With limited technical resources, budget constraints, and a constantly changing threat landscape, it is understandable why many small and mid-sized businesses (SMBs) continue to struggle with information security. Add the challenges of managing regulatory compliance such as PCI DSS, HIPPA, GDPR, and the disruption created by the COVID-19 pandemic, and it’s easy to understand that SMBs are facing a time of unprecedented change.
Implementing and managing an information security program can be complicated and confusing. How can business owners and those tasked with managing security get started organizing and prioritizing what needs to be done? Selecting an information security framework to follow is an excellent place to start.
What is a Security Framework?
A security framework is a formal structured approach that defines how information is managed to protect data and reduce risk. Frameworks provide documented policies, controls, processes, procedures to help the organization manage risk. The frameworks describe “what” an organization will do to manage security risks. These frameworks can be thought of as blueprint or a roadmap.
In a session at the RSA 2019 conference, Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, presented How to make sense of cybersecurity frameworks. He explained that frameworks can be separated into three categories: Program frameworks, Control frameworks, and Risk frameworks. A summary of the presentation is available in the article How to choose the right cybersecurity framework.
The three types of security frameworks Kim explained:
- Assess the state of the overall security program
- Build a comprehensive security program
- Measure maturity and conduct industry comparisons
- Simplify communications with business leaders
- Identify a baseline set of controls
- Assess the state of technical capabilities
- Prioritize the implementation of controls
- Develop an initial roadmap for the security team
- Define key process steps for assessing and managing risk
- Structure the risk management program
- Identify, measure, and quantify risk
- Prioritize security activities
Program and Control frameworks can be used together to manage the overall security program. Control frameworks contain a catalog of controls an organization can implement to ensure the organization complies with specific regulatory requirements. If the organization needs to comply with multiple regulatory requirements, then they would use multiple control frameworks. Risk frameworks help organizations identify, quantify, and measure risk to prioritize risk.
It is estimated over 200 security frameworks are in use across the globe. Only a handful of these frameworks have been widely adopted. Some frameworks were developed for specific industries or to satisfy individual regulatory compliance requirements. The frameworks can vary significantly in complexity and scale, with some frameworks requiring extensive documentation, long implementation timelines, and large budgets (and teams) to achieve and maintain certification.
Some frameworks are also considered a standard or regulation, adding to the confusion.
How do you select a Security Framework?
Given the number of frameworks that are available, it is not surprising that many organizations have either not chosen a framework to follow or have developed an ad hoc framework. Gartner’s research shows that 21% of clients had not selected a security framework.
When selecting a framework, keep in mind the unique needs of your industry, regulatory compliance requirements, customer expectations, and the IT and security capabilities of your organization. While any of the widely adopted security frameworks can help you with your security program, be cautious when selecting a framework. A framework that is over-kill for your organization or that does not address your specific industry or regulatory compliance requirements can result in security gaps, wasted time, and money and can overload your team.
The primary consideration is to understand your organization’s compliance requirements from a statutory, regulatory, and contractual perspective. Once the minimum set of requirements necessary for compliance is established, you can check to see if a framework has been developed for that regulation(s) or your specific industry.
You can refer to one of the many guides that are available, here are a few:
- Cybersecurity Essentials guide by the Cybersecurity Infrastructure and Security Agency.
- Cybersecurity Resources RoadMap by The Department of Homeland Security.
- Cybersecurity for Small Businesses factsheet by the Federal Trade Commission.
- Security Program Management 101 — How to Select Your Security Frameworks, Controls and Processes, by Gartner, a global research and advisory services firm.
- Cybersecurity for Small Businesses, by PamTen, a global technology services company offering custom software solutions, enterprise integration services, and staff augmentation services.
- 7 Steps To Building An Audit-Ready Cybersecurity & Privacy Program, by Compliance Forge, a leader in the area of cybersecurity and privacy documentation.
Get started on the road to protecting your clients, employees, and your business today be selecting a Security framework!