Did you ever play “Kick the Can” as a kid? The basic game play includes one person (your organization) designated as “It”. An empty can is placed in the open playing field (in this example, let’s call this can – payment card information). With eyes closed, “It” counts to 20 while the other players (hackers) run and hide. “It” is now responsible for finding and tagging/capturing all of the other players, while always keeping a watchful eye on the can. If one of the players can kick the can without being caught, they set all captured players free at once. Want to make the game even more fun? Add more cans! (ePHI, SSNs, bank account numbers!) So much fun, right!?
In the (real) world of information security and compliance, there are rules for how each can, or each type of data, is to be protected. Organizations with payment card information must follow the Payment Card Industry Data Security Standard (PCI DSS). If you are handling electronic Personal Health Information (ePHI), then you’ll need to meet the HIPAA regulations. If you are dealing with the federal government, NIST SP 800-53 may need to be followed. With all of the different types of information your organization is responsible for securing and protecting, it can often feel like the second you take your eyes off one “can”, someone is immediately kicking down another. How can you protect all of your compliance cans at once, while still focusing adequate attention on each set of rules?
Fortunately, the overall goal of information security always remains the same – preventing the loss of availability, the loss of integrity, and the loss of confidentiality for systems and data. With this in mind, it can be helpful to take a step back from the individual checklists and shift from focusing on compliance to focusing more holistically on information security. How this is done can differ from one organization to the next, but one way to standardize and build a roadmap for your enterprise information security program is through the use of an industry cyber security framework, such as the NIST Cybersecurity Framework (CSF), or the CIS Top 20.
A cybersecurity framework is a predefined set of controls that helps organizations reduce possible vulnerabilities and misconfigurations, and protect information and systems from compromise. Implementing a security framework across all data types gives your organization a tool to assess the current state of your environment and provides a more calculated process for assessing and managing risk. Think of this as an invisible fence around all of your cans on the field that helps you plan which can or cans you need to protect first. A framework can help you identify critical security gaps and properly prioritize the deployment and implementation of security controls, defining where resources are needed most in order to best protect the sensitive information and systems that are facing the highest risk.
A framework doesn’t guarantee safety from every form of cyberattack, but it does provide a measurable baseline to show where you stand compared to other organizations, as well as a defined set of best practices for your organization to follow. By measuring up to a standard, you can better track your goals, objectives, and eventual progress. A framework can also simplify communications with executive-level leaders. As cybersecurity professionals, you are often so knowledgeable and “in the weeds” that it can be difficult to communicate about cyber risks in clear and simple terms. Use of a cybersecurity framework can make it easier for everyone to understand and communicate about security.
Different standards provide varying styles and degrees of protection, with differing approaches, but as we stated above, they all seek to accomplish the same goal of protecting sensitive information from compromise. Because of this, there are distinct areas of overlap between cybersecurity frameworks and the various compliance standards, and you can use that to your advantage. Once you align your business practices with a cybersecurity framework, you can much more easily align with additional ones that apply to specific sets of data or compliance requirements like the PCI DSS.
Earlier this year, the PCI Security Standards Council created a document in which they mapped the PCI DSS to the NIST Cybersecurity Framework as a resource for organizations to better align security objectives and identify opportunities for control efficiencies. While the PCI DSS provides specific direction and guidance on how to protect payment environments, the NIST CSF identifies general security outcomes and activities. The implementation of a particular security control from the NIST CSF may also directly support a PCI DSS requirement, which can help you reduce duplicated effort and prioritize projects effectively.
Use of a cybersecurity framework in correlation with the individual standards required for specific data groups can help your organization move towards a “security then compliance” mindset. Those responsible within your organization for maintaining compliance with different standards like the PCI DSS, HIPAA, FERPA, etc., are often siloed in separate departments (Finance, IT, Student Records, etc.), so efforts are often duplicated and resources allocated separately. Implementing a comprehensive information security program, based on a plan that intelligently melds all applicable requirements, can go a long way in reducing overall costs and streamlining efforts.
If you have a question or would like to discuss ways to use this approach in your organization, please don’t hesitate to reach out to us.
Additional guidance from our Security Advisor team below:
[Hobby]: Frameworks provide guidance to your information security program and offer a roadmap to effective risk management. One of the benefits of standard frameworks is their ability to provide a common language that unifies the conversation around risk, security, and compliance. Using established frameworks to inform your security program provides several concrete advantages including:
- Easily demonstrating that you’re following acknowledged best practices.
- The ability to track your progress against both baselines and comparatives.
- An established way to communicate both needs and results to leadership.
Crosswalk tools such as the referenced PCI-NIST mapping demonstrate one of the strengths of frameworks: they provide a way to develop plans to cooperatively protect critical information resources. This is one of the reasons why there’s so much overlap among frameworks: they’re focused on the same goals. But perhaps the greatest benefit of following an established framework is that it offers the possibility of shifting from reacting to events to proactively managing risk.