The National Institute of Standards and Technology created the NIST 800-53 publication to enable federal agencies to adopt effective cybersecurity practices. The framework focuses on information security requirements designed to help federal agencies secure information and information systems. In addition, NIST 800-53 gives governmental organizations the requirements they need to comply with FISMA (Federal Information Security Management Act). NIST 800-53 is unusual in that it contains more than 900 security requirements, making it among the most complicated frameworks for organizations to implement. The requirements recommended in the framework include controls for enhancing physical security, penetration testing, guidelines for implementing security assessments, and authorization policies and procedures, among others. NIST 800-53 is a useful framework for organizations maintaining federal information systems, companies whose systems interact with federal information systems, and institutions seeking FISMA compliance.
The NIST Cybersecurity Framework was developed in response to presidential Executive Order 13636. The executive order's purpose is to enhance the security of the country's critical infrastructure, protecting it from internal and external attacks. Although the framework was designed to secure critical infrastructure, private organizations also implement it to strengthen their cyber defenses. In particular, NIST CSF describes five functions for managing risks to data and information security: identify, protect, detect, respond, and recover.
The identify function guides organizations in recognizing security risks to asset management, the business environment, and IT governance through comprehensive risk assessment and management processes. The protect function defines security controls for protecting data and information systems; these include access control, training and awareness, data security, procedures for information protection, and maintaining protective technologies. The detect function provides guidelines for detecting security anomalies and for monitoring systems and networks to uncover security incidents, among others. The respond function includes recommendations for planning responses to security events, mitigation procedures, communication processes during a response, and activities for improving security resiliency. Lastly, the recover function provides guidelines that a company can use to recover from attacks.
The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk---that is, the risk to the organization or to individuals associated with the operation of a system. The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for a system---the security controls necessary to protect individuals and the operations and assets of the organization.
The NIST Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.
The ISO 27001/27002 cybersecurity frameworks consist of international standards that set out the requirements for managing information security management systems (ISMS). ISO 27001 follows a risk-based process that requires businesses to put in place measures for detecting security threats that affect their information systems. An organization should select appropriate controls that mitigate the identified security risks so that it remains protected from attacks. ISO 27001 advocates a total of 114 controls, which are grouped into 14 categories. Some of the categories include information security policies, containing two controls; organization of information security, with seven controls that detail the responsibilities for various tasks; and human resource security, with six controls for ensuring employees understand their responsibility in maintaining information security; among others.
FedRAMP (Federal Risk and Authorization Management Program) is a framework designed for government agencies. The framework provides standardized guidelines that enable federal agencies to evaluate cyber threats and risks to different infrastructure platforms, cloud-based services, and software solutions. Furthermore, the framework permits the reuse of existing security packages and assessments across various governmental agencies. The framework is also based on continuous monitoring of IT infrastructure and cloud products, which supports a real-time cybersecurity program. More importantly, FedRAMP focuses on moving agencies away from slow, tethered, and insecure IT toward IT that is mobile, fast, and more secure. The aim is to ensure federal agencies have access to modern and reliable technologies without compromising their security.
To achieve the desired security levels, FedRAMP collaborates with cloud and cybersecurity experts involved in maintaining other security frameworks. These include the NSA, DoD, NIST, GSA, OMB, and private-sector groups. The main goals of FedRAMP are to accelerate cloud migrations by reusing authorizations and assessments, enhance confidence in cloud security, ensure that federal agencies consistently apply recommended security practices, and increase automation for continuous monitoring.
COBIT (Control Objectives for Information and Related Technologies) is a cybersecurity framework that integrates business best practices with IT security, governance, and management. ISACA (Information Systems Audit and Control Association) developed and maintains the framework. The COBIT cybersecurity framework is useful for companies aiming to improve production quality while at the same time adhering to enhanced security practices. The factors that led to the creation of the framework were the need to meet all stakeholder cybersecurity expectations, the need for end-to-end process controls for enterprises, and the need for a single, integrated security framework.
FISMA (Federal Information Security Management Act) is a framework designed for federal agencies. The compliance standard outlines a set of security requirements that government agencies can use to enhance their cybersecurity posture. The security standards aim to ensure that federal agencies implement adequate measures for protecting critical information systems from different types of attacks. Moreover, the framework requires vendors and third parties interacting with a government agency to conform to the stipulated security recommendations. The main aim of the security standard is to enable federal agencies to develop and maintain highly effective cybersecurity programs. To achieve this, the standard consists of a comprehensive cybersecurity framework with nine steps for securing government operations and IT assets.
NY DFS (New York Department of Financial Services) is a cybersecurity framework that covers all institutions operating under DFS registrations, charters, or licenses. The framework consists of several cybersecurity requirements that can enhance the security posture of financial organizations and of the third parties they do business with. Among other things, NY DFS requires organizations to identify security threats that can affect their networks or information systems. The framework also requires companies to adopt sufficient security infrastructure to protect all IT assets from the identified risks. In addition, organizations covered by NY DFS must implement systems for detecting cybersecurity events.
Copyright © 2020 Eretmis Inc. - All Rights Reserved.