An information security framework is a series of documented processes used to define policies and procedures for the implementation and ongoing management of information security controls in an enterprise environment. These frameworks are essentially a “blueprint” for building an information security program to manage risk and reduce vulnerabilities. KSG information security pros can use these frameworks to define and prioritize the tasks required to build security into an organization.
Frameworks are often customized to solve specific information security problems, just like building blueprints are customized to meet their required specifications and use. There are frameworks that were developed for specific industries as well as different regulatory compliance goals. They also come in varying degrees of complexity and scale. However, you will find that there is a large amount of overlap in general security concepts as each one evolves.
The ISO 27000 series was developed by the International Standards Organization. It provides a very broad information security framework that can be applied to organizations of all types and sizes. It can be thought of as the information security equivalent of the ISO 9000 quality standards for manufacturing, and it even includes a similar certification process. It is broken up into sub-standards based on content. For example, ISO 27000 consists of an overview and vocabulary, while ISO 27001 defines the requirements for the program. ISO 27002, which evolved from the British standard BS7799, defines the operational steps necessary in an information security program.
There are many more standards and best practices documented in the ISO 27000 series. ISO 27799, for example, defines information security in healthcare, which could be useful for those companies requiring HIPAA compliance. New ISO 27000 standards are in the works to offer specific advice on cloud computing, storage security and digital evidence collection. ISO 27000 is broad and can be used for any industry, but the certification lends itself to cloud providers looking to demonstrate an active security program.
The U.S. National Institute of Standards and Technology has been building an extensive collection of information security standards and best-practices documentation. The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Although not specifically an information security framework, NIST SP 800-53 is a model from which other frameworks have evolved. U.S. government agencies use NIST SP 800-53 to comply with the Federal Information Processing Standard (FIPS) 200 requirements. Even though it is written for government agencies, the NIST framework can be applied in any other industry and should not be overlooked by companies looking to build an information security program.
The beauty of these frameworks is that they overlap, so “crosswalks” can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section “Plan and Organize”; Sarbanes-Oxley defines it as “Internal Environment”; HIPAA defines it as “Assigned Security Responsibility”; and PCI DSS defines it as “Maintain an Information Security Policy.” By adopting a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few.