As Virtual CISO and Security Trusted Advisor to many of our clients, we are often asked, “What framework would you use to perform a security assessment?” Since this question comes up so often, we wanted to provide a primer to help you select the right security assessment framework or standard. Keep in mind that there is no ‘one size fits all’ answer, and it is quite possible that you will need more than one framework to get a complete picture. The answer will also change over time as the nature of your business evolves, along with the business, regulatory, and risk landscapes.
Before we leap from the plane, here are some things to consider that change the ‘color’ of your security assessment parachute(s):
- What industry are we in, and are there industry standards/regulations/laws by which we must abide?
- What do our partners and customers expect of us (oftentimes found in partner/client questionnaires)?
- Are we trying to plant a stake in the ground to demonstrate our security posture?
- Are we trying to implement a security program for the first time and wondering where to start?
The Common Parachutes: Security Assessment Frameworks
Here is an overview of the frameworks that are most commonly used, along with our thoughts on them. While this is not an all-encompassing list, it covers a lot of ground and is a great place to start:
SOC2 (formerly known as SAS70 or SSAE16): This is a common ‘currency’ in the security assessment arena. Many organizations require that their partners undergo this audit, which is typically performed by a financial auditing entity. Oftentimes when the key decision-maker or influencer is from the financial arena (e.g. a CFO), this is the certification that they will commonly seek. While a SOC2 audit does not necessarily provide a strong measurement of security posture, it does provide an accurate read on the degree to which you abide by your own policies and procedures (or the degree to which you are successful in chasing your own tail). Prior to undergoing this audit, you will want to ensure that you have documented policies and procedures in place and effectively disseminated throughout your organization. A pre-assessment review of all relevant controls with a Trusted Advisor is often an effective precursor to a successful SOC2 assessment.
ISO27001: This standard is the cornerstone for many frameworks. While a relatively small percentage of organizations undergo a full-blown ISO27001/2 audit/accreditation, many security assessments and control frameworks are based on this standard. This type of assessment and certification is often pursued by international entities as a common currency when queried about the effectiveness of their program and operational procedures.
NIST: The National Institute of Standards and Technology (NIST) has created several frameworks to address the development of management, administrative, operational, technical, and physical standards for cost-effective security and privacy. The NIST 800-53 r4 framework is the most widely used of the NIST frameworks, as it provides a prescriptive framework for security controls. Basically, the framework is a set of controls grouped by specific action objective (Identify – Protect – Detect – Respond – Recover) that has generally been accepted as a comprehensive but easy-to-digest security to-do list. While the intended audience for this publication is the U.S. federal government, it has proven to be a go-to standard for organizations looking for a framework that is not industry-specific (e.g. not PCI or HIPAA).
PCI (Payment Card Industry): If your organization is involved in the storage, processing, or transmission of payment card data, you fall within the purview of the PCI Data Security Standard. The degree to which you must ‘prove’ your compliance varies depending on the number of credit card transactions you conduct. Organizations that conduct a relatively small number of cardholder transactions can fill out a PCI Self-Assessment Questionnaire (“SAQ”) and submit it to their acquiring bank, while merchants and Service Providers with high transaction volumes may require a Qualified Security Assessor (QSA) to perform the assessment. Being PCI compliant is binary – you either are compliant or you’re not. You must be 100% compliant to be compliant; anything less means that you are not compliant. The PCI standard is a prescriptive, well-established standard that continues to evolve to address current threats, and entities that are not compliant are subject to fines by the Card Brands.
HIPAA/HITECH: If you are a healthcare provider, or you provide services to a healthcare provider (i.e. you are a business associate) that involve the access, storage, or transmission of health information, you will be required to comply with the requirements of the HIPAA Security Rule and HITECH. Whereas other standards such as PCI are prescriptive, the HIPAA Security Rule is more descriptive. The HIPAA Security framework is generally a risk management framework that requires organizations to conduct a periodic security assessment and to have an associated risk management program. The security assessment program must address risks to the confidentiality, integrity, and availability of ALL ePHI, and organizations are required to implement “reasonable and appropriate” safeguards based on their assessment of risk. Because HIPAA is not prescriptive in methodology, it can align well with other security management frameworks such as ISO and COBIT.
HITRUST: Some entities in the healthcare industry that serve as third-party providers to large healthcare organizations must undergo a HITRUST audit. The HITRUST Common Security Framework is a prescriptive framework that includes maturity modeling while encompassing several other frameworks, including HIPAA/HITECH and ISO27001. All HITRUST audits are vetted by the HITRUST Alliance. Given that the overall security posture of the healthcare industry is immature as compared with other verticals, I find that HITRUST is overkill for most organizations in this space and that some of the large healthcare providers are strong-arming their partners into undergoing this audit.
COBIT: Control Objectives for Information and Related Technologies (COBIT) provides good practice across a domain and process framework, presenting activities in a manageable and logical structure. COBIT is focused more on control and IT process management and less on execution. IT process management is inherently complex and subjective and is best approached through facilitated, collaborative assessments that raise awareness and capture consensus. These assessments can be performed either against the maturity level descriptions as a whole or, with more rigor, against each of the individual statements within the descriptions. The COBIT framework is somewhat complex because it employs a maturity model approach, so it may not be the best fit for an organization undergoing its first security assessment. Alternatively, ISACA does offer a less-rigorous assessment framework for smaller organizations called OCTAVE Allegro.
CIS CSC Top 20: The Center for Internet Security Critical Security Controls Top 20 (CIS CSC Top 20) is a great framework for measuring your technical security posture. These controls are updated based on actual attacks and effective defenses, and they reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals) and various contributors (threat responders, analysts, technologists, solution providers, defenders, users, auditors, etc.) from many industry verticals working together to create, adopt, and support the controls. This helps ensure the effectiveness of the controls by providing a specific set of technical measures to detect, prevent, respond to, and mitigate damage from the most common attack vectors. Many organizations adopt the CIS controls as part of their overall system baseline and hardening strategy.
FedRAMP: The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that can save the time, staff, and money associated with conducting redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry. Cloud providers that are interested in winning government business may consider having a FedRAMP auditor certify their environment.
There are other regulations and frameworks, such as GLBA (Gramm-Leach-Bliley Act) and SOX (Sarbanes-Oxley), but they don’t necessarily need to be covered in this primer because most organizations that must undergo these audits are already pretty much in the know.
While it is challenging to determine which framework best aligns with your business model when you’re just starting out, it is even more challenging when your governance and compliance program must address several of these frameworks concurrently. Ideally, your program should scale to address every applicable framework at once, maximizing the overlap between them so that you can avoid the “Groundhog Day Effect” of performing one security assessment after another. You can help guarantee a soft landing if your security program is constructed to seamlessly address the framework that best aligns with your business.
Want to chat more about which security assessment is right for your organization? Feel free to reach out to me directly or comment below.
To learn more about Online Business Systems’ Risk, Security and Privacy practice click here.