What are Security Frameworks?
Security frameworks provide a structured approach to determining risk, setting up a security strategy, and allocating security resources. They are (or should be) measurable, repeatable, and are often standardized by industry. With all the frameworks available (NIST, ISO, NERC CIP, PCI, and others), which is right for your organization? The answer is: it depends.
Where to Begin?
The first step is to determine applicable rules, laws, or regulations specific to your company or industry. Retail merchants must comply with PCI. Defense contractors will have to protect information according to government acquisition regulations, NIST 800-171 or perhaps FedRAMP. Banks and financial institutions comply with FFIEC, and in some cases individual state regulations.
While compliance is important, checking the boxes in a mandatory framework is only one measurement of risk. Considering business impact and the cost of downtime may mean that a company does MORE than is required by the framework.
If you don’t have any specific compliance requirements but still want to set best practices for your security and your company’s data, one of the best options is the Center for Internet Security’s (CIS) Critical Security Controls – formerly the SANS Top 20. Aligning your IT environment with this set of 20 controls can help you identify critical security gaps and properly prioritize both the deployment of security controls and the measurement of their effectiveness. The CIS Controls focus on security maturity through technical measures, rather than just policy- and process-oriented directives.
A specific framework doesn’t guarantee safety from every form of cyber-attack, but it does provide a measurable, repeatable baseline to show where you stand compared to other organizations, as well as a defined set of best practices for your organization to follow. By measuring up to a standard, you can improve your security capabilities and better track your goals, objectives, and eventual progress.
How Sera-Brynn Can Help!
If you are considering how to improve your security posture, we can help. Making sense of security frameworks is what we do. Contact us today for a free consultation.
By Crystal Silins, Sera-Brynn Senior Security Analyst.
Starting next week, Sera-Brynn analysts will be posting a series of articles on the FedRAMP process. As a FedRAMP 3PAO, we can help simplify the process and offer a free consultation if you are considering FedRAMP.