By Bruce Forman, CISO, UMassMemorial Health Care
The implementation of a cyber security framework establishes a standard that allows for a structured approach to cyber security and a simplified, repeatable process for developing, managing, and maintaining the cyber security program. Standardizing on a framework allows an organization to be sure that all relevant categories of security are considered, and that strategy, direction, and status are clearly communicated to stakeholders. Many cyber security frameworks are available; while selecting one to standardize on and work with creates value for an organization, which particular one is selected is of lesser importance. This is because the categories and subcategories of each are similar and map neatly to one another. Some examples include:
- NIST CSF (National Institute of Standards and Technology Cyber Security Framework)
- ISO 27001/27002 (International Organization for Standardization)
- COSO/COBIT (The Committee of Sponsoring Organizations of the Treadway Commission / Control Objectives for IT)
Consider All Categories
Frameworks define categories that must be included as part of the program. The chosen framework, whether it be NIST, ISO, PCI, or COSO, is organized to create a structured, risk-based approach to establishing and maintaining a cyber security strategy. By leveraging a framework, an organization can be assured that all categories are at least considered. All the frameworks treat risk management and asset management as cornerstone components. Other categories, such as vulnerability management, network security, and physical security, are also identified. Basing a program on a framework gives an organization the comfort of stating that its program and strategy have at least considered all categories (or areas) that need to be addressed.
Develop Logical Documentation
With the possible exceptions of asset management (you can’t protect what you don’t know about) and risk management (scarce resources, time, and budget must be allocated to mitigating the greatest risks), cyber security documentation is probably the most difficult area to get “right.” A framework helps to define the specific policies that must be created. Policies are written at a high level, don’t change very often, and are standard across an organization. Policies define the “what”: the description of the category. Because of this, much of each policy statement is already defined by the framework and can be customized and edited for the organization. Policies reference processes. Processes define the “why”: why we are doing this and why we care about it. Processes build upon policies and establish an understanding of the importance of a particular direction. Processes reference detailed procedures. Procedures may change fairly often based on the underlying technology and changes to the organization. Procedures define the “how.” Within procedures, controls are identified. These controls provide the proof or validation that the procedures are being followed effectively.
Basing communication of the strategy and status on a framework provides consistency and predictability in delivery of the message. Each project or set of projects is associated with a category defined by the framework. For example, projects related to multi-factor authentication or identity and access management can be associated with the category “Access Management.” Similarly, program and project status reporting follow the same model and are associated with the selected framework’s categories.
Using a cyber security framework establishes the completeness of a cyber security program and a consistent model for managing and communicating the program. Success is demonstrated by effectively managing risk and communicating progress by category, based on the agreed-upon framework.