IT Focus Area: security
October 29, 2018
Benchmarking Posture with Cybersecurity Frameworks
As organizations expand their digital footprints, the attack surface grows, and the set of controls needed to address evolving threats grows with it. Consistently evaluating security controls has become critical to maintaining even a basic security posture. The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework, and the Center for Internet Security (CIS) Controls, formerly known as the SANS Top 20, have evolved into best-practice frameworks that organizations in any industry can use.
Together, the Cybersecurity Framework and CIS Controls help security teams assess current security controls and maturity, and set goals to improve the procedures that they use to protect sensitive data, perform change management, and provide access to critical assets.
The Cybersecurity Framework was developed in response to a February 2013 executive order (EO 13636) calling for a voluntary, risk-based cybersecurity framework, and version 1.0 was published in February 2014. It draws together existing standards, guidelines and practices to help organizations charged with providing America's financial, energy, healthcare and other critical systems better protect their information and physical assets from cyber attacks.
The framework documents a set of control objectives which can be read as a definition of cybersecurity, a term that has always been somewhat vague, and it started a national conversation about cybersecurity and the control measures necessary to improve it.
It contains guidance based on existing standards, guidelines, and practices, and provides a common language and systematic methodology for managing cybersecurity risk. The framework has three parts: the Core, the Implementation Tiers, and Profiles. The Core organizes activities into five Functions (Identify, Protect, Detect, Respond, Recover), each broken down into Categories and Subcategories that map to informative references such as the CIS Controls, COBIT, ISO/IEC 27001 and NIST SP 800-53. The Tiers describe how rigorously an organization manages cyber risk, and Profiles record the Current and Target state of its controls, so the gap between the two becomes the improvement roadmap. The framework is designed to augment, not replace, existing cybersecurity programs and risk management processes.
Version 1.1, released in April 2018, adds guidance on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and coordinated vulnerability disclosure.
The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs. —Secretary of Commerce Wilbur Ross
The CIS Controls are a more concise set of practices that outline what organizations should do first. CIS reports that implementing just the first five controls mitigates roughly 85 percent of the most common attacks; treat that figure as a published estimate rather than a guarantee for any particular environment. The controls are mapped to the Cybersecurity Framework's Subcategories (they are one of its informative references), are developed by practitioners based on first-hand experience in the security field, and are updated regularly to keep pace with the threat landscape.
Unlike the more comprehensive Cybersecurity Framework, the CIS Controls give organizations a smaller, prioritized set of controls (practices, not products) to implement first, with the goal of producing results quickly. This targeted approach removes the most commonly exploited weaknesses and establishes a solid baseline for cyber defense; the controls are, in essence, a technical on-ramp to the Cybersecurity Framework. The latest version, version 7 (released March 2018), groups the 20 controls into Basic (1-6), Foundational (7-16) and Organizational (17-20) tiers, puts a strong focus on automation and orchestration, emphasizes application whitelisting and multi-factor authentication (MFA), and restructures the sub-controls so that each contains just one ask.
Many organizations don't know where to start with security control self-assessments. A vendor-independent Security Program Assessment uses these frameworks to give you a high-level, strategic view of your existing capabilities to prevent, detect and respond to security incidents, and details the specific actions you can take to mature those capabilities and manage cybersecurity on a risk-based footing.