A control is a measure that modifies (mitigates or reduces) an organization's exposure to risk. A control may be any policy, process, device, practice, action or activity that modifies risk. The objectives of designing a control include, but are not limited to, the following:
To mitigate the risk.
To avoid the risk entirely.
To prevent the risk from occurring.
To reduce the losses associated with the risk.
To transfer the risk to another party, in part or in whole.
A framework, in general, is a supporting structure on which a system or object is built. In that sense a "control framework" is simply a structure that organizes and categorizes controls, that is, the practices and procedures established to create business value and minimize risk. Control frameworks are prepared for a variety of purposes, objectives and business needs, such as financial reporting, maintaining compliance with laws and regulations, meeting business requirements and industry best practices, and minimizing business risk.
Information Security or IT Security or Cyber Security Control Frameworks
An information security (IT security, cyber security) framework is a series of documented practices, activities and processes used to define the policies and procedures around the implementation and ongoing management of information security controls in an organization's environment. Such frameworks are essentially a blueprint for building an information security program that manages risk and reduces vulnerabilities. Information security professionals use them to define and prioritize the tasks required to build security into an organization.
Which Information Security Framework is right for your organization?
The challenges of running an information security program in an organization are overwhelming, with so many areas to address: ICT infrastructure and application security, privacy, disaster recovery, and compliance with regulatory requirements such as HIPAA, PCI DSS and Sarbanes-Oxley, among many others.
How security professionals should organize and prioritize their efforts to build and maintain an information security program is a perennial question. The first part of the answer comes from the type of business the organization does, because each framework was built for a specific purpose and objective and addresses specific needs. Some examples follow.
1. Control Objectives for Information and Related Technology (COBIT)
COBIT is a framework developed by ISACA, an independent organization of IT governance professionals. ISACA also offers the well-known Certified Information Systems Auditor (CISA) certification. The framework started out primarily focused on reducing technical risk in organizations, but with COBIT 5 it evolved to also cover the alignment of IT with business strategy. It is the framework most commonly used to achieve compliance with Sarbanes-Oxley rules.
2. The ISO/IEC 27001 Family of Standards:
The ISO/IEC 27000 series (also known as the "ISMS family of standards" or "ISO27K" for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a very broad information security framework that can be applied to organizations of all types, sizes and industries.
The series is broken up into sub-standards by content. ISO/IEC 27000 provides the overview and vocabulary; ISO/IEC 27001 defines the requirements an information security management system (ISMS) must meet, and is the standard an organization is certified against; ISO/IEC 27002 is the code of practice describing the controls and how to implement them. Many more standards and best practices are documented in the series, including specific guidance on cloud services (ISO/IEC 27017), storage security (ISO/IEC 27040) and digital evidence collection (ISO/IEC 27037).
3. The NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)
The United States (U.S.) National Institute of Standards and Technology (NIST) has built an extensive collection of information security standards and best-practice documentation. The NIST Special Publication 800 series provides advice on almost every aspect of information security. Although SP 800-53 is a catalog of controls rather than a framework in the strict sense, other frameworks have been derived from it. U.S. federal agencies use NIST SP 800-53 to meet the minimum security requirements of Federal Information Processing Standard (FIPS) 200. Even though it was written for government agencies, the control catalog can be applied in any industry and should not be ignored by organizations looking to build an information security program.
4. NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
NIST SP 800-171 has gained in popularity in recent years because the U.S. Department of Defense, through its DFARS contract clauses, mandated that contractors comply with it by December 2017. Cyberattacks occur throughout the supply chain, and the systems and intellectual property of government contractors are frequent targets, used as a stepping stone into federal information systems. NIST SP 800-171 was a good choice for this requirement because it scales down to smaller organizations. Even if the framework is not directly relevant to your own business, it is a valuable reference when you deal with many small manufacturing vendors and suppliers and need a sound baseline to set security expectations for them.
5. NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity
The NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity is yet another framework option from NIST. It differs from the others in that it was specifically developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries have all been targeted by nation-state actors because of their strategic importance to the U.S., and must maintain a higher level of preparedness.
The NIST Cybersecurity Framework also differs from the other NIST publications in that it focuses on risk analysis and risk management rather than on a control catalog. Its activities are organized around five core functions that mirror the phases of risk management: identify, protect, detect, respond and recover. These functions require the involvement of management, which is key to the success of any information security program. This structured process makes the NIST Cybersecurity Framework useful to a wide set of organizations with varying security requirements.
6. CIS Controls
The CIS Controls sit at the opposite end of the spectrum from ISO 27001, the NIST Cybersecurity Framework and similar frameworks. They are a prioritized list of technical controls and best-practice configurations that can be applied directly to the IT environment. They do not address risk analysis or risk management like the frameworks above; they are focused solely on hardening technical infrastructure to reduce risk and increase resilience.
The CIS Controls are a great addition to the existing security frameworks because they provide direct, operational advice. Information security programs can get trapped in a long and laborious risk analysis process that does not reduce risk immediately. The CIS Controls pair well with the risk management frameworks to remediate the risks those frameworks identify. They are also a highly useful resource for IT departments that lack technical information security experience.
7. HITRUST CSF
HITRUST is a privately held company located in Frisco, Texas, United States that, in collaboration with healthcare, technology and information security leaders, established the HITRUST CSF, a comprehensive, prescriptive and certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive and/or regulated data. The HITRUST CSF is a prescriptive set of controls that harmonizes the requirements of multiple regulations and standards, among them the ISO/IEC 27000 series and HIPAA, so that a single assessment can demonstrate coverage of several.
Note: HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.
8. The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, and to any other entity that stores, processes or transmits cardholder data (CHD) and/or sensitive authentication data (SAD).
Note: The Sarbanes-Oxley Act of 2002 (SOX), referenced above under COBIT, is a U.S. federal law that established sweeping auditing and financial reporting regulations for public companies.