Organizations in regulated industries are usually required to follow one or more compliance schemes, which in turn typically draw on frameworks and standards for their field of business. (Frameworks and standards are often confused. We touched on that in a previous story here at TechGenix.) Some are industry-specific and others are more general. Given the sheer number of practices available to guide and assist, it can be overwhelming for IT professionals to find what best suits their company's needs. Considering some of the most universally adopted schemes first narrows the search and eases the decision-making process.
Frameworks hold value
By following a framework, an organization gains a flexible structure that lets it manage a strategy, develop and document processes, and implement controls to align IT with the business and to manage and reduce risk. Different frameworks and standards are needed depending on what the organization wants to accomplish. If the environment changes over time or new issues arise, frameworks and standards that were not relevant before may become more important. Frameworks hold great value. They do not only provide structure: they encourage efficiency, provide a way to measure effectiveness and allow for improvement. They give the organization a way to follow checklists, prioritize, identify fundamental responsibilities, assign tasks and move towards the end goal one step at a time, all in a controlled manner.
Frameworks are especially important in IT, where they help manage complex systems and environments appropriately. The structure they provide is not only advantageous for IT; it also allows organizations to adapt efficiently to change, whether that change comes from compliance requirements, from laws and regulations, or from business operations. This is fundamental now that information security regulation is a priority for most industries: as environments change and technologies evolve, so do the risks and the regulations. Frameworks help organizations get a handle on this.
For IT governance, a primary goal is establishing direct controls in the organization. Depending on the organization's level of maturity, it may already have some controls in place, but improvements can still be made. Each framework has its strengths and weaknesses, but an organization can leverage multiple frameworks and standards to accomplish its goal. Essentially, it needs to know its present state of affairs and where it would like to be. By comparing the two, weaknesses can be discovered, and frameworks and standards can be used to guide the organization to where it needs to get. Any additional controls can then be applied as required to improve IT governance.
Universally used frameworks and standards
A vast number of frameworks and standards are applicable to a multitude of industries and sectors. Each has its place and function, be it in a department or across an entire industry. Having said that, some are universally used and most definitely more prevalent than others. Below are a few of the frameworks and standards that stand out globally. They can be categorized as covering IT governance, management and control; information security and risk; and service delivery. Some have more specific requirements and address industry-related issues.
The more general ones for IT governance, management, and control
- COBIT
COBIT, or Control Objectives for Information and Related Technologies, is a leading framework used by large enterprises. It has a broad scope and helps organizations manage information and their infrastructure. It provides a means to navigate the complexities involved by utilizing controls, process structures, objectives, and management guidelines to align IT goals with business goals.
By using COBIT, an organization can identify critical issues and tailor practices to support the alignment of business and IT. It also maps directly to ITIL, for example, and the ISO 27000 series of standards.
It is a voluntary framework, but it can benefit an organization by helping it strengthen its defenses and thereby reduce its overall security risk.
- NIST
The frameworks published by the National Institute of Standards and Technology (NIST) encompass a multitude of information security standards and best practices. Due to their level of maturity and scale, large enterprises adopt them to improve critical infrastructure; however, they can easily be adapted to smaller businesses too. As NIST is widely used, it is a good way to provide reassurance to external parties about how you operate your business, since most are likely to be at least familiar with it.
This framework is voluntary unless the organization is contractually obligated to comply, but the benefits it provides are great: it encourages data and infrastructure security through easy-to-follow guidance, best practices and standards that help improve cybersecurity and manage cybersecurity risk.
Two NIST frameworks are particularly popular. The NIST Cybersecurity Framework (NIST CSF) helps advance cybersecurity and resilience in businesses and at a wider level. The NIST Risk Management Framework (NIST RMF) is also extensively used; it links down to system-level settings and is based on the NIST Special Publication 800-53 standard. Some entities (like governments) require organizations that deal with them to comply with this standard.
- ISO 27000 series
The International Organization for Standardization 27000 series (ISO 27000) for information security management is one of the most widely adopted series globally and has a broad scope. It offers a systematic approach to managing sensitive information and covers the risk associated with people, processes and technology. As the scope is so vast, the series contains standards for a variety of ways to keep information assets secure. Some may be more industry-specific or better suited to certain types of operations, but for the most part the series is useful throughout all industries, whatever their type or size.
Although the benefits it affords are great, the route to certification can be quite labor-intensive, especially for smaller businesses. ISO certification is therefore pursued mostly by larger enterprises. But smaller organizations that do not want to take the certification route can still adopt many of the recommendations, as this is a beneficial way to begin structuring a security framework.
- ISO 27001
ISO 27001 is probably the most prevalent standard in the series and is often referred to as the pillar of the family. It formally specifies a management system for information security. Bodies can be accredited to certify organizations as ISO 27001 compliant when they meet the requirements of the standard and are able to demonstrate this.
The standard specifies the requirements for auditing information security management systems (ISMS). So, through appropriate technology, testing and auditing, training and awareness for people, and better processes, organizations can better secure their information.
- ITIL
The Information Technology Infrastructure Library (ITIL) is widely adopted for IT service management globally and incorporates international best practices. It aims to align IT services with business goals through service strategy, service design, service transition, service operation, and service improvement. This creates a foundation for a solid IT governance structure to support the requirements and intricacies of information security in an ever-changing environment.
It accommodates modern technology, software, and tools. It is not industry-specific and can be adapted to suit any organization.
ITIL not only helps an organization to build a stable IT infrastructure that allows flexibility in changing environment dynamics but also helps with risk management and improves customer-client relationships.
Many IT operational managers swear by its benefits and wouldn’t be without it!
The not so general ones
Below are some industry-specific frameworks and standards that may require closer consideration. Some are voluntary and others are legally enforced. Implementing one or more of the more general frameworks noted above can help cover some of their requirements as well, but will not directly match all of them, so extra controls may be needed to demonstrate compliance with these more specific ones.
- PCI DSS (for payment card handling)
The Payment Card Industry Data Security Standard (PCI DSS) is specific to controlling the storage, transmission, and processing of the cardholder data that organizations handle. It aims to protect this sensitive information, ensure organizations are using secure practices, and reduce card fraud.
It is administered by the card providers themselves. It is not a legal requirement, but rather a form of industry self-governance. It guides businesses that process any card information to do so in a secure manner so that this sensitive data is always protected.
It is important to note that card data is also personal data, so it is also governed by legal compliance regulations such as the GDPR and other data protection regulations enforced by law around the world.
- HIPAA (for health/medical information in the US)
The U.S. Health Insurance Portability and Accountability Act (HIPAA) sets various standards and requirements for health data, among other things. It includes the HIPAA Security Rule, which concerns cybersecurity professionals and IT in particular. Anyone who handles and maintains health information must comply. It is enforced by law and is a regulatory compliance framework, so if you handle health data and use your infrastructure to do so, be sure to adhere to practices for securing and processing health data in ways that comply with HIPAA.
- GDPR (Data Protection in the EU)
The General Data Protection Regulation (GDPR) is a relatively new EU regulation (enforced since 2018). It is a regulatory compliance framework: anyone, anywhere in the world, processing the personal information of an EU citizen must comply with this data privacy regulation. The framework has a broad scope and lays out the requirements of the regulation.
Other frameworks and standards, including NIST, offer controls based on similar requirements. Organizations may therefore find that frameworks they already use support some of the GDPR requirements (such as the requirement for a Privacy Impact Assessment) and may be able to map those requirements onto an existing framework, if they have suitable ones in place.
Hundreds exist, these are merely a notable few
Hundreds of frameworks and standards exist. Which ones you choose to adopt and integrate ultimately depends on what you want to achieve, and their success depends on the organization's ability to encourage change. You may choose to use multiple frameworks to align business and IT and to meet both desired and regulatory compliance goals, as each may shine in different areas; frameworks mostly allow the flexibility to do this. So, if you are only beginning the journey, consider the commonly used ones. There will be overlap between them, but once you align your business with frameworks suited to your needs it will be easier to map others to them, so that your business can benefit from the best that each provides.
Lastly, remember that the more general frameworks may not always cover all the requirements of the more specific ones. There will be some overlap, but you should not rely solely on them to comply with industry-specific frameworks and standards, especially those that are a legal requirement.