Security Control Assessments have become critical tools for organizations due to the growing number of destructive cyberattacks across the world. Increasingly, organizations need to strengthen their defenses against data breaches, cybercrime, and fraud to ensure even the most basic security posture. Frameworks such as NIST, CIS/SANS 20 or ISO 27001 have separated themselves as the best practice frameworks for organizations to assess their current IT security maturity and set goals to improve the procedures that they use to protect sensitive data, perform change management, and provide access to critical assets.
Unfortunately, implementing security controls using even the simplest security control framework can be daunting. CISOs or Security Directors don’t know where to start even with the most basic of security control self-assessments. The sheer volume of individual controls within many of the cybersecurity control frameworks makes implementing the framework time-consuming, confusing and, in many cases, causes IT security staff to lose focus on protecting the critical areas of the business.
We’ve gathered today’s most common security control frameworks down below to simplify the complex world of compliance for you, and help you improve your security maturity and overall defense posture.
NIST Special Publication 800-53, Revision 5
The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-53 as part of the Special Publication 800-series as a catalog of 20 security and privacy control groups. It outlines controls for federal information systems and organizations in the United States to satisfy privacy and security requirements in the Privacy Act of 1974, the Federal Information Security Modernization Act (FISMA), OMB Policies, etc.
The so-called security and privacy control families outlined by NIST 800-53 are flexible, customizable and can be implemented by organizations as part of their overall risk management strategy. The controls cover areas such as access control, security awareness training, formal risk assessments, incident response or continuous monitoring to support organizational risk management.
Currently, Special Publication 800-53 is undergoing its fifth revision Security and Privacy Controls for Information Systems and Organizations (exact title to be confirmed). Initially, NIST Special Publication 800-53 (Revision 5) was scheduled to be released on March 28, 2017, which has been delayed until December 2017.
According to NIST, “Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives”. The objectives of this draft publication are:
- to provide both public and private organizations with guidance and safeguarding measures to make information systems more resistant to cyberattacks,
- to protect the confidentiality, integrity, and availability of the organizations’ information system,
- to limit their negative impact when cyberattacks occur,
- to make these information systems more survivable and resilient in general, etc.
CIS Critical Security Controls
Developed by the SANS™ Institute, “the CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks”. There are 20 controls in total, spanning priority areas such as secure hardware and software configurations, malware defenses, data recovery, account monitoring and control, incident response and management, penetration tests and Red Team exercises.
Unlike more comprehensive control frameworks such as the NIST Cybersecurity Framework or PCI DSS, the 20 Critical Security Controls were developed to provide organizations with a smaller, prioritized number of actionable controls that should be implemented first to yield immediate results. Rather than implementing dozens of controls, this prioritized approach will help organizations focus on what’s important first to establish a baseline for protection and cyber defense.
Want to learn more about the CIS Critical Security Controls? The SANS™ Institute has put together a handy-dandy “Critical Security Controls Poster” that you can bookmark or pin on your wall for quick reference.
ISO 27001
Developed by the International Standards Organization (ISO), the ISO 27001 standard provides organizations with requirements for how to manage and secure their sensitive corporate information with a so-called Information Security Management System (ISMS). Its latest revision was published in 2013, and the full name of the standard is now ISO/IEC 27001:2013. The ISMS is a risk management framework which helps identify, analyze and address an organization’s information risks to protect against cyberthreats and data breaches, similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series).
Unlike NIST 800-171, which is specific to federal agencies in the U.S., or PCI DSS, which is specific to organizations processing credit card payments, the ISO 27001 standard applies to all types organizations, public or private, profit or non-profit, regardless of their size or industry. It is based on a six-step planning process that involves collaboration between several different departments within an organization:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
In Summary
If you’re not sure about which security compliance framework applies to your organization, keep in mind that all of them are designed for different purposes, industries or geographies:
- NIST Special Publication 800-53, Revision 5 proposes a catalog of 20 different privacy and security control groups to help U.S. federal agencies and organizations better manage their risk.
- The 20 CIS Critical Security Controls are independent of industry type and geography and provide a priority-based and rather technical approach for immediate, high-impact results.
- The ISO 27001 standard is a less technical, more risk management-based approach that provides best practice recommendations for companies of all types and sizes in six defined phases.
- The PCI DSS compliance standard outlines 12 best-practice data security regulations for organizations that process and store payment card details.
No matter which security compliant framework your organization is subject to, a dedicated compliance program can help your organization manage its risks, improve your security posture and demonstrate commitment to quality and continuous improvement.
