By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Building an effective information security program is a journey. For some organizations, that journey may be headed into uncharted territory. Fortunately, cybersecurity professionals don’t need to wander aimlessly through this process – and they shouldn’t. There are several cybersecurity frameworks available to help guide you on your way.
Choosing a Cybersecurity Framework
An effective cybersecurity framework will contain a series of processes and objectives that you can use to help define your policies and procedures around information security. It will also guide your implementation of controls and inform the management, measurement, and monitoring of your information security program. The framework will have been developed by a consortium of technology professionals and be subject to regular review and updates.
Some of the best examples include the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and the Center for Internet Security’s CIS Critical Security Controls. If you’re in healthcare and have a fairly mature security program, you can also consider the HITRUST Alliance’s Cyber Security Framework (HITRUST CSF®), but if you’re just starting out, NIST or CIS are better starting points.
The frameworks each have their own origins and objectives.
- NIST CSF was developed as a voluntary program to help private sector organizations protect our nation’s critical infrastructure and key resources (CIKR) and is currently in its second iteration (version 1.1).
- CIS Controls found their origins in the SANS Institute and were originally promoted as the 20 critical cybersecurity controls. In May 2021, CIS released version 8, which realigned some of the structure and reduced the number of controls to 18.
- HITRUST CSF was developed specifically for healthcare organizations and is an amalgamation of several frameworks and regulatory requirements regarding security and privacy applicable to that industry.
Despite their different origins, each of these frameworks takes a holistic view of cybersecurity and would serve any organization well as the basis for its information security program.
You may have noticed that I have not mentioned PCI-DSS, HIPAA, or the many other acronyms with which we must comply. While each of those requires many specific cybersecurity controls to be implemented, they are not really frameworks in the context of this discussion. They were each developed for a specific purpose. Full compliance will likely improve your environment, but compliance does not equal security. These requirements should not be the basis of your security program; they should be considered in conjunction with it.
While reviewing frameworks to decide which will work best for your organization, it may be tempting to treat them as à la carte menus from which you can pick and choose items to build your own framework. Resist that temptation. Creating a custom framework opens the risk of leaving gaps in your program. Should there be an incident, and it is your framework that fails, you may feel the full brunt of the repercussions. If you really need a blend of frameworks, take one in its entirety and supplement that with controls from other frameworks. You can also supplement the framework with specific requirements (such as those from PCI-DSS) as needed.
Building Out Your Plan
Choosing a framework is just the first step. You need to bring the framework to your executive team. Taking your information security program to the next level will require buy-in from the top. Your executives will need to understand your chosen framework and agree on the course forward.
Now that you know where you are headed, it’s time to understand your starting point. Use your chosen framework as the basis for a gap analysis. This analysis can be performed internally, but it is often more efficient and effective to have a trusted partner complete the legwork and provide an unbiased third-party opinion.
Use the results of your gap analysis to build out your 1-, 3-, and 5-year plans. Tackle the low-hanging fruit first to show some quick, cost-effective wins and build up momentum. If you get bogged down in day-to-day activities, consider using a partner like cStor to help you accomplish your goals. It is important to keep your momentum as your program moves towards the goal of framework compliance.
As you progress on your journey, don’t forget to track your progress and report that back to your executive team regularly. They agreed with your framework and will want to know you are moving forward. They can also provide much-needed help removing roadblocks if forward progress stalls.