What is a Common Security Framework (CSF)?

USA, Apr 7, 2017


What is a Common Security Framework (CSF) and why is it important to your organization’s enterprise security?

A CSF (sometimes referred to as an IT Security Framework or an Information Security Management System) is a set of documented policies and procedures that govern the implementation and ongoing management of an organization’s security. Think of it as a blueprint or operator’s guide for security. Many organizations are pursuing a Common Security Framework to improve their overall security posture and, frequently, to aid in meeting the requirements of various compliance and/or regulatory measures.

There are a variety of frameworks in use today and we will take a look at a few in a minute. Choosing the right framework can be a difficult task with so many available options covering different priorities, vertical markets, and levels of complexity.

One point worth discussing up front is that CSFs and compliance measures are not the same. There is a common misunderstanding that something like the Payment Card Industry Data Security Standard (PCI DSS) is a security framework. While PCI DSS certainly has elements that describe security measures, it is not a Common Security Framework. There are two primary reasons for this:

  1. Limited Scope. The scope of many compliance measures is limited (PCI DSS certainly falls into this category).
  2. Limited Models. These compliance models do not look at security holistically, as they only address measures that are specific to the objectives of that compliance framework.

Common Security Frameworks were developed to address both issues, covering a wide area of security considerations across the entire enterprise. CSFs are generally not very specific with respect to technologies. For example, many CSFs will indicate that you must deploy Multi-Factor Authentication, but will not provide any opinion on which specific solutions you should evaluate, whether those solutions should be on-premise or cloud-based, etc.

Here are some of the more common examples in use today. Please note that this list is from a U.S. perspective; other frameworks exist and may have different adoption rates outside the U.S. That said, CSFs are generally more globally applicable than compliance measures, since they are designed to provide a blueprint for overall security, not just to comply with local laws or regulatory measures.

  • NIST SP 800 series. Initially developed in 1990, this has matured into a well-respected and frequently used CSF. The series consists of several publications addressing specific issues within security; for example, SP 800-50 addresses Building an Information Security Awareness and Training Program and SP 800-52 covers Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Although the U.S. government developed it, the NIST 800 series has seen wide adoption globally by commercial organizations. Many other CSFs started as offshoots of the NIST publications. Most U.S. government agencies are required to comply with NIST, and it also provides compliance with Federal Information Processing Standard (FIPS) 200.
  • ISO 27000 series. This evolved from the British Standard framework (BS 7799) and is popular due to the global recognition of ISO across a variety of standards, although the complexity and cost of pursuing ISO certification are sometimes a deterrent. There are three basic guidelines within this standard: 27000 is an overview defining the terms and objectives of the framework, 27001 defines the requirements and policies, and 27002 defines the operational steps necessary to be compliant. Additionally, there are optional sets of supplementary standards available for organizations wishing to adopt them; for example, ISO 27799 relates to healthcare-specific concerns.
  • SANS 20 / CIS 20. This is the framework organizations pursue when they want the most important areas of security covered but don’t want to incur the expense and labor required by a more exhaustive framework like NIST or ISO. As the name implies, this framework prescribes twenty key areas of focus for security.
  • HITRUST. HITRUST was developed leveraging components from NIST, ISO, and others. It is specific to the Healthcare industry and is receiving wide adoption within that industry, particularly in the U.S.
  • COBIT. Heavily utilized in the financial sector and by public companies, COBIT provides a security framework as well as individual certifications around IT, such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). This framework is frequently used to meet the security requirements of organizations that must comply with Sarbanes-Oxley (SOX).

In general, we see organizations leveraging CSFs in one or more of the following four ways:

  1. To improve overall security. Leveraging the CSF blueprint to ensure they address the most important aspects of security.
  2. As a competitive differentiator. Establishing a competitive advantage through a greater focus on security and the protection of their own and their customers’ assets.
  3. To meet compliance and/or regulatory requirements. Often necessary in specific vertical industries like healthcare or finance.
  4. To free up budget and purchasing ability around security. Once a business decision has been made to pursue a CSF, the subsequent budget required to meet the CSF’s requirements is frequently easier to obtain.

Where to Begin

I’m often asked where to begin when it comes to reviewing the strength of a current framework. The most common method is for an organization or its security provider to conduct a gap analysis to help understand what steps may be needed to meet the requirements of their chosen CSF and any remediation efforts necessary to address deficiencies.
