What's a Security Framework, And Does It Benefit My Organization?

In this months blog, we delve into a couple of Security Frameworks that we commonly use with our Clients, whether they are looking to strengthen their Security Posture or to evaluate their defences from attacks such as Ransomware, Denial of Service or Rogue Employee based attacks.

So the question in this months blog, is why use a Security Framework, what benefits do they provide and is there any real benefit in adopting one?

Within Cybersecurity, there exists a whole industry dedicated to promoting and selling Security Frameworks that have the intention of bringing forms of compliance for businesses and organizations to reference and use as a benchmark.

So lets examine the question, what is a Security Framework? Well, if you Google these two keywords, the first thing likely to show up is the NIST Security Framework in Google. However, to explain what a Security Framework is, the best description is its a grouped set of controls designed to outline areas a business should consider when thinking about Cybersecurity. For example, having a central identity system for managing users identity to handle access control and user permissions. Whilst this control is in reality a requirement, security frameworks also outline processes for the management of policies and standards, risk evaluation and management of security within your business.

So to begin with, let’s examine a few commonly used security frameworks we typically use with our clients here at Complete Cyber:

NIST 800-53: The NIST framework is typically the most common framework we use and consists of the implementation of five different stages for implementing a fulll security approach to your business. Within this framework, exists a set of security controls that should be used to determine what good looks like, with each set of control requirements mapped to one of the five stages. NIST is commonly used in America given the government council who manage the framework originate from the US. NIST is also used here in the UK by CNI system owners given its relationship with the NIS Regulations.

ISO 27001: The ISO standard for security framework is compressively used across a lot of IT based industries and has similarities to the NIST 800-53 framework. ISO27001 consists of a number of detailed standards that outline management, process and required controls to be in place for managing security within your business. ISO27001 is commonly seen more by companies wishing to demonstrate their security baseline expectations to support their business in supplying services to other companies that expect a high degree of security maturity.

Cyber Essential/+: Whilst specific to the UK and governed by IASME via the NCSC, the CE/CE+ is seen as light touch compared to ISO27001 and covers five pillars businesses are expected to have in order to obtain certification. CE/+ have been implemented to ensure UK companies meet basic hygiene When it comes to Cybersecurity and to engage with Public Sector, CE/+ is a basic requirement needed for this type of engagement.

PCI-DSS: Although not a framework as such, the PCI standard was created by the three main card providers (VISA/MASTERCARD/AMEX) to form a basic approach to implementing Cybersecurity and specifically protect Card data, otherwise classified as PFI. When card fraud was prevalent in the rise of the internet, PCI was formed and legislated into Law to ensure businesses that processed card data undertook due-dilllence and protected Customers card data and coordinated self/external audits to satisfy these demands. By processing card data through your IT systems and not attesting that you undertake the basic security controls listed in the PCI standard can lead to some significant fines by the PCI council.

Cloud Security Alliance: The CCA was born in the era of Cloud computing and whilst doesn’t stipulate as a framework is close enough and comprehensive to be used for any business. Whilst the framework works explicitly referencinf a detailed list of security control requirements, you can evaluate documentation to understand the process for implantation. CCSA for short, is mapped between ISO27001 and NIST 800-53 along with HIPAA and a few other Health related frameworks, and therefore provides a comprehensive approach to securing your infrastructure.

ISA/IEC 62443 Industrial communication networks - IT security for networks and systems: The ISA 62443 Framework consist of a number of standards governed by the International Socierty of Automation (ISA) and the International Electrotechnical Commission. This framework is used extensively when working with Critical Infrastructure Suppliers (CIS) whereby a different set of Security Requirements and Controls are needed given the Operational impact system changes can cause to Operational Technology (OT) systems. This framework, similiar to ISO 27001, provides a robust set of standards for setting out Security at Board Level down to technical implementation when assessing existing or new CIS.

Frameworks provide benefits in a range of scenarios, mainly a reference of what good looks like and what organizations should be aiming for. Furthermore, maturity of an organization is usually measured on the adoption of a Security Framework, a criteria often required when an organization wants to engage or supply services to other businesses.

Whilst there are many frameworks used to align security best practices, the use of any framework is pivotal to supporting your business or organisation in protecting your infrastructure. Using any of the above frameworks is very dependent on scope and your business needs; However, what we can evaluate from the above is that using a reference Security framework can improve your security landscape by providing detailed practices on what you should be implementing against your IT/OT infrastructure to maintain good cyber hygiene and practices.

For more information on adopting, auditing and/or evaluating the needs of a Security framework, why not get in touch and speak to our expert team on whether you need support in this area?