Due to the increasing instances of cyber-attacks in the last decade, establishing information security controls and assessments have become an essential tool for organizations. These controls are necessary for an organization to strengthen its defenses against various security threats. There are compliance standards or frameworks which have distinguished themselves as the best practices for organizations to assess their current security plan and maturity. These standards or frameworks also help the organization set important goals regarding security to improve its practices when protecting sensitive and critical assets. The frameworks I am talking about are NIST, CIS/SANS 20, and ISO 27001.
What is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Government founded in 1901 that produces technology, standards, and metrics to drive innovation in the US science and technology sectors. The NIST has its headquarters at Gaithersburg in Maryland.
The NIST publishes the Special Publication 800-series, which provides guidance documents and recommendations. They published Special Publication 800-53 as part of the above series, which catalogs 20 security and privacy control groups. NIST recommends that organizations in their risk management strategies should implement these security and privacy controls. These controls talk about access control, training for security awareness, incident response plans, risk assessments, and continuous monitoring. I have elaborated in my previous articles – “How to respond to a data or security breach?” and “As a CIO do you have a plan if a data breach occurs at your organization?“
The NIST compliance framework was created to provide a customizable guide on how organizations should manage and reduce cybersecurity-related risks. NIST combines existing standards, guidelines, and best practices in its guide. Although, it is essential to know that just adhering to NIST will not make your organization 100% secure, and that’s why the NIST guidelines begin by telling organizations to use a value-based approach to protect their assets.
The key benefit associated with NIST compliance is it helps to make your organization’s IT infrastructure secure. It is also a foundation protocol for companies when achieving HIPAA or FISMA compliance.
What is SANS/CIS 20?
Founded in 1989 by Allan Paller, SANS Institute is a company that specializes in information and cybersecurity. SANS partners with the Center for Internet Security (CIS) and industry professionals to maintain the 20 critical security controls. The CIS 20 are essential to protect the assets and data of an organization from known cyber-attack vectors. These controls should be implemented by companies that seek to strengthen their security in the Internet of Things (IoT) domain. The CIS 20 controls span across areas such as asset configurations (hardware and software), malware defenses, recovery, continuous monitoring and control, incident response plans and management, penetration tests, and Red Team exercises.
The following infographic mentions the CIS 20 Security Controls:
- The basic controls should be implemented in every organization for essential cyber defense readiness.
- The foundation controls are the best technical practices that provide clear security benefits.
- The organizational controls focus on the people and processes involved in cybersecurity.
What is ISO 27001?
In a previous article, ISO 27001 and its benefits were mentioned. I would highly recommend you read that article for more knowledge. ISO stands for International Organization for Standardization.
ISO 27001 is an information security standard that outlines organizations’ requirements on how they should manage and secure their critical and classified data with an Information Security Management System (ISMS). It is a part of the ISO 27000 family of standards. The ISO 27000 regulations are broad and can be applied to a wide array of businesses and organizations, regardless of their size and magnitude.
The ISO 27001 focuses on a six-step planning process:
- The organization should define a security policy after taking all consideration into account.
- The scope of ISMS should be defined.
- Conducting a risk assessment.
- Identification and management of risks.
- Determining the controls to be implemented.
- Preparing a statement of applicability.
ISO 27001 has 10 clauses that guide organizations in establishing and maintaining an ISMS.
- The first three clauses specify the necessary terms and references.
- Organization’s context: This includes defining the scope of ISMS and the relevant parties, assets, and data that should fall under ISMS.
- Leadership and Commitment: The 5th clause talks about how a top-down approach from the management makes for a successful project and how the leadership should be involved by providing necessary resources to support ISMS and its initiatives.
- Planning: The 6th clause focuses on planning for risk management and risk assessment in the organization.
- Support: The 7th clause directs organizations to have sufficient resources, including people, infrastructure, budget, and communications, to achieve success in cybersecurity measures.
- Operation: The 8th clause tells the organization what they should do to act on the plans that protect their data.
- Performance evaluation: This involves assessing the risk management plan and response at regular intervals.
- Improvement: The last clause focuses on how the response and management plans can be improved and how ISMS should be re-evaluated to keep up with the latest risks.
What is the difference between NIST, SANS/CIS 20 and ISO 27001?
- NIST is a voluntary framework applicable for any organization seeking to reduce its overall security risks.
- SANS/CIS 20 is for organizations seeking priority-based results on their security response. They are generally handy for industries in the IoT domain.
- ISO 27001 is for organizations seeking to have a risk-management based approach to their security. They apply to all types of industries and of all sizes.