Blueprint for Security

Build a robust IT security infrastructure with security frameworks.

Blueprints are essential for construction projects, outlining the precise specifications that builders and contractors must follow to execute architectural and engineering plans. IT security frameworks serve a similar purpose in the world of information systems.

Security frameworks guide organizations through the process of building robust IT security environments. Based upon industry standards, guidelines and best practices, these frameworks document the processes for implementing, managing and maintaining a comprehensive array of critical security controls.

Frameworks establish standardized practices, creating a common language and set of guidelines for IT security. This standardization facilitates communication and collaboration within the organization and across industries.

According to a Dimension Research survey, 84 percent of organizations in the U.S. use a security framework, and 44 percent use more than one. Benefits cited by respondents include improved compliance (47 percent), measurable security improvements (43 percent) and increased automation of security controls (35 percent).

Top Frameworks

There are dozens of frameworks that companies can use to guide their security processes. Here’s a brief description of seven widely used frameworks:

  • National Institute of Standards and Technology Cybersecurity Framework. The NIST Cybersecurity Framework (CSF) was first released in 2014, under a presidential executive order, to outline best-practice security for federal agencies and the private-sector operators of critical infrastructure; it has since been adopted well beyond that original audience. It is the most widely used security framework in the U.S., with 67 percent of surveyed organizations reporting that they use it.
  • The Payment Card Industry Data Security Standard. PCI DSS is one of the most well-known and widely applied standards because it is contractually enforced rather than voluntary: launched in 2004 by the major card brands, it mandates specific security controls for any business that stores, processes or transmits cardholder data. The standard is organized into 12 key requirements, covering areas such as network security, encryption of cardholder data, access control and regular security testing.
  • The Center for Internet Security Critical Security Controls. The CIS controls were developed in 2008 to address data losses experienced by U.S. defense organizations. This framework consists of a number of defensive actions designed to create a layered security environment. These guidelines were developed through an extensive community of government and industry cybersecurity practitioners.
  • The International Organization for Standardization 27001 standard. ISO/IEC 27001 is an international standard that specifies the requirements for establishing, operating and continually improving an information security management system (ISMS), and is the one organizations are certified against. It emphasizes a risk-based approach: organizations identify and assess their threats, then select controls from the catalog in the standard's Annex A (detailed in the companion ISO/IEC 27002), which covers areas such as access control, cryptography and incident management.
  • Control Objectives for Information and Related Technologies. Developed by the Information Systems Audit and Control Association (ISACA), the COBIT framework is designed to bridge the gap between business and IT goals. It provides a set of best practices for IT governance and management, emphasizing the need for alignment between IT and business objectives. COBIT helps organizations effectively control their information systems by defining processes and controls related to IT governance, risk management and compliance.
  • MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). MITRE ATT&CK is a knowledge base rather than a control framework: it catalogs the tactics, techniques and observed procedures adversaries use across the stages of an intrusion, each backed by real-world reporting. It prescribes no specific controls or policies, but security teams use it to map detection coverage, prioritize mitigations and describe threat activity in a shared vocabulary.
  • The Federal Information Security Modernization Act. FISMA is a federal law (passed in 2002 and updated in 2014) that establishes a comprehensive framework for securing government information systems. It requires agencies to develop, implement and continuously update security programs, and it directs them to the NIST standards and guidelines that define the required security plans, risk assessments and continuous monitoring strategies.

Although these frameworks were developed for different audiences — government, business and international organizations — they have some shared aims and common guidance that make them appropriate for a broad range of organizations. At a basic level, they are all meant to create a structured approach to identifying vulnerabilities, detecting threats, assessing risk, controlling access and recovering from any attack.

Securing Today’s Environment

Most importantly, frameworks provide a coherent and repeatable approach to security so that nothing falls through the cracks. That is particularly important now that organizations must extend their security controls to growing numbers of remote employees.

For example, access control, identity management and authentication are essential elements of all these frameworks. These are particularly critical practices with remote workers accessing the corporate network with their personal devices.

Employee education and awareness are also standard framework components that are vital for remote employees. Without their usual safety net of company-managed security measures, employees may be susceptible to rising numbers of phishing campaigns and malware attacks.

Data security provisions in these frameworks outline the use of encryption and other measures to protect data, another fundamental requirement for remote workforces. Frameworks also outline how data backups should be conducted, maintained and tested.

As technologies and workforces evolve, so do malicious threats. Creating a security environment that keeps pace with these rapid changes can be difficult. Cybersecurity frameworks provide a valuable instruction manual for reducing risk.
