different option.

We looked at other frameworks and concluded that the Center for Internet Security (CIS) offering was exactly what we were looking for. The implementation of CIS was easier because it is organized into three levels of implementation that consider the type of data that needs to be processed and stored. It also includes prescriptive assessment and policy documentation that facilitates quick adoption. The implementation of CIS was efficient and aligned with our business goals.

We are excited to share our story with you, and you will benefit from our experience and expertise. Here are two suggestions to get you started. First, consider your resources and regulatory requirements before making your decision. Second, narrow your selection down to a few options and rank them according to the implementation process, the ongoing management effort, and the level of compliance needed.
 
Workgroup Technology Partners wants to assist with your evaluation process and can streamline its implementation for you.

Staff