These days information security is on the minds of virtually all technology professionals and business executives alike. But how does an organization ensure that its security profile is adequate? It can certainly help to subscribe to a security framework.
What is a security framework, and which should I consider for my organization? A security framework can simply be described as a collection of policies, standards, procedures, controls, tools, and/or guidelines that assist in furthering an organization’s security composition. Which one is right for your organization is a harder question to answer. Let’s look at a few of the more prevalent frameworks.
COBIT, first released in 1996, has been applied across a wide range of industries – to generally improve the effectiveness of IT. COBIT 5, published in 2012, has components that specifically address IT governance, risk management, information security, regulatory compliance, and audit assurance. COBIT has been a popular choice for publicly traded companies required to comply with the Sarbanes-Oxley Act of 2002.
The ISO 27000 series, published in 2013, also provides a very broad information security framework that can be applied to organizations of all types and sizes. By many reports, ISO 27000 is currently the fastest-growing security standard in use, measured by the number of certifications obtained by organizations and consultants.
The NIST Cybersecurity Framework is the result of a February 2013 Executive Order by President Barack Obama titled “Improving Critical Infrastructure Cybersecurity”. NIST is an agency of the United States Department of Commerce, and its framework represents 10 months of collaboration with more than 3,000 security professionals. Like many frameworks, it is composed of leading practices from various standards bodies that have proved successful when implemented. NIST can generally be applied across industries, and much has been written about its applicability to healthcare and financial services. It is, of course, widely used by government agencies.
HITRUST CSF, released in 2009, was developed with healthcare and information security professionals and is the first security framework targeted specifically at healthcare information. The framework leverages existing, globally recognized standards, including HIPAA, ISO, NIST, and COBIT. Subscription to the framework includes a very interesting tool, called MyCSF, which provides very prescriptive requirements based on the size and type of healthcare organization. The tool also facilitates both a self-assessment and an assessment validated by a certified assessor or auditor.
While this writing does not attempt to be exhaustive with regard to identifying available frameworks, hopefully it provides some useful insights into the benefits of frameworks in general – to help an organization manage its information security program.