Managing and Assessing Compliance to Cyber Security Standards and Frameworks

How do you ensure your organisation is flexible and responsive to cyber attacks? 

Have you put strategies in place to ensure that you are not only protecting against cyber attacks but also reducing your exposure to risks and learning from incidents, whether they be intentional or unintentional?   

Do you have checks and measures in place to ensure continuous reporting of your cyber resilience?

How do you ensure continual improvement in this rapidly changing and evolving area?

Our last article discussed the set of cyber security mitigation strategies known as the Essential Eight.  In this article we’ll take you through other security standards and frameworks that can be managed and assessed using Service Improvement Manager (SIM).

Which standard or framework to choose?

It really depends on each individual organisation as to which standard or framework to follow: it may be a combination!  Assessing against a best practice framework or standard will provide you with a comprehensive basis to start from or to compare yourself against.

SIM’s Information and Cyber Security library bundle contains all the questions / controls required to assess compliance to the following standards and frameworks:

ISO/IEC 27001: 

This standard defines the audit requirements for implementing an Information Security Management System, and for obtaining independently verified certification if required.  ISO/IEC 27002 contains additional detail, to help establish controls and build a comprehensive IT security program. Certification of ISO/IEC 27001 is usually sought if there is a direct requirement to meet certain business or contractual requirements and is complementary to other standards such as ISO/IEC 20000 for Service Management.

PCI:

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

NIST Cyber Security Framework (CSF):

The National Institute of Standards and Technology is a US agency for industry standardisation and measurements.  Its Cyber Security Framework provides guidance for organisations to effectively manage and reduce their cyber security risk, using common language to make it easy for people to implement no matter their level of experience. The guidelines provide a clear and consistent approach, making the CSF an excellent choice for organisations that are new to Cyber Security and considering which standard or framework to use. NIST CSF includes 5 functions which act as the backbone for creating a successful Cyber Security Strategy.  They are Identify, Protect, Detect, Respond, and Recover.

CIS-20: 

The Center for Internet Security Critical Security Controls for Effective Cyber Defense was initially developed by the SANS Institute, a private US organisation specialising in Cyber and Information Security, and is now owned by the Center for Internet Security (CIS). It contains 20 key actions which, if implemented, serve to block or mitigate known attacks.  Like NIST, they provide a common-language set of actions that are easily understood by IT personnel.

The Essential Eight:

Developed by the Australian Cyber Security Centre (ACSC), the Essential Eight focuses attention on a set of mitigation strategies that should be implemented as a baseline to manage Cyber Security.  (Read more about the Essential Eight in our previous article.)

Other best practice libraries also provide additional guidance and may prove useful and/or complementary to those listed above.  These include COBIT and ITIL, among others, should an integrated framework approach be beneficial for your needs.

Do any of these standards fit together?

Many frameworks and standards have overlapping (common) controls and guidance.  Whilst there’s no “one-size-fits-all” model to suit every organisation, many consultants will often suggest starting with just one or two popular/recommended libraries that best align with your initial requirements, and then selecting the best of the complementary frameworks to help build and grow your capability over time.

An article called “Do you need to choose, to make the frame-work?”, published in the July 2019 issue of Australian Cyber Security Magazine and written by David Stafford-Gaffney, considers the benefits of using ISO/IEC 27001 or the NIST Cyber Security Framework (CSF). He discusses the merits of a hybrid approach:

“…maintaining your environment based on guidance from one or the other of these approaches will result in an improvement to your security posture.  However, when you raise the hood and gaze into the engine compartment, they complement each other perfectly.”

He goes on to say that

“together, CSF and ISO combine to provide effective reporting that all stakeholders can understand.  So, don’t think you have to choose one or the other, they are stronger together than the simple sum of their parts.”

Solisma’s Service Improvement Manager (SIM) solution helps you to effectively bring these standards and frameworks together. With SIM, you can quickly perform an initial gap assessment, comparing your existing practices against one or more frameworks and then begin building a roadmap that is aligned to your business requirements.  It is extremely important to align any security initiatives to business initiatives.  This means that attention will remain focused on applying industry best practices for cyber security as it becomes a competitive advantage and/or market differentiator.

Why use a tool?

“It is important that a CISO validate that the current security controls are functioning in the way they were intended. The key to limiting the impact on productivity in the security organisation is to utilise a governance, risk and compliance tool to provide automation and a baseline for comparison.”

https://searchsecurity.techtarget.com/feature/Fitting-cybersecurity-frameworks-into-your-security-strategy

Using a tool like SIM helps to extend the reach of Information Security to other areas of the organisation, and assigning ownership to those areas can help to improve overall compliance. Further, using SIM means that compliance is not simply a ‘comply once, then forget’ exercise.  Continual validation is important, particularly in the area of Information Security, as it is changing and evolving rapidly.

SIM provides the tools to complete a gap and risk analysis, but also enables users to automatically develop a prioritised roadmap to close those gaps, manage risks, identify and continually improve controls to remain compliant and protected, and report progress to the executive team. 

Ensure your organisation can effectively manage Information and Cyber Security…  get started today!
