An information security framework, when done properly, will allow any security leader to more intelligently manage their organization's cyber risk.
The framework consists of a number of documents that clearly define the adopted policies, procedures, and processes by which your organization abides. It effectively explains to all parties (internal, tangential, and external) how information, systems, and services are managed within your organization.
The main point of having an information security framework in place is to reduce risk levels and the organization's exposure to vulnerabilities. The framework is your go-to document in an emergency (for example, if someone breaks into your systems), and it also outlines the daily procedures designed to reduce your exposure to risk.
Implementing a solid information security framework provides a host of advantages if you are trying to instill confidence in an industry or establish a strong reputation with potential business partners and customers. The framework allows these agents to understand how you will protect their data or services from harm.
Think of it like this: if anyone asks you at any time what you would do if X-cyber-disaster happened, any authorized person in your organization would be able to look up the procedure in the framework and present the exact same response to a third party, whether that party is a regulator, a customer, a business partner, a third-party provider, etc.
Now, there are hundreds of information security frameworks in existence today. Finding the right one for your organization is not always an easy task for the uninitiated. They do not all fit neatly into a single taxonomy: there are geographical frameworks, industry-wide frameworks, and technology frameworks.
The first step is to get familiar with the more well-known frameworks available today. Of course, there is a ton of overlap between frameworks, and that is actually an advantage. Once you align with your preferred framework, you can much more easily align with additional ones, such as those that provide certification, for example.
Below we’ve outlined some key frameworks that are widely used.
NIST (the National Institute of Standards and Technology) is a federal agency within the United States Department of Commerce. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
The institute also establishes IT standards and guidelines for federal agencies. Since 2014, the NIST Cybersecurity Framework has provided guidance for critical-infrastructure organizations to better manage and reduce cybersecurity risk.
The framework is entirely voluntary, but it is designed to increase the resilience of an organization's defenses.
The Cybersecurity Framework consists of three main components:
NIST offers a guide to help an organization prioritize activities based on their importance to business continuity and security. It provides a common language for addressing cybersecurity risk management that is understood by those within and outside the organization. It can be particularly useful when discussing the supply chain and providing added assurance that you operate at low risk.
The International Standards Organization developed the ISO 27000 series. Because it is broad in scope, any type or size of organization can benefit from being familiar with it and adopting its recommendations, as appropriate to its industry and business type.
ISO 27000 describes a systematic approach to managing sensitive information securely, known as an information security management system (ISMS). It includes managing risk for people, processes, and IT systems.
The ISO 27000 family is divided into different sub-standards, some of which are applicable to specific industries, while others are specific to operational choices (such as whether or not you use cloud storage). It's plain to see that it is vast in scope.
ISO 27001, for example, includes a six-part approach:
It is a useful tool to start forming your framework, and many companies may benefit by actively seeking out certification for meeting specific ISO compliance standards.
PCI DSS is the worldwide Payment Card Industry Data Security Standard. It was initiated to ensure that businesses process card payments securely, as well as to help reduce card fraud.
This is achieved by enforcing tight controls over the storage, transmission, and processing of the cardholder data that businesses handle. In short, PCI DSS is intended to protect sensitive cardholder data.
The payment standard has 12 principal requirements, all of which fall under these six categories:
In addition to the frameworks above, let’s take a look at some holistic frameworks which take a general, risk-based approach to information security by prescribing controls that directly counteract an organization’s defined security risks.
The choice to use a particular IT security framework can be driven by multiple factors. If your organization processes credit cards, then you're required to meet the PCI DSS controls. If you're handling electronic Personal Health Information (ePHI), then you'll need to meet the HIPAA regulations. If you're dealing with the federal government, NIST 800-53 is your starting point. Publicly traded companies will probably select COBIT in order to more readily comply with Sarbanes-Oxley (SOX). A more mature security organization may select ISO 2700x, as that framework has applicability in any industry, even though the implementation process is long and involved and the certification process is a rigorous one.
Any one of the frameworks we’ve mentioned here may be a good fit for your organization, and there are even more to choose from than those we’ve listed. No matter what your choice, remember: the only wrong choice here is not to choose.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.