Which Security Framework is right for you?
by Brian Gray

Like just about everything in security, not all solutions are equal, nor are they right for every organization. The image above rates each framework from weakest to strongest, so keep that ordering in mind as you read on.

So how does one select a security framework? And what does the choice mean for your security program and, ultimately, your security posture? As mentioned in my previous article, “Understanding Risk through BIA & Risk Assessment Processes,” you should already have a handle on your risk appetite and tolerances. The caveat is that determining them is done through a combination of processes, including a risk assessment.

However, assessments are not framework-agnostic. An assessment must be aligned to a framework so that it can quantify risk, identify the gaps that need controls, and still allow the organization to meet its business objectives. The following are questions to keep in mind as you select a framework to build your security program around and the right third-party assessor to perform your assessment.

5 questions to ask yourself before selecting a framework and a third-party assessor:

What are the framework's implementation tiers or groups and its baselines (low, moderate or high), and must I define Minimum Compliance Requirements (MCR) or Discretionary Security Requirements (DSR)?

  • NIST CSF has four implementation tiers (Partial, Risk Informed, Repeatable and Adaptive). Building a profile from your goals and objectives will help you select the implementation tier that is right for you.
  • CIS says this about its Implementation Groups: “IG1 is defined as ‘essential cyber hygiene,’ the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks.” IG2 builds upon IG1, and IG3 contains all controls and safeguards.
  • NIST 800-53 defines baselines as “Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest. See privacy control baseline or security control baseline.”

Do I plan on obtaining military or government contracts?

  • This will further narrow the applicable framework and the level of controls to implement. NIST 800-171 (the basis of CMMC), NIST 800-53 (Moderate or High baseline), FedRAMP or SCF may be the best options.

Are you in a critical infrastructure sector?

  • This may further dictate which controls are acceptable.
  • The Cybersecurity & Infrastructure Security Agency (CISA) explains: “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure.”

Is my industry subject to regulations such as PCI DSS, HIPAA, GLBA or GDPR, or to certification programs such as HITRUST?

Will I, now or in the future, fall under any of the items listed above?

  • It is best to plan for the most restrictive framework you expect to face, even if that means initially accepting a lower level of controls and maturing toward the target.
