Summary
It’s common for many organizations to struggle with their cybersecurity operations. Security systems are typically implemented in silos and managers often wonder if they’re covering the full suite of best practices. This article will explain the five steps that any organization can take (including tech startups, not-for-profits, and even large, multi-national corporations) in better securing their environment.
Step 1: Select a Security Controls Framework
What is a Security Controls Framework?
A security controls framework is a checklist to consider when implementing a security program. It prescribes certain tools and processes (collectively, “controls”). For example, all leading frameworks recommend the adoption of network monitoring tools and incident response procedures.
Which Framework is Right for You?
At first glance, these frameworks may seem overwhelming. There are many variations of them, and they may appear to be very similar. Each framework also possesses many individual requirements within it.
Selecting the right framework (see Exhibit 1) is important and should be tied to your industry vertical or compliance requirement, if applicable.
Exhibit 1: Different Security Frameworks
| Framework | Description | Industries |
|---|---|---|
| ISO 27001 | A broadly adopted security framework for U.S. and international organizations | All |
| NIST SP 800-53 | A broadly adopted security framework published by the U.S. federal government | U.S. government and related private industry |
| CIS-20 | A broadly adopted security framework for small to medium-sized organizations | All |
| Payment Card Industry Data Security Standard (PCI-DSS) | A broadly adopted framework for the protection of credit card data | Retail, banking, or other organizations that store, process, and/or transmit credit card data |
| Health Insurance Portability and Accountability Act (HIPAA) | A broadly adopted framework for electronic patient healthcare information (ePHI) | Medical services or other organizations that store, process, and/or transmit ePHI data |
| System and Organizational Controls (SOC) | A broadly adopted framework for third-party service providers | All |
| Cloud Security Alliance (CSA) Controls | A broadly adopted framework for cloud-based service providers | All |
| NIST Cybersecurity Framework (NIST CSF) | A broadly adopted security framework for general use | All |
When selecting a framework, try not to dwell too long on which one to select. As with any framework, it is only a means to an end, which is to secure your organization. Organizations that are implementing security programs for the first time would benefit from selecting a single framework and scaling up. It’s easier to scale multiple frameworks incrementally, rather than tackling them all at once. Remember, the objective is to eventually custom tailor these frameworks to fit your organization through the risk assessment process described below.
Map Control Frameworks
It may be that organizations need to select multiple frameworks based on their nature. A healthcare organization may need both HIPAA and PCI-DSS to baseline their security program. If each framework were to be managed separately, it would become burdensome on an organization’s security or IT department. For example, both frameworks require the approval of granting elevated user permissions. Managing and tracking this control separately for the patient portal (under the scope of HIPAA) and the payment system (under the scope of PCI-DSS) would incur double the time and cost.
To solve this problem, map frameworks into a single version to identify like-kind requirements. This is often called the “controls mapping” or the “controls crosswalk.” Exhibit 2 shows how requirements “map” or overlap with each other.
Exhibit 2: Requirements Mapped Across SOC 2 and ISO 27001
| Systems and Organization Controls 2 (SOC 2) Requirements | ISO 27001 Requirements |
|---|---|
| CC5.3 - Restricts Logical Access—Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets. | A.9.2.3 Management of Privileged Access Rights The allocation and use of privileged access rights shall be restricted and controlled. A.9.4.1 Information Access Restriction Access to information and application system functions shall be restricted in accordance with the access control policy. |
| CC6.7 - Restricts the Ability to Perform Transmission—Data loss prevention processes and technologies are used to restrict the ability to authorize and execute transmission, movement, and removal of information. | A.13.2.1 Information Transfer Policies and Procedures Formal transfer policies, procedures, and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. A.13.2.2 Agreements on Information Transfer Agreements shall address the secure transfer of business information between the organization and external parties. |
| ... | ... |
| N/A | A.6.1.5 Information Security in Project Management Information security shall be addressed in project management, regardless of the type of the project. |
A common challenge is that, depending on the framework, requirements are often misaligned. In the example above, ISO 27001 has a requirement to address security risks via project management standards, but this is not the case for SOC 2. Also, new versions of these frameworks are published at different intervals, frequently adding or substracting requirements resulting in further misalignment. It’s therefore important to periodically update and refresh this mapping.
Note: The word “requirement” is often interpreted as a “must-have.” This couldn’t be further from the truth. Most leading standards take a risk-based approach. These “requirements” are for consideration based on risk. See Step 3 below for additional details
Perform a Self-Assessment: Identify Controls that You Have (and Don’t Have)
Once a framework (or two) is selected, perform a self-assessment. The objective is to quickly identify the existing controls. At this stage, it’s easy to feel overwhelmed. These frameworks contain a long list of control requirements and you may wonder how much of them you really need. This question can be answered in Step 2: Perform a Risk Assessment. For now, the objective is to identify the controls you (think) you have and those you don’t have.