Security Frameworks

With limited technical resources, budget constraints, and a constantly changing threat landscape, it is understandable why many small and mid-sized businesses (SMBs) continue to struggle with information security. Add the challenges of managing regulatory compliance such as PCI DSS, HIPAA, and GDPR, and the disruption created by the COVID-19 pandemic, and it’s easy to understand that SMBs are facing a time of unprecedented change.

Implementing and managing an information security program can be complicated and confusing. How can business owners and those tasked with managing security get started organizing and prioritizing what needs to be done? Selecting an information security framework to follow is an excellent place to start.

What is a Security Framework?

A security framework is a formal, structured approach that defines how information is managed to protect data and reduce risk. Frameworks provide documented policies, controls, processes, and procedures to help the organization manage risk. The frameworks describe “what” an organization will do to manage security risks. These frameworks can be thought of as a blueprint or a roadmap.

In a session at the RSA 2019 conference, Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, presented How to make sense of cybersecurity frameworks. He explained that frameworks can be separated into three categories: Program frameworks, Control frameworks, and Risk frameworks. A summary of the presentation is available in the article How to choose the right cybersecurity framework.

The three types of security frameworks Kim explained:

Program frameworks 

  • Assess the state of the overall security program
  • Build a comprehensive security program
  • Measure maturity and conduct industry comparisons
  • Simplify communications with business leaders

Control frameworks  

  • Identify a baseline set of controls
  • Assess the state of technical capabilities
  • Prioritize the implementation of controls
  • Develop an initial roadmap for the security team

Risk frameworks  

  • Define key process steps for assessing and managing risk
  • Structure the risk management program
  • Identify, measure, and quantify risk
  • Prioritize security activities

Program and Control frameworks can be used together to manage the overall security program. Control frameworks contain a catalog of controls an organization can implement to ensure that it complies with specific regulatory requirements. If the organization needs to comply with multiple regulatory requirements, it would use multiple control frameworks. Risk frameworks help organizations identify, quantify, and measure risk in order to prioritize it.

Security Management Frameworks

It is estimated that over 200 security frameworks are in use across the globe. Only a handful of these frameworks have been widely adopted. Some frameworks were developed for specific industries or to satisfy individual regulatory compliance requirements. The frameworks can vary significantly in complexity and scale, with some frameworks requiring extensive documentation, long implementation timelines, and large budgets (and teams) to achieve and maintain certification.

Cybersecurity Frameworks

Some frameworks are also considered a standard or regulation, adding to the confusion.


How do you select a Security Framework?

Given the number of frameworks that are available, it is not surprising that many organizations have either not chosen a framework to follow or have developed an ad hoc framework. Gartner’s research shows that 21% of clients had not selected a security framework.

When selecting a framework, keep in mind the unique needs of your industry, regulatory compliance requirements, customer expectations, and the IT and security capabilities of your organization. While any of the widely adopted security frameworks can help you with your security program, be cautious when selecting a framework. A framework that is overkill for your organization, or that does not address your specific industry or regulatory compliance requirements, can result in security gaps, wasted time and money, and an overloaded team.

The primary consideration is to understand your organization’s compliance requirements from a statutory, regulatory, and contractual perspective. Once the minimum set of requirements necessary for compliance is established, you can check to see if a framework has been developed for those regulations or for your specific industry.

You can refer to one of the many guides that are available; here are a few:

Get started on the road to protecting your clients, employees, and your business today by selecting a security framework!

For more information, please email John Mendes at [email protected].