February 25, 2019
Companies in highly regulated industries are forced to adopt one or more frameworks in order to meet compliance initiatives. There are over 200 security frameworks, regulations, standards and guidelines to choose from that could impact your business at any given time. In no particular order, below are the top security controls frameworks that are pervasive throughout our security industry along with some unique facts about each framework.
Framework # 1: NIST Cybersecurity Framework (NIST CSF)
NIST CSF is pervasively used for small and large businesses and it is also known as the “Framework for Improving Critical Infrastructure”. This framework has been developed by Department of Commerce to help mature the cyber resiliency of the entire country. What is really unique about this framework is that is very easy to implement compared to many other much more complex frameworks. Executives love this framework due its ease of understanding however the most serious cybersecurity professionals are using this as a communication tool. Each requirement of this framework is actually interlinked and mapped to requirements coming from the business or much more expansive framework.
Framework # 2: Federal Financial Institutions Examination Council (FFIEC) Cyber Assessment Tool (CAT)
FFIEC CAT has been developed by the financial regulators specifically for banks and credit unions. This framework has a really unique component of allowing security officer to develop an organizational maturity model and inherent risk model supplemented by a controls catalog. The maturity model provides a baseline maturity and organizations are able to measure their progress to increase the level of maturity of their security program over time. The maturity feature of the FFIEC CAT tool is non-existent in many other frameworks and security officers most often end up using the CCMI maturity model with other frameworks. FFIEC also provides a well-developed scoring model that aids in measuring progress over time. It is an excellent tool for credit unions with minimal resources for information security.
Framework # 3: NIST Risk Management Framework (NIST RMF)
The NIST RMF is the ultimate framework for any security officer explicitly and intently attempting to use a framework and link it down to actual system level settings. However, most security officers do not like this framework due to its level of explicitly and excruciating details compared to other frameworks that allow for much more interpretation. The core content of this framework comes from NIST Special Publication 800-53 (controls catalog). It is also important to note that many professionals in the industry do not have a clear understanding between NIST CSF and NIST RMF. They most often use these frameworks interchangeably in their communication. NIST RMF has over 900+ controls and each control many sub-requirements whereas CSF is only about 100 high level requirements and is not formally for any certification & accreditation of high security military systems.
Framework # 4: Federal Information Systems Management Act (FISMA)
Federal Information Systems Management Act (FISMA) is a legislative framework that was signed into law as part of the Electronic Government Act of 2002. FISMA is the ultimate authority over all military, defense and federal systems with the exception of systems that are categorized as National Security Systems (NSS). FISMA is normally enforced through implementation of one of more frameworks. Prior to 2013, FISMA was enforced through DoD Information Certification & Accreditation Program (DIACAP) however all agencies are taking a unified compliance approach now through NIST RMF as it’s an implementation of FISMA. It is important to note that FISMA is a legal framework that encompasses more than just security though it is often used as the primary authority to implement security.
Framework # 5: Federal Risk and Authorization Management Program (FEDRAMP)
FEDRAMP is a program with one or more modified frameworks designed specifically for Cloud Service Providers (CSPs) interested in working with the U.S Government. The FedRAMP program pulls its legal authority from FISMA while leveraging a modified and specialized version of NIST Risk Management Framework. FedRAMP is a commercial version of what the government performs internally to manage security risks. It was previously known as Certification & Accreditation process however now the new terminology is Authorization and Attestation process. FedRAMP is broad and sweeping standard and most organizations in the commercial environment are struggling with implementing and maintaining this standard. The unique thing about this framework is that the staggering cost can be upwards of $3M to fully implement this framework. Organizations should look to automate FedRAMP as much as possible.
Framework # 6: HIPAA Security Rule (HSR)
Health Insurance Portability and Accountability Act of 1996 was proposed to protect consumers from many different concerns not just security alone. For example. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. However, for cybersecurity professionals the HIPAA Security Rule is one of the primary concerns. HIPAA Security Rule applies to not only hospitals but anyone who maintains Protected Health Information (PHI). PHI can be managed by hospitals, insurance providers and 3rd party providers such as software development shops and so on. HIPAA is further enforced through fines by Health Information Technology for Economic and Clinical Health (HITECH) Act. The most impressive thing about this framework is that when it was created, it was actually beyond its years. HIPAA Security Rule was one of the first public laws that specifically laid out basic security controls and safeguard such as technical, administrative and physical safeguards. No other legislation has provided this sort of explicit language with the exception of federal and defense security community.
Framework # 7: Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is tailored and dedicated for implementing cloud security best practices. CSA offers a comprehensive mapping matrix encompassing many other frameworks freely to its members. CSA is a coalition led organization and managed by several security officers from many different industries. It is one of the original frameworks in the industry that started to provide mappings for free. CSA is heavily used by many practitioners seeking to map several requirements into an organization specific unified security control framework.
Framework # 8: General Data Protection Regulation (GDPR)
This is a regulatory framework for all companies operating in European Union (EU). GDPR is considered one of the most important changes in data privacy in the last decade. The interesting fact about this regulation that is fundamentally enhances the Fair Privacy Principles (FPP). Many organizations today are looking to map this to their existing frameworks. NIST RMF offers a grouping of controls that were also based off the Fair Privacy Principles (FPP). NIST RMF also provides privacy Impact Assessment and Privacy Threshold Analysis (PIA/PTA) that can help meet some of the requirements of GDRP.
Framework # 9: Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian Federal privacy law set out to lay the ground rules on how organizations must handle private information. Like GDPR, PIPEDA attempts to ensure that personal information is obtained in ways that respect the fundamental right to privacy. One of the most interesting facts about PIPEDA is that the process of enforcement is laid out in a very transparent and organized manner compared to many other legislative frameworks. The Canadian government really took into consideration the end users on explaining exactly how to comply with PIPEDA and how it is enforced.
Framework # 10: Sarbanes Oxley Section 404 (SOX 404)
Sarbanes Oxley Act was passed in 2002 after several financial scandals that took the country by a surprise. Overall it is a comprehensive reform of business financial practices for publicly traded companies in the United States. There are several sections in SOX compliance however section 404 “Management Assessment of Internal Controls” is directly applicable to most information security professionals. Section 404 is one of the most complicated, most contested, and most expensive to implement of all the Sarbanes Oxley Act. Most of the times, COSO and COBIT are used as an implementation standard for SOX 404 along with internal controls defined by management. Security risk and compliance teams rarely merge or map Section 404 with other security frameworks in use.
Framework # 11: Payment Card Industry – Data Security Standard (PCI-DSS)
PCI-DSS is one of the most popular security standards in the world. Most security professionals have worked with this standard in some shape or form through their career. It is managed, owned and administered by Visa, MasterCard, American Express, Discover and JBC through the Payment Card Industry Security Standards Council. The most interesting fact about this standard is that it is actually completely voluntary non-legislative standard enforced through the business versus a regulator. PCI-DSS is considered a form of industry self-governance that actually aids in reduction of legal enforcement.
Framework # 12: Control Objectives for Information and Related Technologies (COBIT)
COBIT is a well-known IT governance framework with wide scope of concerns including security. It is one of the leading frameworks in the industry for aligning business with IT planning. COBIT alone though can seem too high level and broad so it is often supplemented with several frameworks underneath it to help CIOs manage IT strategy across their enterprise. COBIT is often used by large publicly traded firms and is normally recommended by large public accounting firms as a go to framework for IT Management.
Framework # 13 Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO is a collaborative initiative by 5 organizations and is considered a broad and sweeping framework that goes far beyond cybersecurity but focuses more in internal controls in many areas. COSO also introduces a methodology to implement Enterprise Risk Management (ERM). Cybersecurity is quickly being aligned underneath risk management. “Enter prise Risk Management — Integrated Framework addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.” One of these evolving needs is properly managing cyber risk. CISOs today may find themselves attempting to implement cybersecurity within a COSO framework. Like COBIT, COSO provides breath but leaves the depth to the implementer and experts.
Framework # 14 Security Controls Framework (SCF)
SCF framework provides free cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry, or country of origin. The SCF has been deigned to empower organizations to design, implement, and manage both cybersecurity and privacy principles. SCF is designed for a modern security program. It has 32 domains and approximately 750 controls that are categorized within those domains. Some of the common domains covered in SCF include security and governance, asset management, business continuity and disaster recovery, capacity and performance planning, change management, cloud technology, cloud security, compliance, mobile device management, network security, configuration management, privacy, among others. Through these domains, companies can design, build, and maintain secure processes, systems and applications. SCF use should be viewed as a long-term tool to help ensure security and privacy principles are properly designed and implemented.
Framework # 15 NERC CIP
The North American Electric Reliability Corporation (NERC) Critical infrastructure protection (CIP) is a set of requirements designed to secure the assets required for operating the North America’s bulk electric system. NERC CIP contains 9 standards and 45 requirements designed to enhance the security of electronic parameters and the protection of critical cyber assets. Moreover, the framework focuses on personnel and training, disaster recovery planning, and security management. Other domains under NERC CIP include electronic security parameters, physical security of critical cyber assets, and incident reporting and response planning. Overall, CIP program coordinates efforts such as standards development, compliance enforcement, assessment of risk and preparedness, the dissemination of critical information and raised awareness on crucial security issues. Under NERC CIP, organizations are required to identify critical assets and to regularly perform a risk analysis on the assets. Moreover, firms should define policies for monitoring and changing the configuration of critical assets. Other requirements for the framework involve the use of firewalls for blocking vulnerable ports, as well as the implementation of cyber attack monitoring solutions. Organizations are also recommended to enforce IT controls for protecting access to crucial cyber assets.
Framework # 16 DFARS Clause 252.204-7012/ NIST 800-171
DFARS Clause 252.204-7012 requires contractors and subcontractors to provide adequate security to safeguard covered defense information residing on or transiting through a contractor’s internal information system or network. Additionally, a contractor is required to report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support. This also involves submitting malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center. Covered defense information in this framework refers to unclassified controlled technical information (CTI) or other information as described in the CUI registry that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations and government-wide policies. The information includes Federal contract information, controlled unclassified information, and covered defense information.
Under DFARS Clause 252.204-7012, the contractor is also required to implement the NIST SP 800-171 for all contracts awarded. NIST SP 800-171 details the security requirements to protect confidentiality of Federal Contract Information, CDI, or CUI on non-Federal information systems. The requirements mainly focus on policy, processes, and configuring IT securely, but a number of controls may require security-related software or hardware.
Framework # 17 ISO 27000 Series
ISO 27000 series is developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a globally recognized framework for best practice information security management. This family of information security standards helps organizations to keep their information assets secure. The pillar of the ISO 27000 series is the ISO/IEC 27001:2013, commonly referred to as ISO 27001. It sets out the requirements that can be utilized to audit information security management systems (ISMS). ISO 27001 provides a reliable framework that helps organizations protect their information through effective technology, testing and auditing practices, staff awareness programs, and improved organizational processes. Nevertheless, ISO 27001 is not the only crucial standard in the ISO 27000 series. There other important ones that can also be utilized to achieve additional guidance and support. For instance, ISO 27002 provides best practice guidance on applying the controls recommended in ISO 27001 Annex A. ISO 27005 provides guidance on conducting an information security risk assessment, while ISO 27032 is a general guidance on cybersecurity best practice.
Framework # 18 CIS Critical Security Controls
The Critical Security Controls (CIS) provide a highly practical and useful framework for every organization to use for both implementation and assessment. The framework is effective and authoritative considering that the controls are developed by the community and based on actual threat data. The controls are also industry-based and vendor-neutral. The basic controls provided by CIS include inventory and control of hardware assets, continuous vulnerability management, inventory control of software assets, controlled use of administrative privileges, maintenance, monitoring and analysis of logs, and secure configuration of hardware and software on mobile devices, laptops, workstations, and servers. Others include emails web browser protections, malware defenses, data recovery capabilities, boundary defense, limitation of control of network ports, protocols and services, data protection, wireless access control, and secure configuration for network devices, such as routers, switches, and firewalls. These controls provide a set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous cyber-attacks. As mentioned, the controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. They are handy in a world where the bad guys seem to be better organized and collaborate more effectively than the good guys.
Framework # 19 Australian Signals Directorate (ASD) Essential 8
Organizations are recommended to implement eight essential mitigation strategies as a baseline that makes it difficult for adversaries to compromise systems. Implementing the Essential Eight pro-actively can be more cost-effective in terms of time, money, and effort than having to respond to a large-scale cybersecurity incident, especially now when no single mitigation strategy is guaranteed to prevent cybersecurity incidents. ASD claims that when implemented effectively, the Essential Eight mitigates 85% of targeted cyber-attacks. The controls of the framework include application whitelisting, patch applications, patch operating systems, restricting admin privileges, disabling untrusted Microsoft Office macros, user application hardening, multi-factor authentication, and daily backups of important data. Overall, these controls feature mitigation strategies to prevent malware deliver and detection, mitigation strategies to limit the extent of cybersecurity incidents, and mitigation strategies to recover data and system availability.
Framework # 20 DISA STIGS
The Defense Information Systems Agency (DISA) is the entity in charge of maintaining the security posture of the Department of Defense (DoD) IT infrastructure. DISA develops Security Technical Implementation Guides (STIGs) that focus on policy requirements for security programs and best practices for information assurance (IA)-enabled applications. Overall, the guides are deployed to make application more secure. All DoD IT assets must meet STIG compliance before they can be allowed to operate on DoD networks and systems. Continuous audits using automated tools are routinely conducted and reported back to DISA Field Security Operations (FSO) to assess security compliance and posture. STIG is developed for numerous packages for operating systems, database applications, network devices, open source software, wireless devices, and virtual software among others. Other requirements in STIG programs include people training and recommendations on running security checks and updates. It is important to note that failure to stay in compliance with the guidelines issues by DISA can result in an organization being denied access to DoD networks.
Framework # 21 CIS Benchmarks
CIS Benchmarks includes 100 plus configuration guidelines developed by a global community of cybersecurity experts with an aim of safeguarding systems against today’s evolving cyber threats. Through an independent consensus process, CIS Benchmarks offers frameworks to helps organizations enhance their security through the adoption of a defense-in-depth model that can be used to prevent and detect malware. The controls recommended in the CIS Benchmarks are a collaboration of the Consensus Community and the CIS SecureSuite members, which is a class of CIS members with access to additional sets of tools and resources. It is important to note that the Consensus Community is made up of experts in the field of IT security who use their knowledge and experience to assist the global internet community. On the other hand, the CIS SecureSuite members are made up of several different types of companies ranging in size.
Framework # 22 ISO 15048
ISO/IEC 15048 establishes the general concepts and principles of IT security evaluation and specifies a universal model of evaluation. The framework provides guidelines for the specification of Security Targets (ST) and gives a description of the organization of components throughout the model. ISO 15408, also known as the Common Criteria, was developed to facilitate consistent evaluations of security product and systems. It is an internal effort to define and IT Security evaluation methodology that can receive mutual recognition between customers and vendors globally. Following recommendations given by the framework can help advance the state of security by encouraging different parties to write Protection Profiles outlining their needs. If users profile desired capabilities that are not currently available, it is expected that vendors will attempt to take up the challenge by introducing the missing capabilities. Overall, this guide encourages the development of systems with enhanced IT security functions. ISO 15048 therefore offers assurance based upon an active evaluation of an IT product that is to be trusted. The Common Criteria framework can effectively be utilized by organizations to show that their products specs, the implementation, and security evaluations have all been done in a repeatable and systematic way. Even though the guide does not guarantee security, it minimizes the risk of developing and distributing vulnerable IT products.
Framework # 23 IEC 62443
IEC 62443 Industrial Network and System Security standards are multi-industry standards listing cybersecurity methods and techniques for industrial control systems that have in the recent past experienced an exponential increase in cyberattacks. IEC 62443 offers guidelines for users and equipment vendors to improve the safety, availability, integrity, and confidentiality of components or systems used in industrial automation and control. The standard is evolving to become key in the industry through defining secure development lifecycle (SDL) requirements related to cybersecurity for products intended for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described in the elements of the standard. The guide features security requirement definition, secure design, secure implementation, coding guidelines, verification and validation, defect management, patch management, and product end-of-life. The requirements can effectively be applied to new or existing processes for developing, maintaining, and retiring hardware, firmware, or software. Therefore, IEC 62443 effectively applies to the developer and maintainer of a product.
Framework # 24 GLBA
The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999 is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customer’s sensitive data, inform customers of their right to opt out of they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan developed by the institution. The GLBA is enforced by the Federal Trade Commission (FTC). The federal banking agencies, and other federal regulatory authorities and state insurance oversight agencies. Becoming GLBA compliant reduces the risk of reputational damage or penalties for organizations. The federal law also offers several security and privacy benefits for safeguarding customers. For instance, GLBA requires institutions to prevent unauthorized access to private information, notify owners of information in case the institution shares data with third parties and give the ability of a customer to opt out of the information sharing plan. Moreover, the law requires financial institutions to track user activity, including any attempts to access protected records.
Framework # 25 23 NYCRR 500
The 23 NYCRR 500 regulation was rolled out by the State of New York requiring financial institutions to implement a detailed framework to improve protection of consumer data privacy. The New York State Department of Financial Services has created this regulation to ensure the safety of the institutions on behalf of customers. The regulation acknowledges the ever-growing threat posed to financial systems by cybercriminals, and is designed to ensure businesses effectively protect customers’ confidential information from cyberattacks. 23 NYCRR 500 requires the entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates the discovered risks. Some of the recommendations provided include conducting regular security risk assessments, keeping audit trails of IT asset use, developing defensive infrastructure, maintaining policies and procedures for cybersecurity, and creating an incident response plan. Ultimately, the framework helps organizations prepare for compliance with other data privacy regulations and offers a reactive approach focused on reasonable care and breach response.
The regulation applies to all covered entities meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, or accreditation under the Banking Law, the Insurance Law or the Financial Services Law.” Violations of 23 NYCRR 500 can incur fines of $250,000 or one percent of total banking assets.
Framework # 26 FDA 21 CFR Part 11
21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES). Entities covered under this regulation include medical device manufacturers, biotech companies, drug makers, biologics developers, CROs, and other FDA-regulated industries. The parties are required to implement controls, such as audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain. 21 CFR Part 11 provides requirements for using secure data that can offer a high level of confidence as would be the case with traditional paper records. Electronic signatures require that both operators and supervisors can electronically identify themselves in such a way as to be equivalent to the handwritten signatures. The rule further allows the use of biometrics such as fingerprints for identification.
Framework # 27 ITIL
ITIL is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. The guide describes processes, procedures, tasks, and checklists that are not organization or technology specific. Instead, the practices are applied by entities to establish integration with the organization’s strategy, delivering value and maintaining a level of competency. ITIL is one of the most widely-adopted frameworks for service management and it can excellently help businesses manage risks, strengthen customer relations, establish cost-effective practices, and build a stable IT environment that can easily change, grow, and scale. Additionally, the library of volumes describing the framework for best practices for delivering IT services has undergone numerous revisions in its history. Currently, ITIL is composed of five books covering diverse processes and stages of the IT service lifecycle. The framework’s credibility and utility have been recognized. In fact, ITIL’s practices have in the past contributed to and aligned with the ISO/IEC 20000 Service management standard, the first international standard for IT services management.
ITIL 4 released in 2019 maintains the same focus on automating processes, improving service management, and integrating the IT department into the business. The new version further features updates of the framework that accommodates modern technology, software, and tools. Overall, ITIL has helped in the integration of IT department into the business to create an agile, collaborative, and flexible working environment.
Framework # 28 SAP JSIG
In December 2013, the DoD Special Access Program Central Office (SAPCO) issued a mandate requiring the DoD Special Access Program (SAP) Community to transition to the Risk Management Framework (RMF) and to use the Joint SAP Implementation Guide (JSIG), which provides essential guidance to implementing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls within the DoD SAP Community. Security Risk Management is an essential management function for protecting a DoD SAP element’s ability to perform its mission, not just protect its information assets. Policy and legislation mandate specific minimum security requirements to protect mission, information, and IT assets. Unique mission and technology requirements may drive additional security requirements. Computer systems and networks are constantly under attack, putting missions at risk. Within the DoD SAP Community, balancing security of an IS with the need to accomplish the mission is a critical task. The goal of this transformative effort is to achieve greater interoperability and trust across the DoD SAP Community and with the Intelligence Community (IC). Any systems or applications within the DoD or in Defense in general has to adhere to the NIST RMF and 800-53 security and privacy controls.
Framework # 29 ICD 503
In 2008, the Director of National Intelligence signed IC Directive 503, “Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation.” ICD 503 replaced DCID 6/3, and is today the relevant guidance for the risk management and certification of information systems across the Intelligence Community (IC). This standard specifically requires the IC to use NIST or CNSS standards for security certification assessment and testing. CNSS Policy No. 22, “Policy on Information Assurance Risk Management for National Security Systems,” specifically points to FISMA for security audit controls, reinforcing the move to a NIST/FIPS based approach to information security across the IC.
Framework # 30 Sherwood Applied Business Security Architecture
SABSA is a proven framework and methodology for enterprise security architecture and service management. It is used for developing business-driven, risk and opportunity focused Security Architectures at both enterprise and solutions level to effectively support business objectives. SABSA is widely utilized for Information Assurance Architectures, Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT architecture methods and frameworks. The framework is used to meet diverse enterprise needs, such as risk management, information assurance, governance, and continuity management. In fact, SABSA has evolved since 1995 to become a popular approach in approximately 50 countries and in various sectors, such as banking, nuclear management, information services, communications technology, government, and manufacturing. SABSA methodology ensures that an enterprise’s needs are met and that security services are designed, implemented, delivered, and supported as an integral part of a business and IT management infrastructure. The framework contains a series of integrated frameworks, methods, models, and processes that can be used either independently or holistically in an enterprise. Some of them include Business Requirements Engineering Framework (commonly known as Attributes Profiling), Risk and Opportunity Management Framework, Policy Architecture Framework, Security Services-Oriented Architecture Framework, Governance Framework, Security Domain Framework, and Through-life Security Service Management and Performance Management Framework. SABSA is effectively governed by The SABSA Institute that ensures that SABSA intellectual property can never be sold, SABSA will always remain vendor neutral, SABSA will be free-use in perpetuity, and it will have an ongoing development to meet the needs of business.