INTERNATIONAL STANDARDS & FRAMEWORKS
Given the threats to an organisation's information, it is essential that both large and small organisations implement effective but workable controls, ensuring that their information is kept secure without hindering the ability of employees to do their jobs.
The first step for all organisations is to carry out comprehensive risk management for their information assets.
Synovum recommends use of either ISO/IEC 27005:2011 or NIST's SP800-30r1.
Following the initial risk assessment process, an organisation should implement a number of controls (logical/technical, physical, and administrative) to mitigate any identified risks, unless it has decided to either accept or avoid the risks previously identified.
The international standards and frameworks described below can, if implemented, provide some measure of confidence that the most common attack vectors have been mitigated to some extent.
ISO/IEC 27001:2013 is an internationally recognised information security management system (ISMS) standard. It can be used by any organisation, regardless of its size or what it does. The purpose of ISO/IEC 27001 is to help organisations establish and maintain an information security management system (ISMS).
An ISMS is a set of interrelated elements that organisations use to manage and control information security risks and to protect and preserve the confidentiality, integrity, and availability of information. These elements include all of the policies, procedures, processes, plans, practices, roles, responsibilities, resources, and structures that are used to manage security risks and to protect information.
An ISMS typically addresses employee behaviour and processes as well as data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company's culture.
ISO-27001 does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
In the United States, the National Institute of Standards and Technology (NIST) published SP 800-53 Revision 4 in April 2013 to reflect the evolving technology and threat space, including mobile, cloud computing and insider threats.
The publication provides a comprehensive set of security controls, three security control baselines (low, moderate, and high impact), and guidance for tailoring the appropriate baseline to specific needs according to the organisation's missions, environments of operation, and technologies used.
Whilst aimed mainly at organisations that are either part of or do business with the US government, this standard can also be used by organisations working exclusively in the private sector to provide a framework within which to implement security controls.
In February 2013, President Obama called for the development of a risk-based Cybersecurity Framework (CSF) to help organisations manage cybersecurity risk.
The CSF focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organisation's risk management processes. The CSF consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
When comparing SP 800-53 and the CSF, the latter provides high-level information and references ISO-27001 and SP 800-53 (in addition to COBIT5) for further details when it comes to implementing controls. It is therefore more suited to senior management than SP800-53 given its less 'technical' nature.
NIST 800-53 is a regulatory document, encompassing the processes and controls needed for a government-affiliated entity to comply with the FIPS 200 certification. In contrast, the Framework is voluntary for organisations and therefore allows more flexibility in its implementation.
It should also be noted that the CSF does not replace security standards like NIST 800-53 or ISO-27001, but is a starting point for organisations looking to improve their cyber security.
In 2008, the SANS organisation devised a list of 20 critical security controls (CIS-20), which prioritised the available security controls.
Used correctly, these controls can help stop most known attacks. This list of controls is still in use, albeit under the stewardship of the Center for Internet Security.
The first five controls focus on basic 'cyber-hygiene', so all organisations should look to implement these at the very least, irrespective of size.
Implementation of the remaining controls is very much dependent on the size, complexity and infrastructure of the organisation.
In terms of the relationship between the CIS-20 and NIST's CSF, the latter uses the former as a reference to assist those implementing the framework using an already existing methodology.
Implementation of the CIS-20 is often done in conjunction with the CIS Benchmarks, which provide guidelines for hardening specific operating systems, software applications and network devices. Details of the CIS Benchmarks are available from the Center for Internet Security.
Working with the above guidelines, frameworks and standards, Synovum can help your organisation to become 'cyber-secure' and protect your information assets through comprehensive review and implementation of the necessary controls. Please contact us for more information.
“He constantly provides outstanding results and is always looking to be proactive in achieving his aim.
Andy is an expert in his field.”
Eric McCann, EC Safety Solutions