Several years ago, former National Security Agency Director Fred Chang described a simple and foolproof approach for ensuring computer security: “Turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.”
Of course, that won’t work very well for all of us who actually need to use computers, networks, applications and data to run our businesses and do our jobs. We need a more practical approach for dealing with daily threats of ransomware, denial of service attacks and data breaches.
IT security frameworks support a realistic solution. They create the structure for designing, implementing and maintaining a secure IT environment. Based on industry best practices, frameworks help organizations establish a methodical and repeatable approach for managing cyber risk and reducing vulnerabilities.
There are hundreds of different security frameworks used globally. Although they may have been developed for different audiences, they have some shared aims that make them appropriate for many different industries. At a basic level, they establish a structured approach for identifying vulnerabilities, detecting threats, assessing risk, controlling access and recovering from any attack.
Some of the more widely used frameworks include:
One of the great benefits of following a framework is that it allows you to define and prioritize cybersecurity initiatives instead of continually reacting to the latest threat. Security tools can generate an overwhelming volume of alerts, and IT teams need a logical way to determine which ones require immediate attention.
According to a recent Pulse survey, 86 percent of IT security executives say they primarily rely on third-party vulnerability severity data to prioritize vulnerabilities. That’s not always a reliable approach, however. An unpatched collaboration application might be a critical vulnerability for some companies but a minor inconvenience for others.
Frameworks establish a well-defined risk evaluation process to help ensure your remediation efforts and investments are directed toward the most significant threats for your organization. For example, the NIST framework suggests organizations develop a risk register — a centralized database for identifying and prioritizing cyber risks. Vulnerabilities are ranked by risk potential, noting how they might be exploited and the potential damage that might result. This removes the guesswork from deciding which vulnerabilities require fast action.
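As an added illustration of the risk-register idea (this is example code, not from the original article or from NIST), here is a small Python scoring model that ranks the same third-party findings differently for two constructed organizations. The finding labels, the two organizations, the weights and the 0-10 severity scale are all assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed label, not a real CVE identifier
    asset: str
    severity: float          # third-party severity, 0.0-10.0 (CVSS-style scale assumed)
    exploited_in_wild: bool  # public exploitation reported?

@dataclass(frozen=True)
class AssetContext:
    criticality: int         # 1 (nice to have) .. 5 (business stops without it)
    data_sensitivity: int    # 1 (public) .. 5 (regulated data or secrets)
    internet_exposed: bool

def likelihood(f: Finding, ctx: AssetContext) -> float:
    """0.0-1.0 chance of exploitation: severity adjusted for exploit availability and exposure."""
    score = f.severity / 10.0
    if f.exploited_in_wild:
        score = min(1.0, score + 0.2)  # weights here are assumptions chosen for illustration
    if not ctx.internet_exposed:
        score *= 0.5                   # an attacker first needs a foothold inside the network
    return round(score, 3)

def impact(ctx: AssetContext) -> float:
    """0.0-1.0 damage if exploited: the worse of availability loss and data loss."""
    return max(ctx.criticality, ctx.data_sensitivity) / 5.0

def risk_score(f: Finding, ctx: AssetContext) -> float:
    """Register entry score on a 0-100 scale: likelihood x impact."""
    return round(likelihood(f, ctx) * impact(ctx) * 100, 1)

def build_register(findings, contexts):
    """Return [(vuln_id, asset, risk_score)] sorted highest risk first."""
    rows = [(f.vuln_id, f.asset, risk_score(f, contexts[f.asset])) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed findings: the same three third-party results both organizations receive.
FINDINGS = [
    Finding("VULN-A", "collab-app", 9.8, True),   # the "unpatched collaboration application"
    Finding("VULN-B", "payroll-db", 7.5, False),
    Finding("VULN-C", "wiki", 5.0, False),
]
# Constructed contexts: a remote-first company that lives in its collaboration app,
# and an on-site company that barely uses it. Everything else is identical.
REMOTE_FIRST = {"collab-app": AssetContext(5, 3, True),
                "payroll-db": AssetContext(4, 5, False), "wiki": AssetContext(2, 2, True)}
ON_SITE = {"collab-app": AssetContext(1, 1, False),
           "payroll-db": AssetContext(4, 5, False), "wiki": AssetContext(2, 2, True)}
```

Calling build_register(FINDINGS, REMOTE_FIRST) puts the collaboration-app finding at the top of the register, while build_register(FINDINGS, ON_SITE) puts the same finding last, even though its third-party severity is the highest of the three.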
Cybersecurity has never been more difficult, but shovels and cement aren’t the answer. IT security frameworks provide a valuable guidebook for building and maintaining a robust security environment. Our cybersecurity team can help you evaluate all of the major frameworks and develop a strategy for minimizing your risk.