Cybersecurity Foundations – Frameworks and Policy
OR Did You Read the Instructions?
Cybersecurity, or security of any kind, is a vast and sometimes complicated orchestra of different technologies, departments, budgets, people, and policies. To someone unfamiliar, it can be similar to standing at the base of Mount Everest with a secure environment at the summit. How can you possibly get there?
This entry focuses on the most fundamental aspects of any IT department, Frameworks, and Policy. You may have heard or read about them. You may recognize a few of the names. Every CIO and Director of IT should have some form of both. If not, it should be the very first thing you do…after reading this post!
What are Frameworks? – A framework is exactly what it sounds like. It is the underlying structure on which everything else in IT is built, much like the steel framing of a skyscraper. There are many different frameworks available, such as COBIT, ISO27001, CIS, and NIST 800. They are guidelines that help companies understand the needs of IT from a security standpoint by addressing “outcomes” and “methodologies.”
What are Frameworks Not? – Frameworks are not templates or rules. They do not specify how cybersecurity is implemented or which best practices to use; they address the why. They do not recommend vendors, tasks, or processes. Instead, they create a way of thinking about cybersecurity in an environment.
How Does It Work? – Frameworks ask stakeholders and data owners to assess the risks to their data, systems, privacy, and people. Once it is understood how important these items are, the framework then goes into the methodology of what should be done to protect them. For instance, NIST (National Institute of Standards and Technology – https://www.nist.gov) identifies five (5) Functions to manage risk. They are Identify, Protect, Detect, Respond, and Recover.
Do I Need to Pick One and Stick With It? – Unless you are looking to certify to a specific one, you can mix and match, remove parts, or add others to match exactly what your organization needs. Fluidity is the best part of a framework! Keep in mind that most frameworks are derived from the NIST guidelines, so make NIST your first stop.
Do I Need Framework Certification? – It depends. Some organizations will pay for testing and certification if it is required by customers and partners, or if they want to provide assurance that they are following the framework. Following any framework at all is more than most companies do. The Cybersecurity Maturity Model Certification (CMMC) framework, being THE definitive guide for certification for US/DoD and FedRAMP access, is a great way for any business to get started being cyber-clean regardless. (https://www.acq.osd.mil/cmmc/)
How Does a Framework Drive Policy? – The best and worst thing about frameworks is that they give you a ton of policies to consider. ISO27001 lists 25 policies you should have. Of course, some policies will be much more detailed than others. Your Clear Desk and Clear Screen Policy may be a paragraph, whereas your Asset Management Policy could be a book.
Policy Is The Cornerstone – Policy is the single most important risk mitigation a company has. Policy dictates what the rules for IT usage and process are, as agreed to by management. This policy is, in turn, presented to vendors, employees, contractors, partners, and anyone else that interacts with the company’s IT data, systems, people, or locations. The most important aspect of policy is acceptance. Everyone is required to read, understand, and accept the rules of IT for the company. When everyone knows the rules, claiming ignorance is no longer a valid legal defense.
What Policies Should Every Company Have? – This will differ by company, but of the 25 listed by ISO27001, the most important are the Risk Management, Access Control, Acceptable Use, and Business Continuity Policies. These will be discussed in depth in a later post. Policy does not prevent breaches and data loss, but it does drive the specific actions taken to detect, mitigate, and recover from incidents.
Where Do I Start? – The most important first step for Framework and Policy is a Risk Assessment as part of a Business Impact Analysis (BIA). The Risk Assessment requires input from everyone in the company to fully understand the value of IT. It determines what is important, how much it would cost if it were lost and had to be recovered or recreated, how likely the incidents that cause such loss are, and from that derives how much to spend to protect it. Far too many businesses don’t know all the applications and services that are operating on their networks – do you? The BIA builds that knowledge, and policy should be driven from there.
You may not find a Framework that perfectly fits your organization. Very few do unless driven to meet compliance. However, you should identify with one or two frameworks as guidance. CMMC Level 1 and Level 2 compliance goals go a long way to reaching excellent cyber cleanliness. Every network on the planet should be CMMC Level 1 compliant by default. We will discuss how to get to CMMC Level 1 in a later post. As your organization grows, the frameworks remind you of policies you may not have needed before.
Congratulations! You are on your way up the mountain to a secure IT environment!