Imagine you are going to build your dream house. You have an architect who will design the house to merge your wishes with building requirements. The general contractor will orchestrate and manage the various craftsmen that will implement the design and ensure adherence to local building codes. The interior designer will select the finishes and features that will be your primary interaction with the house. In this example, it’s essential that all these participants understand the design goals and agree on how the design is to be realized. If the plumber, electrician, and cabinet installer disagree on how the kitchen should be arranged and function, the result isn’t going to be pretty.
In the building industry, there are standards for blueprints and building requirements to help everyone communicate clearly and consistently. As long as everyone adheres to the established framework, different contractors can come in and do their specialized labor and the final house will match the original design.
The same principle applies in the cybersecurity industry. A cybersecurity framework provides a common language and set of standards for security experts to understand their security postures and those of their vendors. Once a framework is in place, it becomes easier to define the processes and procedures that an organization must have to assess, monitor, and mitigate cybersecurity risk. As you evaluate new technologies and vendors, a common cybersecurity framework allows you to foresee how well the integration process will go and how well the different approaches to security will mesh.
There are several different cybersecurity frameworks that are important to be aware of.
NIST
The National Institute of Standards and Technology (NIST) established the Cybersecurity Framework in 2014 in response to a presidential executive order which called for greater collaboration between the public and private sectors for identifying, assessing, and managing cyber risk. While compliance is voluntary for private companies (it is mandatory for federal agencies), NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.
The NIST Cybersecurity Framework defines five core functions:
- Identify: Understand the users, resources, and risks that make up the IT environment. Examples include risk assessments and asset management.
- Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services. Examples include identity management and employee training.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Examples include event monitoring and malware detection.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Examples include disaster response plans and communications.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Examples include reimaging and data restoration.
You can see how this framework covers major topics we’ve covered in previous blog posts. That isn’t a coincidence. NIST describes the benefits of the framework like this:
“By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives of organizations. Organizations also can readily use the Framework to communicate current or desired cybersecurity posture between a buyer or supplier.”
If you’d like more information on the NIST Cybersecurity Framework, visit the website here: https://www.nist.gov/cyberframework
Other frameworks include:
ISO 27001 & ISO 27002
The International Organization for Standardization (ISO) 27001 and 27002 certifications are considered the international standard for validating a cybersecurity program — internally and across third parties. With an ISO certification, companies can demonstrate that they have acceptable policies and safeguards in place to manage cyber risk. If a hardware or software vendor is ISO 27001/2 certified, it’s a good indicator that they have mature cybersecurity practices and controls in place. While most smaller businesses won’t need certification themselves, it is a useful tool to use during vendor selection.
SOC2
Service Organization Control (SOC) Type 2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants to help verify that vendors and partners are securely managing client data. SOC2 specifies more than 60 compliance requirements and extensive auditing processes for third-party systems and controls. Because of its comprehensiveness, SOC2 is one of the toughest frameworks to implement – audits can take a year to complete.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a cybersecurity framework that requires healthcare organizations to implement controls for securing and protecting the privacy of electronic health information. In addition to demonstrating compliance with best practices, companies must also conduct risk assessments to identify and manage emerging risks.
GDPR
The General Data Protection Regulation (GDPR) was adopted in 2016 to strengthen data protection procedures and practices for citizens of the European Union (EU). The GDPR impacts any business that collects and stores the private data of EU citizens — including U.S. businesses. The framework includes a company’s compliance responsibilities regarding a consumer’s data access rights, data protection policies and procedures, data breach notification requirements, and more. Fines for non-compliance are high: up to €20,000,000 or 4% of global revenue, and the EU is not shy about enforcing them.
What It All Means to You
Whether you like it or not, cybersecurity frameworks are going to be a standard part of your business moving forward. In response to rising cybercrime rates, more industries are creating customized frameworks and requiring compliance with them. As we discussed in last month’s blog post, insurance companies are also requiring cyber frameworks in order to get coverage, and the less compliant you are, the higher your insurance rates (up to the point where your company is uninsurable). This isn’t something your business can afford to ignore.
Clare Computer Solutions can help. We’ll review the most common frameworks and what they entail. Then we’ll discuss some of the security solutions you can implement that address key requirements of these frameworks, such as multi-factor authentication, disaster recovery, and data security. Once you have that overview, it’s time to start the assessment process and craft a customized security framework that addresses both the unique needs of your business and the standard requirements of the various cybersecurity frameworks that apply to your business. You can do this yourself, or Clare Computer Solutions can help out. One way or the other, your business can’t afford not to do it.