Security frameworks are an instrumental part of helping security professionals determine the most effective security program for their organizations, including how they leverage security services from vendors and managed security services providers (MSSPs). Frameworks help practitioners identify and implement controls, as well as provide a “check the box” tracking mechanism for elements an organization identifies it needs to fortify its security posture.
Common Security Frameworks
Security frameworks help manage cybersecurity risk, and there are several out there you may be aware of:
- The NIST Cybersecurity Framework (CSF) organizes cybersecurity outcomes under core functions: Identify, Protect, Detect, Respond and Recover (CSF 2.0, published in 2024, adds a sixth, Govern). Each function breaks down into categories and subcategories; a profile selects and prioritizes those outcomes against the organization’s business requirements, risk tolerance and resources. Implementation tiers (Partial, Risk Informed, Repeatable, Adaptive) describe how rigorous and integrated an organization’s risk management practices are.
- The CIS Critical Security Controls (v8) comprise 18 controls, including Control 1, “Inventory and Control of Enterprise Assets,” and Control 3, “Data Protection.” The overview of Data Protection reads: “Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.”
- PCI DSS exists to protect payment cardholder data and sets out 12 prescriptive requirements, including “install and maintain a firewall configuration to protect cardholder data” and “protect stored cardholder data” (in PCI DSS v4.0 these read “install and maintain network security controls” and “protect stored account data”).
What’s Missing?
While these frameworks cover discrete components, which is important, they lack two important elements:
- Customization based on specific client goals, existing technology and services, and industry needs
- Continuous improvement of a security program over time.
These elements have traditionally been tackled by the organization itself (versus a vendor or MSSP) as more of a DIY effort.
The ideal framework allows setup based on your industry, technology, infrastructure, staff, expertise and other variables. Your expectations, requirements, threat landscape, risk profile and security maturity goals matter a lot to security outcomes. And, you should be able to emphasize or de-emphasize certain framework elements depending on your organizational current state, goals and industry.
Security in Action Framework
The Security in Action Framework is interactive and customizable. It’s built on a consultative model, so it fits your organization. The framework comprises eight steps and describes an approach to working with an MSSP to achieve better security and business outcomes.
- Discover: This step is all about a complete discovery and onboarding process that captures all relevant business objectives, risk factors and security goals.
- Focus: Focus allows you to apply discovery findings and prioritize threats and mitigation efforts.
- Prepare: This is the time for collaboration on architecture and solution designs, as well as creation of a security runbook.
- Monitor/Manage: This step centers around monitoring and proactively managing your IT environment 24x7x365 in lockstep with an MSSP.
- Notify: Communication is key with this part of the process, which includes alerts on potential security threats and information on what to do next.
- Contain: When a threat is identified, you work with experts such as your security implementation team (SIT), the security operations center (SOC) and the network operations center (NOC) to contain the threat before it causes further damage.
- Mitigate: Mitigate the threat with proactive response management 24x7x365, allowing you to return to business as usual as quickly as possible.
- Maintain/Evolve: Continuously assess and improve your security posture.
Look for an MSSP that offers all eight of these steps to improve both day-to-day operations and your cyber resilience. These steps also make it easier to balance the human intelligence, technology and processes your organization needs.
Want to learn more about this important framework? Read the whitepaper now.