Since there is an alphabet soup of cybersecurity frameworks that can be daunting to maneuver, Tom Allen (Technical Lead of Foresite’s Governance Risk and Compliance team) put together some short notes to help you navigate the landscape.
NIST – NIST stands for the National Institute of Standards and Technology. NIST was founded in 1901 as a non-regulatory body within the US Department of Commerce.
NIST publishes special publications (SPs) that direct federal agencies in how to securely manage their IT infrastructure. Of special note are the following:
SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) is an exhaustive set of 18 controls that govern IT. It is written specifically for federal government agencies, but the principles can be applied to private organizations.
SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) is a new standard for private companies with which the government shares information. It is not as exhaustive as 800-53, but it cross-references 800-53 in many places. It goes into effect Dec 31, 2017, and has 14 families of controls.
SP 800-66 (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule), as the name states, is the framework for organizations that fall under HIPAA. It covers only the Security Rule, not the Privacy Rule. The Security Rule relates only to electronic information and operationalizes the protections contained in the Privacy Rule.
NIST CSF (Cybersecurity Framework) is a collaboration between government and the private sector to promote the protection of critical infrastructure. It consists of 5 logical categories and 97 subcategories.
There are other SPs that go into detail on specific topics such as firewalls and incident response. NIST SPs are available for free download.
ISO – The International Standards Organization (ISO) is an international body of 161 members, and its standards are the framework of choice for companies that do business internationally. ISO started in 1945 when delegates from 25 countries met in an attempt to unify standards. It is well known for its quality control standard, ISO 9001.
ISO 27001 was developed to allow managers to monitor and control their systems. Therefore, while many people look to it for cybersecurity, it is important to note that it is a management system first.
ISO 27001 has 114 controls in 14 control groups. In order to be certified, a company must go through an audit by a certified registrar. These audits require the verification of records to prove that the management system is effective, in use, and known to all.
COBIT – Control Objectives for Information and Related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) as a framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues, and business risks.
COBIT is currently at version 5 and can be purchased from the ISACA web site. Previous versions can be downloaded free of charge after registration. COBIT is one of the most commonly used frameworks for demonstrating compliance with Sarbanes-Oxley.
SSAE-16 – Statement on Standards for Attestation Engagements (SSAE) 16 is largely an American standard, but it mirrors ISAE 3402. SSAE 16 has two different kinds of reports: a SOC 1 Type 1 report is an independent snapshot of the organization’s control landscape on a given day, whilst a SOC 1 Type 2 report adds a historical element, showing that controls were managed over time. SOC 1 reports are primarily focused on internal controls over financial reporting, whereas SOC 2 reports are focused on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
SSAE-16 SOC 2 utilizes a control set called the Trust Services Principles, which has seven privacy principles and four non-privacy principles. The actual audit must be administered by a member of the AICPA (American Institute of CPAs). One of the most common applications of SSAE-16 is the validation of a data center’s controls or a hosted service platform. A huge risk for a client of these types of organizations is that if the company poorly manages its finances and suddenly goes out of business, the client is left without the service and possibly without its data.
There are numerous other frameworks and management approaches we did not touch on, but hopefully this overview at least provides a basic understanding of the common frameworks. We can help if you need assistance determining which framework is the best fit for your own cybersecurity program.