
Implementing a security framework

Your organization may already have an information security framework in place. If not, it's highly recommended that you begin implementing one straight away to lay the foundation of your security program and strategy. Many frameworks are available, and the direction you take will depend on factors such as your business type, industry requirements, and the regulations you are subject to.

An information security framework is designed to give your organization's security program a well-defined basis. One of the primary reasons to implement one is to reduce risk as much as possible: the framework enumerates the areas your security program needs to cover, and measuring yourself against it exposes the gaps within the organization.

Implementing an information security framework isn't easy; it can be extremely complex and requires a major investment of time. It won't happen overnight. It takes a lot of planning and many months, or even years, to implement correctly, so it is important to think of the framework as a journey along which you continue to evolve and improve over time.

A significant benefit of implementing a framework is the ability to present a well-constructed overview of your security program and strategy to executive management and leadership. A framework gives the executive team a comprehensive picture of which security controls are in place and a road map of the work still to be completed. It also lets them provide feedback, prioritize needs, and offer valuable input. This transparency about your security program and strategy with leadership is a significant advantage.

The following are some of the more common and widely adopted frameworks available today:

Your industry and location in the world may dictate which framework you use, but in general, any of them can serve as a foundation in any industry. As an example, a healthcare organization will most likely adopt the HITRUST framework. The ISO/IEC 27000 series and COBIT tend to have a more global presence than NIST, which is primarily leveraged by the US government and US-based organizations.

To help with your implementation, let's take a closer look at the NIST Framework for Improving Critical Infrastructure Cybersecurity (commonly called the NIST Cybersecurity Framework). Although it was initially created for critical infrastructure, it can be used by an organization of any industry and size, and it has gained a lot of popularity and been widely adopted. The framework is built around five core functions: Identify, Protect, Detect, Respond, and Recover, as shown:

Figure 2.3 – The NIST cybersecurity framework core functions

More information about the five functions in the NIST framework can be found at https://www.nist.gov/cyberframework/online-learning/five-functions.

Each function is divided into categories, and each category into subcategories. Every subcategory states an outcome and lists informative references (such as controls from NIST SP 800-53, ISO/IEC 27001, and the CIS Controls) that describe how to manage the risk within that subcategory. To take this a step further, let's review the specific subcategory that relates to the baseline configuration you will follow as part of your overall implementation (in version 1.1 of the framework, this is PR.IP-1 under the Protect function, which requires that a baseline configuration of IT systems be created and maintained incorporating security principles). The following table breaks down the relevant part of the Protect function:

Figure 2.4 – Example of the NIST cybersecurity framework

Important note

The NIST Framework for Improving Critical Infrastructure Cybersecurity (version 1.1), which contains the preceding example, can be found at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

As you can see from the preceding table, the NIST Cybersecurity Framework provides guidance and informative references that can be used to meet each outcome. Adopting a framework builds a solid foundation for putting the required baseline controls in place to strengthen your systems. Frameworks describe the overall controls at a higher level and help ensure that there are no gaps in your security program, including gaps in your Windows infrastructure.

Next, let's look at baseline controls. Baseline controls define a standard set of configurations that every device in a given class must meet.
