Chapter 6
Standards and Frameworks for Cybersecurity

Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin, Germany; William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong

As Tom scrambled to put together his board presentation, he had three very practical concerns: First, how to get up to speed quickly, and avoid reinventing the wheel—or just parts of a wheel? Secondly, how to make sure nothing essential was overlooked, so that the wheel (reused or new) kept on turning in the right direction and at the right speed? And third, how to communicate such an elusive topic at the right level of detail, or aggregation, to his target audience—in this case, his supervisory board?

Putting Cybersecurity Standards and Frameworks in Context

There are a multitude of cybersecurity standards in existence today, developed by various bodies to address specific needs, and the list continues to grow; it is therefore important for an enterprise to identify those that bring the most value to the organization’s agenda. More importantly, aligning to the “right” standards helps facilitate sharing and transparency on the most recent cyber attacks within the industry and beyond the internal enterprise.

Diversity as a Blessing and Curse

According to Merriam-Webster’s Dictionary, a framework is “the basic structure of something.” That underlying something can be fairly diverse—for instance, ideas, concepts, guidelines, rules, checklists, requirements, facts, or physical parts. And, in this context, diversity may be a blessing and a curse.

There are a large number of cybersecurity and information technology (IT) risk management frameworks out there. These are issued by technology vendors, professional services firms, public institutions, nonprofit organizations, and public-private partnerships—and all provide a different focus. The types of standards and frameworks include:

  • Local, regional, and global frameworks.
  • Generic and industry-specific frameworks.
  • Value-focused and threat-focused frameworks.
  • Very technical frameworks, which are of most use to those concerned with the technical aspects of cybersecurity.
  • Governance and organizational frameworks.
  • Product assurance, process assurance, and environment assurance frameworks.
  • Compliance-focused frameworks useful for interactions with regulators.
  • High-level maturity frameworks, which tell you where you stand but not necessarily what to do about it.
  • Collections of best practices aimed to cover the basics or more.
  • Controls-focused frameworks, which can be of tremendous use to auditors, as they tend to be built around the inputs or ingredients that good security would typically need.
  • Capability-focused frameworks, aiming more at outcomes of what good security would typically accomplish, which makes them very powerful but also harder to use for assessments.
  • Information-sharing frameworks focused on exchange and collaboration of cybersecurity-related information (e.g., threats, breaches, mitigation measures, best practices).
  • Specialized cybersecurity frameworks and holistic frameworks aiming to cover also other security domains like information security, IT security (in general or, for instance, network or end-point security in particular), physical security, people security (be that of key executives, their assistants, systems administrators with elevated access privileges, or contractors), or even security of cyber-physical systems touching on safety, health, and environmental protection.

Obviously, all of these types of frameworks have their merits. Frameworks are a tool chest to structure thinking about, and acting on, security in a given context, and a given set of objectives.

No “Best” Cybersecurity Standard

Standards can augment frameworks. Again turning to Merriam-Webster’s for a definition, we see that a standard is “a level of quality, achievement, etc., that is considered acceptable or desirable […] established by authority, custom, or general consent as a model or example.” Standards play a related role, whereby they formalize cybersecurity and serve as guiderails for it. There is a similar breadth of standards as there is of frameworks.

This variety exists for a reason. As new technologies and delivery mechanisms develop, the body of standards and frameworks will continue to accommodate change and expand in order to address fields such as digital, Internet of Things, Big Data, or simply the cloud. So there is no “best” cybersecurity standard or framework. But there are already many good tools for the job at hand—and less appropriate ones.

First Steps

So where was CEO Tom to start?

Before selecting a cybersecurity framework to use, or a standard to follow, a first but important step is to clarify the organization’s objectives or purpose regarding risks and issues that it is attempting to address or mitigate against.

The objectives may range from very operational tasks at hand (e.g., configuration of employee computers) to daily governance issues (e.g., design of an information security policy) and board-level responsibilities (e.g., ensuring that the executive team provides risk oversight for cybersecurity). Other purposes may include:

  • To establish a common language and taxonomy allowing technical people, organization people, and risk managers to start communicating around cybersecurity.
  • To provide transparency by assessing the current state of cybersecurity against a yard stick accepted by and understandable to the intended target audience (which, in turn, may be any group of people, from technical experts to board members, from customers to regulators).
  • To provide a guideline for action against known gaps, threats, or identified areas for development.
  • To ensure and demonstrate compliance with relevant regulation or laws, enable an organization to compete on security, or to establish security beyond compliance.
  • To normalize cyber-related risk, allowing it to be treated and included in enterprise risk management like any other risk to an organization.

The organization context can be regulated (as, for example, financial services, health care, food and beverage industries, and critical national infrastructure) or nonregulated with respect to cybersecurity requirements. Or it can be at global scale or confined to particular geographies. Or the organization may be running in a “business-as-usual” state or face an exceptional situation (e.g., about to launch a new—possibly digital—product, to execute a corporate transaction like a merger or a carve-out, to bid for an especially large deal). Or the organization may even be facing an emergency (such as having learned that its own security or that of an essential partner in its supply chain has been breached and compromised).

Tailoring a Choice of Frameworks

Since there are many frameworks and standards available, and they typically are largely compatible at the core but differentiated at the fringes, organizations often benefit from an informed combination of several frameworks to best match their particular need and tailored to their objectives, context, and risk profile. The exception to this rule, of course, is if one or the other is required by regulation or particular key customers. For multinationals operating in several jurisdictions, using more than one framework, or complying with more than one standard, may not even be a choice but a must.

So out of the plethora of cybersecurity frameworks and standards, which ones should Tom consider at a minimum? Here, we list a selection of some of the most commonly used frameworks.

Commonly Used Frameworks and Standards (a Selection)

The following frameworks and standards are considered to outline globally accepted best practices.

ISO/IEC 27000 Family

This framework series, sometimes also referred to as ISO 27k, covers a very broad series of topics, such as providing general vocabulary (ISO 27000), outlining requirements for an information security management program (ISO 27001), giving a code of practice for information security management (ISO 27002) or a description of information security risk management (ISO 27005), providing guidance on fairly technical topics like network security (ISO 27033) or application security (ISO 27034), and implementation guidance for particular industries, like, for instance, information security management in health using ISO/IEC 27002 (ISO 27799). This is just a small selection; the framework is in active development, and several more standards are in preparation, for instance, to address security in supplier relationships or to provide guidance on analysis and investigation around digital evidence.

The framework is often considered the information security equivalent of ISO 9000, and also provides a certification. Parts of it (like ISO 27005) are also informed by, and can be seen as a specialized addition to, ISO 31000, which provides a family of standards relating to risk management.

Obviously, such broad and deep coverage demands a premium of shelf real estate—it is by far the largest set of standards in this overview. Among all of the standards comprising the ISO 27k family, ISO 27001 would be the best point for Tom to start—all the more since at some point he could decide to get certified against this standard.

The organization describes itself as follows:

The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes to implement and operate an ISMS … and specifically, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.1,2

  • Author/Issuer: International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), Geneva, Switzerland.
  • Extent: The whole standard family has over 1,500 pages and parts of it were last updated in 2016; the particular ISO 27001 standard comes on 23 pages and was last updated in 2013.
  • Region/Type: Global, international standard.
  • Industry: All types of organizations and industries.
  • Primary audience: Information security, risk, and IT functions.

COBIT 5 for Information Security

COBIT is a comprehensive IT governance and risk management framework especially suited for organizations accustomed to external auditing. It comprises, among other things, process descriptions, implementation guidelines, and extensive descriptions of goals, controls, and related metrics, and even Responsible-Accountable-Consulted-Informed (RACI) matrix suggestions for IT governance. Several of the processes it documents deal with or touch on information security topics, such as “Evaluate, Direct, and Monitor (EDM) #03: Ensure Risk Optimization,” “Align, Plan, and Organize (APO) #013: Manage Security,” or “Deliver, Service, and Support (DSS) #05: Manage Security Services,” and a version placing an information security “lens” over the framework was published separately as “COBIT 5 for Information Security.” Since it provides a comprehensive set of controls, it lends itself well to auditing, and it is very often used by firms to achieve compliance with the Sarbanes-Oxley rules.

The organization describes itself as follows:

COBIT 5 is the overarching organization and management framework for governance and management of enterprise IT. COBIT 5 for Information Security provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats.3

  • Author/Issuer: ISACA (previously known as Information Systems Audit and Control Association but now going by its acronym only to reflect the broad range of professionals it serves), United States.
  • Extent: The most current version, COBIT 5, as well as the lens for information security, was published in 2012, each comprising some 220 pages.
  • Region/Type: Global quasi-standard.
  • Industry: All, especially common in financial services and industries where regulatory compliance is highly important.
  • Primary audience: All stakeholders, especially information security, risk, and IT functions.

NIST Computer/Cybersecurity Frameworks

NIST uses three Special Publications (SP) subseries to publish guidelines, recommendations, and reference materials related to cybersecurity, computer security, and information security: Series SP800: “Computer Security,” Series SP500: “Computer Systems Technology,” and Series SP1800: “NIST Cyber Security Practice Guide.” SP800 currently appears to be the center of gravity of NIST’s security work and can be seen as a repository covering a large body of topics, such as protection of controlled unclassified information (SP800-171), fairly technical things like Secure Virtual Network Configuration for Virtual Machine (VM) Protection (SP800-125B) or a Guide to Industrial Control Systems (ICS) Security (SP800-82r2), and also an Information Security Handbook/Guide for Managers (SP800-100), or a description of Security and Privacy Controls for Federal Information Systems and Organizations (SP800-53r4). The latter comprises an extensive catalog of controls for security and for the implementation of an information security program, and is used, for instance, by U.S. government agencies to comply with the requirements of the Federal Information Processing Standard (FIPS) 200.

SP500 tends to be even more technical and these days is focused less on security as such; a Cloud Computing Security Reference Architecture guide (SP500-299), started in 2013, is still in draft. SP1800, finally, has since its inception in 2015 already produced several draft documents, for instance on Securing Electronic Health Records on Mobile Devices (SP1800-1) or IT Asset Management in Financial Services (SP1800-5).

In addition to these, NIST also created and continues to develop a Cyber Security Framework aimed at improving critical infrastructure cybersecurity, with guidelines to assess current capabilities and prioritize improvements. So, depending on the industry Tom’s organization is active in, he would find a rich repository of materials to structure his cybersecurity program and focus on security beyond compliance; but to create a plan that can be audited, SP800-53r4 would be a good starting point.

The organization describes itself as follows:

SP800 is NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials, while SP1800, created to “complement the SP800s; targets specific cybersecurity challenges in the public and private sectors, practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity,” and SP500 was used “prior to the SP800 subseries for computer security publications.” The special “Framework for Improving Critical Infrastructure Cybersecurity” was “created through collaboration between industry and government, the NIST Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”4,5

  • Author/Issuer: U.S. National Institute of Standards and Technology (NIST), United States.
  • Extent: Several thousands of pages across the repository. For instance, the Guide for Managers (SP800-100) was last updated in 2007 and spans about 180 pages; the “Security and Privacy Controls for Federal Information Systems and Organizations” in its most recent 2015 update (SP800-53r4) takes about 460 pages, and the cybersecurity framework was last updated in 2014 (with a scheduled update in 2016) and comprises about 40 pages.
  • Region/Type: U.S. national standard but used globally by practitioners.
  • Industry: Often applied or even mandated in a U.S. government context, but applicable to, and used in, all industries.
  • Primary audience: Information security, risk, and IT functions, also managers and auditors.

ISF Standard of Good Practice for Information Security

Authored by an international member organization, this framework covers security governance, security requirements, controls, and monitoring/improvement, and addresses risk from people, processes, and technology. It is broader and more prescriptive than ISO, and aims to also enable compliance with ISO 27001/2, COBIT 5 for Information Security, and the SANS Top 20 Critical Controls, and to help comply with the UK Cyber Essentials Scheme and the U.S. NIST Cyber Security Framework. The framework is accompanied by a set of tools and benchmark offerings for ISF members.

The organization describes itself as follows:

The ISF Standard of Good Practice for Information Security (the Standard) is the most comprehensive information security standard in the world, providing more coverage of topics than ISO. It covers the complete spectrum of information security arrangements that need to be made to keep the organization risks associated with information systems within acceptable limits, and presents good practice in practical, clear statements.6

  • Author/Issuer: Information Security Forum (ISF), United Kingdom.
  • Extent: About 300 pages (2011 version) and was last updated in 2014.
  • Region/Type: Global quasi-standard with member chapters in several regions of the world.
  • Industry: Large organizations from the public and private sector.
  • Primary audience: Information security, risk, and IT audit functions, organization and IT managers.

SANS Top 20

The SANS Top 20 CIS Critical Security Controls deliberately do not form a complete framework, but rather are a widely adopted list of the top 20 specific and actionable cyber defense controls, based on the NIST framework and on regularly updated industry intelligence on attack patterns and vulnerabilities. In its most recent version, this top 20 list addresses topics such as inventory of devices and software, malware defense, secure configuration, wireless access control, incident response and management, and penetration testing.

While these top 20 controls don’t provide metrics for measuring success, they are broadly accepted as a good starting point for organizations aiming to establish foundational cyber hygiene or embarking on the quest of building a cybersecurity capability, and as an additional checklist for security professionals. Given the tight deadline, for our CEO Tom they would be an excellent first step towards his supervisory board meeting, allowing him to structure and communicate his intent.

The organization describes itself as follows:

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work—NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation’s top forensics and incident response organizations—to answer the question, “what do we need to do to stop known attacks.”7

  • Author/Issuer: The SANS Institute (registered as The Escal Institute of Advanced Technologies, Inc.)/Center For Internet Security, United States.
  • Extent: 94 pages, last updated in 2016.
  • Region/Type: Global quasi standard.
  • Industry: All.
  • Primary audience: Information security, risk, and IT functions.

IT Capability Maturity Framework—Information Security Management (IT-CMF:ISM)

This framework is developed and maintained by practitioners and academics from a large consortium of member companies across all industries, and it aims to become the gold standard for the management of IT value and IT-enabled innovation. The framework is designed around 35 IT capabilities and associated capability building blocks rather than around processes or specific controls. In addition to the capability building blocks, it also provides a maturity assessment methodology, benchmarks, and practices, outcomes, and metrics (POMs). Information security management is treated as one such IT capability, and the framework is informed by many of the existing information security frameworks and standards. Its purpose is not to replace them but rather to unlock organizations’ investment in them by moving beyond controls to an organization-value-focused approach to measuring and optimizing information security maturity.

The organization describes itself as follows:

The IT-CMF provides a concise management roadmap to optimize organization value derived from IT investments. The Information Security Management module includes a comprehensive maturity profile, assessment method, and improvement roadmap, each expressed in business language that can be used to guide discussions on setting goals and evaluating performance. The module helps organizations build a competent and effective organization capability to manage IT security, protect business value and business success and demonstrate effective security for stakeholders and regulators.8

  • Author/Issuer: Innovation Value Institute (IVI), Ireland.
  • Extent: Ten pages plus extensive accompanying materials, last updated in 2014.
  • Region/Type: Global, capability framework.
  • Industry: Any.
  • Primary audience: Information Security and IT management functions.

Payment Card Industry (PCI) Data Security Standard (PCI-DSS)

A de facto standard for the protection of credit card account data, widely adopted in financial services and retail. This standard addresses six objectives (from “Build and Maintain a Secure Network and Systems” to “Maintain an Information Security Policy”) by means of 12 actionable key requirements, and combines them with testing procedures, guidelines, and best practices. It is positioned by its authors as a minimum set of requirements for the protection of cardholder data, which may be enhanced by additional controls; its specific focus on protection of cardholder data alone makes it very actionable. Compliance with PCI-DSS is mandated by law in some countries for payments processing industries and systems, and in any case most, if not all, credit and payment card issuers require their merchants and service providers to comply with the PCI DSS. So if Tom’s company were to process any card data, chances are he would already have someone in his organization familiar with the standard.

The organization describes itself as follows:

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).9

  • Author/Issuer: Payment Card Industry (PCI) Security Standards Council, United States.
  • Extent: In its current version 3.2, it comprises about 140 pages and was last updated in 2016.
  • Region/Type: Global industry standard.
  • Industry: Financial services, retail, and other card data processing industries of any size.
  • Primary audience: Information security and IT functions.

World Economic Forum Cyber Risk Framework (WEF-CRF)

This framework provides a holistic, high-level approach to addressing and calculating the risk posed by cyber attacks. Looking at value at risk, potential attacker profiles, and organizational maturity, it allows an understanding of cyber risks and response readiness, and provides recommendations and a roadmap for collaborative action against cyber threats. In a pending framework aimed specifically at boards, the Forum is also looking at cyber risk from a supervisory board perspective, with the aim of normalizing cyber risk.

The organization describes itself as follows:

The Forum approaches the issue from a leadership and governance perspective and outlines a “cyber value-at-risk” framework that seeks to unify all dimensions of cyber threats and encourages organizations to create robust cyber risk models. This should help increase confidence regarding decisions to invest, distribute, offload and/or retain cyber risks.10

  • Author/Issuer: The World Economic Forum, Geneva, Switzerland.
  • Extent: Twenty pages plus supporting reports, last updated in 2015.
  • Region/Type: Global framework.
  • Industry: Any.
  • Primary audience: Information security, risk, and IT functions.

European Union Agency for Network and Information Security (ENISA)

The European Union Agency for Network and Information Security (ENISA) appears to be currently focusing on topics related to critical infrastructure protection and the national cybersecurity strategies of its member states, while also paying attention to the cybersecurity needs of small and medium-sized enterprises (SMEs), which form the backbone of many economies.

To that end, ENISA has issued, and keeps issuing, a number of publications such as the “Evaluation Framework on National Cyber Security Strategies” (12/2014) or a study on “Information Security and Privacy Standards for SMEs” (12/2015). ENISA is apparently not set on contributing to the proliferation of security frameworks with another one of its own making, but instead is advocating the use of existing frameworks like the ones mentioned above.

The organization describes itself as follows:

“Securing Europe’s Information Society”: The mission of ENISA is to contribute to securing Europe’s information society by raising “awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organizations in the Union.”

ENISA’s strategic objectives are derived from the ENISA regulation, inputs from the Member States and relevant communities, including the private sector.11

  • Author/Issuer: European Union Agency for Network and Information Security, Greece.
  • Extent: Several specific publications available from the ENISA web site.
  • Region/Type: European Union.
  • Industry: Government agencies, national critical infrastructure, SMEs.
  • Primary audience: Information security, risk, and IT functions.

Constraints on Standards and Frameworks

These are but a selection of the most important frameworks and standards. Although there are more and different ones—created for different purposes, industries, audiences, or specific regions—it is key to remember that all of these can have their merit if employed as a tool for the right purpose.

Likewise, it is important to keep in mind that risk methods and frameworks may be affected by some constraints and fundamental limitations. For example, there are the limits of a “reductionist approach,” a lack of variety, the limits of a “fixed-state” approach, a lack of feedback and control, the danger of losing risk signals in the “security noise,” and assumed determinability. These are nicely summarized in an article by the UK Communications Electronics Security Group (CESG), the information security arm of GCHQ.12

Good Practice Consistently Applied

But in the end, real security comes from first deciding together within the organization on the appropriate security strategy and its overall objectives (compliance versus security beyond compliance, partnering versus competing on security, etc.), and then adopting an appropriate framework. Usually, any framework needs to be adapted somewhat to the situation at hand and enriched with practices as needed, or augmented with relevant elements from other frameworks. Indeed, many companies follow such an approach. A next step would be to run a risk assessment, then to build a road map for implementation of a cybersecurity/cyber risk management system and to establish the required capabilities to keep all of this functioning, monitored, and up to date. Obviously, it is prudent to prioritize and close obvious or already previously identified gaps quickly, rather than waiting for the end of a more comprehensive cybersecurity transformation project.

Good practice, consistently applied, still beats sporadic pockets of best practice. But even then, regardless of the particular framework selected, the consistent pursuit of cybersecurity comes at a cost and will need skilled internal resources, assigned roles, responsibilities that are not only documented but also accepted, support from outside assessors, and so on. These requirements should be taken into account when selecting a framework, to ensure that its application will be economically feasible and sustainable for the organization.

Given the time at hand, Tom, our hypothetical CEO, would probably be well advised to first run an IT-CMF:ISM assessment or any other enterprise-wide focused cybersecurity health check, explore the SANS Top 20 and then take a step back for a more informed pick among the other, more comprehensive frameworks. With a bit more time, Tom would also be well advised to familiarize himself with the upcoming Cyber Resilience Guidelines for Boards the World Economic Forum is currently developing—because this may well be what the board members who requested his presentation will use to gauge his preparedness.

Conclusion

The following cyber risk management statement represents the organizational capabilities a CEO and board expect to be demonstrated in terms of cyber risk standards and frameworks.

Notes

About Boston Consulting Group (BCG)

The Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy and transformation. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest-value opportunities, address their most critical challenges, and transform their enterprises. Our customized approach combines deep insight into the dynamics of companies and markets with close collaboration at all levels of the client organization. This ensures that our clients achieve sustainable competitive advantage, build more capable organizations, and secure lasting results. Founded in 1963, BCG is a private company with 85 offices in 48 countries. For more information, please visit bcg.com.

About William Yin

William is a senior partner and managing director of the Boston Consulting Group. He is the leader of BCG’s Technology Advantage practice for Greater China and leader of BCG’s Cyber Security and IT Risk Management practice in Asia-Pacific. He is based in BCG’s Hong Kong office.

About Dr. Stefan A. Deutscher

Stefan is a principal at the Boston Consulting Group and BCG’s global topic leader for Cyber Security and IT Risk Management. He is based in BCG’s Berlin office.
