When the time comes for a business to implement a cybersecurity compliance framework, it is essential to consider your business sector and what data you need to protect. When dealing with payment cards, it will be PCI-DSS, the health industry will be HIPAA, and so forth. But what if none of those apply to your business? This blog will look at some NIST Frameworks and their applications for commercial Companies.
Why do I need a Compliance framework?
A standardized framework will help your organization identify priorities. Having a Framework can also assist in budgeting and getting funding for the Cyber Security initiatives. Rather than starting from scratch in developing a robust cyber security environment and identifying the steps to take, businesses are better off using a well-known and proven Framework. Regarding Frameworks, businesses do not need to reinvent the wheel. Having a framework takes the guesswork on how and what companies need to implement to have a resilient Cybersecurity posture. The benefits of security frameworks are numerous, like the continuous protection of business and customer data, recognition of security implementation efforts, improved customer and partner trust, identification of security and compliance gaps, and a clear structure to establish and implement a resilient security plan.
How do I choose a framework?
There are a variety of frameworks available for businesses to implement, all available online. To choose a framework, a company needs to know what they want the outcome to be. Are you starting this journey from scratch? Do you want to improve and strengthen the current program, or do you have a mature program and want to dot the I’s? The most detailed framework is the National Institute of Standards and Technology, NIST 800-53, but it’s inconvenient. NIST SP 800-53 is a large document with over 450 pages of text. For many young companies, this framework is overwhelming.
Instead, the NIST Cybersecurity Framework (CSF) is a more implementation-friendly standard. It is functional and classifies risk through 5 phases of the NIST Lifecycle: Identify, Protect, Detect, Respond, and Recover. NIST CSF is customizable, allowing the organization to determine best how to meet each outcome.
DO NOT REINVENT THE WHEEL
Other popular frameworks are COBIT, SANS Top 20, and the ISO 27001 Information Security Management framework.
Frank Kim, previous CISO for the SANS institute, classifies frameworks into three categories.
These include a complete set of network and workstation controls. Control frameworks create a baseline and basic strategy to reduce risk. It prioritizes control implementations and performs a gap analysis. NIST 800-53B is a Control Framework.
A program framework is at a higher level than a control framework. It helps set up and manage an overall security program. Program frameworks promote security program audits. It builds a security program appropriate for the organization and associated compliance requirements. This framework creates metrics to check for expected outcomes and streamlines communications between the security team and management. ISO 27001 is an example of a Program Framework.
Managing security is managing risk. Risk frameworks help establish policies, guidelines, and procedures for assessing and managing cybersecurity risk and encompass a risk management program that defines risk assessment and management steps. NIST SP 800-30 is an example.
Suppose you need help deciding which framework to choose. In that case, you are better off talking to a security professional like Servadus, who can look at your business processes and advise which framework will suit you best.
National Institute of Standards and Technology Frameworks
The decision to implement a NIST framework is a relatively easy one. NIST Frameworks are free to download and are backed by an experienced team of developers from the U.S. Department of Commerce. The most common NIST Frameworks in Cybersecurity are NIST SP 800-53, NIST SP 800-171, NIST SP 800-172, and the NIST CSF.
NIST SP 800-53
The NIST SP 800-53 Framework contains over 900 requirements and is the “heaviest” or largest cybersecurity framework a company can implement. This Framework is comprised of 20 control families more than 1,000 controls. NIST SP 800-53 works together with NIST SP 800-37. NIST SP 800-37 provides the framework to assess and manage risk, while the NIST SP 800-53 provides the necessary controls to control these risks.
The NIST SP 800-53 is popular in federal agencies and organizations that operate or maintain federal information systems, as well as any company seeking to comply with the Federal Information Security Management Act (FISMA). Non-federal companies seeking a comprehensive security implementation solution can also implement this framework.
NIST SP 800-171
NIST SP 800-171 is based on the NIST SP 800-53 Framework and contains 14 requirement families and 110 requirements. NIST SP 800-171 specifies how defense contractors and subcontractors handle controlled, unclassified information or CUI. This includes personal data, intellectual property, equipment specifications, logistical plans, and confidential federal defense-related information.
Contractors must develop a system security plan (SSP) and associated Plan of Action to meet the NIST SP 800-171 requirements. The SSP must clearly define how the company meets the 110 controls. If any controls are unmet, the company must create a Plan of Action and Milestones (POA&M) for that control. A POA&M outlines the organization’s steps to meet that control and the deadlines for those actions. POA&Ms can only be used for a limited number of NIST 800-171 controls and must be closed within 180 days.
Complying with NIST SP 800-171 is critical to meeting the CMMC standard. Compliance with CMMC level 2 is based on meeting NIST 800-171; thus, achieving NIST 800-171 compliance is the best way to ensure a company is ready to pass CMMC.
Though NIST SP 800-171 is adopted within the Department of Defense and its contractors, it is a helpful Framework that can easily be implemented within other organizations.
NIST SP 800-172
NIST SP 800-172 is a supplement publication to NIST SP 800-171 and does not function independently. It strengthened supply chain resilience against sophisticated cybersecurity attacks or APTs. Advanced Persistent Threat (APT) is defined in the NIST SP 800-172 publication as an adversary with the resources and expertise to attack systems through different attack vectors.
NIST SP 800-172 contains a series of 35 enhanced security controls in 14 requirement families to safeguard high-risk unclassified information on non-federal systems. NIST SP 800-172 controls are usually selected as applicable, and only those controls are implemented in the organization’s security program. Compliance with CMMC level 3 is based on meeting NIST 800-172 enhanced security controls.
The NIST CSF (CyberSecurity Framework) for Small Business is a collection of suggestions-based guidelines, standards, and best practices that enterprise companies use to minimize cybersecurity risks. The NIST CSF is widely recognized and considered a gold standard for building a solid cybersecurity program or improving an existing one. NIST CSF is not a one-size-fits-all guidance. Different sectors can customize the framework to address specific risks, needs, and situations within the organization.
The framework is aimed at small businesses or less-regulated entities. It is designed to be cost-effective and is available as a PDF, spreadsheet, and reference tool.
There are five levels: Identity, Protect, Detect, and Respond, and 21 categories. There are also four tiers of maturity, tier 1 being the lowest. NIST CSF is easily combined with PCI DSS, HIPAA, and Sarbanes-Oxley regulations.
International Organization for Standardization (ISO) Frameworks
ISO (International Organization for Standardization) is an independent, non-governmental international organization. ISO is comprised of members that represent their country as part of ISO. Each country can only have one member. The ISO 27000 group is geared towards cyber security.
This standard is part of the ISO 27000 series, containing the implementation requirements for an (information security management system) ISMS. ISO 27001: 2013 is the only standard in the series that organizations can be audited and certified against. It contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards. It follows a systematic approach to implementing information security. ISO 27001 can be adopted by businesses of any size operating in any business sector. ISO 27001 has 93 controls divided into four sections.
Other standards within the ISO 27000 series complement the ISO 27001 standard. ISO 27002 provides guidelines for the implementation of controls listed in ISO 27001. It is helpful because it gives details on how to implement these controls. ISO 27004 provides guidelines on how to measure information security objectives. ISO 27005 provides guidelines for information security risk management and details how to perform risk assessments and treatments.
YOU ARE NOT LOST
Smaller organizations can get by with a single carefully selected framework. However, larger organizations might need multiple frameworks to manage information resources comprehensively. This is a careful process dependent on understanding the organization’s needs and how best to achieve a reasonable and appropriate security program. When a company does not see the trees in the forest of frameworks, the cost-effective solution is to team up with a cybersecurity consulting firm. Not all who wander are lost; that being said, if you are roaming and lost within the framework realm, Servadus can help guide you in the right direction.
Learn more about the Servadus Consulting services or Book with our time.
You can obtain copies of the NIST Publications at nist.gov.