© Morey J. Haber, Brad Hibbert 2018

Morey J. Haber and Brad Hibbert, Asset Attack Vectors, https://doi.org/10.1007/978-1-4842-3627-7_20

20. Risk Management Frameworks

Morey J. Haber (1) and Brad Hibbert (2)

(1) Heathrow, Florida, USA

(2) Carp, Ontario, Canada

Compliance frameworks provide the link between regulatory mandates and the business practices required to support them. Frameworks provide a model and structure that organizes and categorizes risk and associated internal controls to help organizations monitor and measure the effectiveness of their activities and investments. This goal is typically achieved through a set of control objectives outlined in the framework, which allows the organization to assess the security posture and set goals to improve procedures to protect systems and data. Another significant benefit of leveraging a compliance framework is that it can help an organization prioritize and coordinate activities, not only for a single regulatory mandate but across multiple compliance mandates as well.

It is important to note that throughout the years, information technology professionals have seen an increase in the regulatory mandates that must be supported, and they are also presented with an increasing number of potential frameworks and methodologies for managing information technology risk in a verifiable and measurable way. Living frameworks such as NIST, ISO 27001, CIS, and HITRUST have become widely accepted as best practices for organizations to assess, monitor, and measure the effectiveness of their security and compliance investments. While some frameworks, such as the SANS 20, are technically oriented and explicit about the technologies and security controls, others refer more to best practices and recommended guidelines. Regardless of the approach, the goal of the framework is to provide recommendations and guidance so that practices and procedures can be established to create business value and minimize risk. While this book will not go into the details of every framework, it is important that security personnel be familiar with the common frameworks they will likely encounter. Table 20-1 outlines the most common frameworks and their use cases. As you read through them, you will see that much of the overlap is not dependent on business vertical.

Leveraging industry standards provides a level of assurance that best practices are followed both by the organization and by its business partners to protect systems and data. There is no “one size fits all” when it comes to selecting a security framework, and in most cases the most appropriate framework may already be in place prior to initiating the vulnerability management program. When initiating a vulnerability management project, it is important to understand which regulatory mandates the organization must comply with and which risk management frameworks have already been implemented. In some cases, frameworks such as ISO 27001 can complement existing ISO framework implementations. In other cases, industry vertical and compliance mandates may play a more important role in framework selection. For example, COBIT may be better aligned to comply with SOX. ISO 27000 offers breadth and applicability across industries but is more likely to be adopted when a company needs to market ISO certification. NIST SP 800-53 controls were designed specifically for U.S. government agencies, but NIST SP 800-53 also provides information security standards that are applicable across industry verticals and organizations.

Table 20-1 Common Risk Management Frameworks (columns: Organization, URL, Framework Name, Security Controls, Description)

Organization: PCI Security Standards Council
URL: https://www.pcisecuritystandards.org/
Framework Name: Payment Card Industry Data Security Standard (PCI DSS)
Security Controls: 12 requirements organized into six groups of control objectives.
Description: Initially developed in 2004, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard outlining 12 security requirements for every organization that accepts credit cards such as Visa, MasterCard, American Express, and others. The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. By adhering to PCI regulations, you can secure critical systems and protect sensitive cardholder data.

Organization: Center for Internet Security (CIS)
URL: https://www.cisecurity.org/controls/
Framework Name: CIS Critical Security Controls
Security Controls: CIS 20 controls
Description: Originally developed in 2008 and currently on version 6.1, the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (known as the CIS Top 20 Controls) are “a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.”

Organization: Open Web Application Security Project (OWASP)
Framework Name: OWASP Top 10
Security Controls: Top 10 controls
Description: The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. The OWASP Top 10 Web Application Security Risks provides guidance to developers and security professionals that targets the most critical vulnerabilities commonly found and exploited in web applications. The OWASP Top 10 is not an exhaustive list of risk elements but provides a solid starting point for organizations looking to strengthen the security posture of their web application environment.

Organization: National Institute of Standards and Technology (NIST)
URL: https://www.nist.gov/
Framework Name: NIST 800 series; Framework for Improving Critical Infrastructure Cybersecurity
Security Controls: NIST Special Publication 800-53; NIST Special Publication 800-171
Description: NIST SP 800-53 outlines a comprehensive strategy combined with various security controls for continuous monitoring designed to enable better risk-based decision making. Another popular set of NIST controls is 800-171. The primary difference between NIST 800-53 and 800-171 is that the latter was developed specifically to protect sensitive data on contractor and other nonfederal information systems.

Organization: International Organization for Standardization (ISO)
URL: https://www.iso.org/isoiec-27001-information-security.html
Framework Name: ISO/IEC 27000 family – Information security management systems
Security Controls: ISO/IEC 27001
Description: ISO provides a family of standards to help organizations secure information assets. Each standard is designed to provide guidance in relation to a specific set of activities focused on a specific set of objectives. For example, building the foundation of a security program is covered in ISO 27001, implementing detailed controls is covered in 27002, and risk management is covered in 27005.

Organization: UK Government's Office of Government Commerce (OGC)
URL: https://www.itlibrary.org/
Framework Name: Information Technology Infrastructure Library (ITIL)
Security Controls: ITIL itself does not provide prescriptive guidance on controls and relies on other frameworks such as ISO for that aspect of security management. ITIL focuses more on the broader activities of service delivery and support and their relationship with security.
Description: ITIL is a framework of best practices for delivering IT services. ITIL v3 comprises five distinct volumes: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement.

Organization: FAIR Institute
URL: http://www.fairinstitute.org/
Framework Name: Factor Analysis of Information Risk (FAIR)
Description: FAIR is a framework for understanding, analyzing, and measuring information risk. Basic FAIR provides a framework comprising 10 steps in 4 stages designed to quantify and communicate risk consistently across the organization.

Organization: Software Engineering Institute, Carnegie Mellon
URL: http://www.cert.org/
Framework Name: OCTAVE
Description: OCTAVE was developed by Carnegie Mellon University’s computer emergency response team (more commonly known as CERT). This security framework offers a strategic approach to information security.

Organization: Information Systems Audit and Control Association (ISACA)
URL: http://www.isaca.org/cobit/pages/default.aspx
Framework Name: COBIT
Security Controls: COBIT5 Governance and Management Practices
Description: COBIT is a management and governance framework that defines and organizes implementable controls, which are grouped into IT-related processes.
