Top 10 IT security frameworks and standards explained

Security frameworks and cybersecurity standards are critical tools in helping protect corporate data. Here’s advice for choosing the right IT security framework for your organization.  

Information security management encompasses many things, from perimeter protection and encryption to application security and disaster recovery. IT security is often made more challenging by compliance requirements, such as HIPAA, PCI DSS and Sarbanes-Oxley, and by global standards, such as GDPR.

Basic knowledge of these regulations, standards, and frameworks is important for all information security and cybersecurity professionals. Being able to implement IT security frameworks and standards is essential in protecting sensitive data, maintaining regulatory compliance, and helping prepare for and streamline audit processes. 

Let’s take a look at what IT security standards, regulations, and frameworks are, examine some of today’s most commonly used solutions, and explain how they are used. 

 

IT security standards and regulations: What are they?
Standards are like a recipe; they list out steps that must be performed to achieve compliance. A well-managed IT organization must comply with all requirements set forth in a standard. 

Regulations, in contrast, are legally binding. The way they describe how something must be performed reflects government and public backing for the rules and processes set forth in the regulation. Failure to comply with IT-focused regulations can result in financial penalties and litigation.

 

What is an IT security framework? 

An IT security framework is a series of documented processes that define policies and procedures around the implementation and management of information security controls. These frameworks provide a blueprint for managing risk and reducing vulnerabilities. 

Information security professionals use security frameworks to define and prioritize the tasks required to manage enterprise security. They are also used to help prepare for compliance and other IT audits. Therefore, the framework must support the specific requirements outlined in the standard or regulation. 

Organizations can customize frameworks to solve specific information security problems, such as industry-specific requirements or unique regulatory compliance goals.  

Frameworks also come in varying degrees of complexity and scale, and today’s frameworks often overlap. It’s important to select a framework that effectively supports all of your operational, compliance, and audit requirements. 

 

Types of frameworks

Control Frameworks: 

  • Develop a basic strategy for security team 
  • Provide baseline set of controls 
  • Assess current technical state 
  • Prioritize control implementation 

 

Program Frameworks: 

  • Assess state of security program 
  • Build comprehensive security program 
  • Measure program security / competitive analysis 
  • Simplify communication between security team and business leaders 

 

Risk Frameworks: 

  • Define key process steps to assess/manage risk 
  • Structure program for risk management 
  • Identify, measure, and quantify risk 
  • Prioritize security activities 

 

TOP-RATED CYBERSECURITY FRAMEWORKS  

There are many different frameworks; however, a few dominate the market. In addition to the Payment Card Industry Data Security Standard (PCI DSS), popular frameworks include:  

  • NIST CSF – The US National Institute of Standards and Technology framework for improving critical infrastructure cybersecurity 
  • CIS – The Center for Internet Security critical security controls 
  • ISO/IEC 27001 and 27002 – The International Organization for Standardization standards for best practices around security management and controls 

 

Why are frameworks important? 

Frameworks provide a starting point for establishing processes, policies and administrative activities for information security management. 

Security requirements often overlap, which results in “crosswalks” that can be used to demonstrate compliance with different regulatory standards. For example: 

  • ISO 27002 defines information security policy in Section 5 
  • Control Objectives for Information and Related Technology (COBIT) defines it in the “Align, Plan and Organize” section 
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework defines it as “Internal Environment” 
  • HIPAA defines it as “Assigned Security Responsibility” 
  • PCI DSS defines it in the “Maintain an Information Security Policy” section 

Using a common framework, such as ISO 27002, an organization can establish crosswalks to demonstrate compliance with multiple regulations, including HIPAA, Sarbanes-Oxley, PCI DSS, and Gramm-Leach-Bliley. 

 

How to choose an IT security framework 

The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements could be deciding factors. Publicly traded companies, for example, may wish to use COBIT to comply with Sarbanes-Oxley, while the healthcare sector may consider HITRUST. The ISO 27000 Series of information security frameworks, on the other hand, is applicable in both public and private sectors. 

While ISO standards are often time-consuming to implement, they are helpful when an organization must demonstrate its information security capabilities via ISO 27000 certification. While NIST Special Publication (SP) 800-53 is the standard required by U.S. federal agencies, it can be used by any organization to build a technology-specific information security plan. 

These frameworks help security professionals organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them. 

 

Examples of IT security frameworks

ISO 27000 Series 

The ISO 27000 Series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations. 

The two primary standards, ISO 27001 and 27002, establish the requirements and procedures for creating an information security management system (ISMS). Having an ISMS is an important audit and compliance activity.  

ISO 27000 consists of an overview and vocabulary and defines ISMS program requirements. ISO 27002 specifies the code of practice for developing ISMS controls. 

Compliance with ISO 27000 Series standards is established through audit and certification processes, typically provided by third-party organizations approved by ISO and other accredited agencies. 

The ISO 27000 Series has 60 standards covering a broad spectrum of information security issues, for example:  

  • ISO 27018 addresses cloud computing 
  • ISO 27031 provides guidance on IT disaster recovery programs and related activities 
  • ISO 27037 addresses the collection and protection of digital evidence 
  • ISO 27040 addresses storage security 
  • ISO 27799 defines information security in healthcare, which is useful for companies that require HIPAA compliance 

 

HITRUST Common Security Framework 

The HITRUST Common Security Framework includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare. 

HITRUST is a massive undertaking for any organization due to the heavy weight given to documentation and processes. As a result, many organizations end up scoping smaller areas of focus for HITRUST.  

The costs of obtaining and maintaining HITRUST certification add to the level of effort required to adopt this framework. On the other hand, the certification is audited by a third party, which adds independent validation. 

 

GDPR 

GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens’ personal information. GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as least privilege, role-based access, and multifactor authentication. 

 

NIST 

The NIST Cybersecurity Framework was established in response to an executive order by former President Obama (Improving Critical Infrastructure Cybersecurity), which called for greater collaboration between the public and private sectors in identifying, assessing, and managing cyber risk. While compliance is voluntary, NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations. 

NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 Series addresses virtually every aspect of information security, with an increasing focus on cloud security.  

  • NIST SP 800-53 is the information security benchmark for U.S. government agencies and is widely used in the private sector. SP 800-53 has helped spur the development of information security frameworks, including the NIST Cybersecurity Framework (CSF). 
  • NIST SP 800-171 has gained popularity due to requirements set by the U.S. Department of Defense regarding contractor compliance with security frameworks. Government contractors are a frequent target for cyberattacks due to their proximity to federal information systems. Government manufacturers and subcontractors must have an IT security framework to bid on federal and state business opportunities. 
    Controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53, but are less detailed and more generalized. Using NIST SP 800-171 as the base, it’s possible to build a crosswalk between the two standards if an organization must show compliance with NIST SP 800-53. This creates flexibility for smaller organizations to show compliance as they grow, using the additional controls included in NIST SP 800-53. 
  • The NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. It was developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness, as they have all been targeted by nation-state actors due to their importance. 
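The crosswalk idea appears twice on this page: once under “Why are frameworks important?” (one ISO 27002 control mapped to COBIT, COSO, HIPAA and PCI DSS) and once in the NIST SP 800-171 to SP 800-53 discussion above. The same data structure serves both. The following is an added example, not code from the original article or from any of the standards bodies: it models a crosswalk as rows mapping a base-framework control to the section it satisfies in each regulation, then reports per regulation which sections are covered by evidence and which remain gaps. The only real mapping row is the information security policy example from the article; the second row and all evidence references are constructed placeholders. The caveat it encodes is the one an auditor will apply: a control claimed without an evidence artifact earns no coverage.

```python
"""Crosswalk coverage report (added example; not code from the original article).

A crosswalk maps each control of a common base framework to the section or
requirement it satisfies in several regulations.  Given the controls an
organization has actually implemented, with an evidence reference for each,
the report shows per regulation which sections are covered and which remain
gaps.  A control listed without evidence earns no credit.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CrosswalkRow:
    control: str                # control in the common base framework
    maps_to: Dict[str, str]     # regulation -> section/requirement satisfied


# First row: the information-security-policy mapping given in the article.
# Second row: a constructed placeholder so the report has a gap to show.
CROSSWALK: List[CrosswalkRow] = [
    CrosswalkRow(
        "ISO 27002 Section 5: Information security policy",
        {
            "COBIT": "Align, Plan and Organize",
            "COSO": "Internal Environment",
            "HIPAA": "Assigned Security Responsibility",
            "PCI DSS": "Requirement 12: Maintain an information security policy",
        },
    ),
    CrosswalkRow(
        "PLACEHOLDER-CONTROL (constructed)",
        {
            "HIPAA": "PLACEHOLDER-SECTION (constructed)",
            "PCI DSS": "PLACEHOLDER-REQUIREMENT (constructed)",
        },
    ),
]


def coverage_report(crosswalk: List[CrosswalkRow],
                    implemented: Dict[str, List[str]]) -> Dict[str, dict]:
    """Return {regulation: {"covered": {section: [evidence...]}, "gaps": [section...]}}.

    `implemented` maps a base-framework control to the evidence references
    (policy documents, tickets, scan reports) that prove it is in place.
    An empty evidence list is treated the same as a missing control.
    """
    report: Dict[str, dict] = {}
    for row in crosswalk:
        evidence = implemented.get(row.control, [])
        for regulation, section in row.maps_to.items():
            entry = report.setdefault(regulation, {"covered": {}, "gaps": []})
            if evidence:
                entry["covered"][section] = list(evidence)
            else:
                entry["gaps"].append(section)
    return report


def fully_covered(report: Dict[str, dict]) -> List[str]:
    """Regulations with no remaining gaps, sorted for stable output."""
    return sorted(reg for reg, entry in report.items() if not entry["gaps"])


if __name__ == "__main__":
    # Constructed evidence: one approved policy document backs the ISO control.
    implemented = {
        "ISO 27002 Section 5: Information security policy": [
            "POL-001 v3, approved (constructed)"
        ],
    }
    for regulation, entry in coverage_report(CROSSWALK, implemented).items():
        print(regulation, "covered:", list(entry["covered"]), "gaps:", entry["gaps"])
```

To use this for the SP 800-171 to SP 800-53 case, the base-framework controls become 800-171 requirements and the `maps_to` values become the 800-53 controls they satisfy; the report then lists exactly which 800-53 controls a growing organization still has to add.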

 

PCI DSS 

Founded in 2006 in response to increased credit card fraud, the Payment Card Industry Security Standards Council (PCI SSC) consists of the five major credit card companies: American Express, Discover, JCB International, Mastercard, and Visa, Inc. The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive security compliance requirement for merchants and financial services providers.  

PCI DSS contains 6 categories of controls: 

  1. Build and maintain a secure network and systems 
  2. Protect cardholder data 
  3. Maintain a vulnerability management program 
  4. Implement strong access control measures 
  5. Regularly monitor and test networks 
  6. Maintain an information security policy 

Within those six categories, PCI DSS then sets out 12 detailed requirements: 

  1. Install and maintain a firewall configuration 
  2. Do not use vendor-supplied defaults 
  3. Protect stored cardholder data 
  4. Encrypt cardholder data transmissions across open, public networks 
  5. Protect all systems against malware  
  6. Develop and maintain secure systems and applications 
  7. Restrict access to cardholder data by business “need-to-know” 
  8. Identify and authenticate access to system components 
  9. Restrict physical access to cardholder data 
  10. Track and monitor all access to network resources and cardholder data 
  11. Regularly test security systems and processes 
  12. Maintain an information security policy 

 

CIS 

CIS was built in the late 2000s by a volunteer expert coalition to create a framework for protecting companies from cybersecurity threats. It comprises 20 controls that are regularly updated by experts from all fields (government, academia, and industry) so that they stay current with cybersecurity threats.  

CIS works well for organizations that want to start with baby steps. Its controls are divided into three groups: basic, foundational, and organizational.  

CIS is also a great option if you want an additional framework that can coexist with other, industry-specific compliance standards (such as HIPAA and NIST). The organization also publishes benchmarks: configuration guidelines based on commonly used standards, such as NIST and HIPAA, that map to those standards to help companies comply with them, and that also offer baseline security configurations for organizations that don’t require compliance but want to improve their security. 

 

Conclusion 

Cybersecurity frameworks provide a basis for achieving a strong security posture and preventing data breaches. In some cases, they enable an organization to become certified as compliant with a specific regulation. Adopting a framework requires a decision to commit time and resources to the project. The framework offers an organized way to become secure and then continually measure the effectiveness of the security controls established by the framework. When done right, it’s worth it!