Searching for an IT Security Framework?
If your company conducts business in finance, energy, or healthcare, it’s easy to understand which regulatory and compliance frameworks you need to adhere to. For companies outside of these industries, specifically small and medium businesses, understanding and awareness of an IT security framework is much harder to come by. Many companies spend a lot of time figuring out how to set up their IT organization to best secure their network and data, but lack the confidence that they are meeting a recognized standard. Historic standards such as ISO 27001 and the FISMA compliance frameworks were simply too cost-prohibitive for SMBs to utilize.
Where did it come from?
The Framework for Improving Critical Infrastructure Cybersecurity is the result of a February 2013 US Executive Order after 10 months of collaborative discussions with more than 3,000 security professionals. It is a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices and creates a common language for internal and external communication of cybersecurity issues.
http://www.nist.gov/cyberframework/
The framework was targeted for critical infrastructure companies providing services like energy, utilities, and infrastructure, but it has also been written to make sense for the smallest of businesses. The framework is regularly updated with input from private-sector parties to ensure that it represents current best practices.
Why do I need a framework?
SMBs are a varied set of organizations. Few have the same level of risk or the same need for response measures, for example. As it stands now, the Framework’s standards are voluntary. SMBs aren’t required to follow them at this time. However, there are distinct advantages to doing so.
- Legal Exposure – As security incidents and breaches become more and more common, the expected standards for reasonable protections are growing rapidly. In the event of a breach, having a security framework in place will go a long way to show that your organization takes cybersecurity seriously and makes reasonable efforts to protect the data of your clients, vendors, employees, and investors.
- Cyber Liability Insurance Claims – Insurance companies have been quick to throw out claims for organizations that do not take cybersecurity seriously. If you think you’ll be covered and compensated after a breach occurs, read the fine print.
- Compliance – Even if your organization is not under compliance requirements today, in the future you may be required to meet new standards. Implementing the NIST framework now puts organizations on solid footing to meet new and changing requirements.
- Vendors – As a third-party provider to organizations, adopting the Framework will improve the services you offer and position your business as the go-to provider in your industry or region. Furthermore, as companies adopt the Framework, they may require vendors and suppliers to follow suit, or they may choose to work with a competitor.
What does the framework lack?
Let’s make sure we face reality. There are no silver bullets in the land of IT security. There are no one-size-fits-all recipes for complete safety and protection. The Framework does not adequately address data privacy or the various technical security controls needed to properly secure an environment. In addition, a framework does not automatically ensure protection or minimize risk, but it’s a great starting point for discussion.
It’s also worth noting that this effort is not often easy or cheap. It takes time, discipline, communication, and acceptance from the entire organization.
What comes next?
Now that you are aware of the NIST framework, have a discussion with your IT team to understand what framework you are following. Chances are high that they have been desperately trying to make the environment secure without seeking additional resources and funding from senior leadership. If your IT department has told you they need to spend excessive funds to make things more secure, insist that the funds only be delivered once a cohesive security framework has been developed and explained. Some organizations will read this notice and worry that they cannot afford to act on the Framework, but the real question is – can you afford not to?