The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running identity and access management (IAM), data loss prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance.

One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business.

Common Security Frameworks

To better understand security frameworks, let’s take a look at some of the most common and how they are constructed.

NIST SP 800-53

First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federal information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices.

COBIT

The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX). With the latest revision, COBIT has evolved to address best practices for aligning information technology functions and processes, and linking them to business strategy.

ISO 27000 Series

International Organization of Standardization (ISO) 27000 is a set of broad standards covering an array of privacy, confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC). These standards are designed to help organizations address their risks with appropriate controls.

The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry.

CISQ

The Consortium for IT Software Quality (CISQ) developed standards for automating the measurement of software size and structural quality. These standards, which are based on exploits identified by the SANS Institute, the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE), are commonly used to manage risks such as application security.

Building a Hybrid Security Framework

Organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Typically, hybrid models consist of cherry-picked controls from other standards that are driven by industry compliance requirements. For example, the Health Information Trust Alliance (HITRUST) framework and ISO 27799 are both used in the healthcare sector. The Cloud Security Alliance’s Cloud Control Matrix (CCM) is another hybrid framework commonly used in cloud computing.

Many frameworks have redundant characteristics, enabling security teams to map certain controls to satisfy compliance with an array of regulatory standards. An organization could, for instance, use a combination of ISO 27001, NIST 800-53 and COBIT, selecting the controls that best help it meet its business objectives.

Other hybrid examples include:

  • The Federal Risk and Authorization Management Program (FedRAMP);
  • The Health Insurance Portability and Accountability Act (HIPAA);
  • The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) plan;
  • The Payment Card Industry Data Security Standard (PCI DSS);
  • The American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC);
  • The Center for Internet Security (CIS) Top 20 Critical Security Controls; and
  • The FBI’s Criminal Justice Information Services Division (CJIS).

The Road Ahead

There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons. Organizations vary in their complexity and maturity, from small, niche industries to global conglomerates and governments. For this reason, it’s important to research the available security frameworks and balance the benefits and drawbacks of each approach.

A hybrid framework can help organizations meet their unique business objectives and compliance requirements. This approach enables flexibility and ensures continued functionality as the technology and threat landscapes shift. Organizations with more basic needs might opt to become certified in an individual standard such as ISO 27000 or PCI DSS.

Whichever framework or combination of frameworks your organization selects, a comprehensive strategy to defend against potential threats while keeping data secure is more crucial than ever.

More from Risk Management

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why consumer drones represent a special cybersecurity risk

3 min read - Cybersecurity staff at an East Coast financial services company last summer detected unusual activity on its internal Atlassian Confluence page originating inside the company’s network. The MAC address used locally belonged to an employee known to be currently using the same MAC address remotely, according to a security specialist named Greg Linares, who had secondhand information about the attack. So, the team used a Fluke AirCheck Wi-Fi Tester device to identify the device logged in, which led the team to…