So, You Want to be Compliant. Now What?
Introduction
Cybersecurity compliance frameworks serve two functions: (1) when adopted voluntarily, they provide a roadmap organizations can follow to create robust, sustainable cybersecurity programs, and (2) when mandated, they serve as legal or regulatory obligations to which organizations must demonstrate adherence. The ultimate intent of cybersecurity frameworks, regardless of their underlying function, is to reduce cybersecurity risk. When used voluntarily, frameworks guide organizations to reduce their risk according to their own individual risk profile. When mandatorily required, attested compliance with a framework demonstrates, at least nominally, that organizations have adopted the frameworks’ myriad best practices. Organizational leaders may choose to follow a cybersecurity framework for one or both of the aforementioned reasons. This article explains how leaders should approach the adoption of a cybersecurity framework.
Choosing a Framework
Cybersecurity frameworks are standardized best practice guidelines or controls that organizations are encouraged or mandated to follow. Although the cybersecurity field is new, it is already teeming with frameworks. Choosing which of the many frameworks to adopt can be challenging, unless the choice is made for you because a regulatory obligation demands that you demonstrate compliance with a specific framework. If you do have the freedom to select which framework to follow, there is no single, definitive way to determine which framework is best for your organization, as each framework has its own subtle spin on cybersecurity best practices. However, you should at least aim to select a framework scoped to your cybersecurity program’s maturity. Brand-new cybersecurity programs would likely benefit more from following the CISA CPGs, which have 38 cybersecurity controls, than NIST 800-53, which has more than 1,000 cybersecurity controls.
Here’s a partial list of common cybersecurity frameworks to consider voluntarily following:
- NIST CSF – a high-level framework scalable for organizations of all sizes and ideal for organizations looking to develop or mature their cybersecurity program.
- NIST 800-53 – an in-depth framework with over a thousand discrete cybersecurity controls organizations can implement.
- NIST 800-37 – a risk management-focused framework designed to help organizations build a cybersecurity program around risk decisions.
- NIST Privacy Framework – a privacy-focused framework designed to help organizations develop cybersecurity programs that protect data privacy.
- CISA CPG – a small framework designed to help organizations start a cybersecurity program by focusing on several high-impact controls.
- CIS Critical Security Controls – a framework with a broad range of controls scalable to organizations in any sector.
- HITRUST CSF – a framework intended to synthesize the controls commonly found among other frameworks.
- SOC 2 – a framework focused on certifying that an organization complies with specified security controls, and adherence to the requirements can lead to SOC 2 certification.
Here’s a partial list of common cybersecurity frameworks that may be mandatorily imposed due to a legal or regulatory obligation (note: this varies widely based on industry, sector, and governing authority, so be sure to consult your own business needs and legal teams to determine your legal obligations):
- NIST 800-171 – framework focused on protecting Controlled Unclassified Information (CUI) in government-affiliated organizations, and adherence to the requirements can lead to CMMC certification.
- GDPR – a European Union law specifying controls that protect data privacy, and adherence to the requirements can lead to a GDPR certification.
- PCI-DSS – a framework for organizations that process credit card information, and adherence to the requirements can lead to PCI-DSS certification.
- ISO/IEC 27001 – an international framework focused on building an information security program, and adherence to the requirements can lead to ISO/IEC 27001 certification.
- StateRAMP / FedRAMP – a framework for cloud security vendors, and adherence to the requirements can lead to authorized status on the StateRAMP and FedRAMP lists.
Frameworks as a Voluntary Guide
If you’re using a framework as a voluntary way to improve your cybersecurity outcomes, consider following these steps, regardless of which framework you choose:
- Assemble your cybersecurity team – convene a team of 3-5 people who will help you adopt the framework. Ideally, team members will thoroughly understand IT and cybersecurity, but they don’t have to. Non-technical team members with solid project management skills are also helpful. Set a regular meeting cadence with this team to start adopting the framework.
- Familiarize yourself with the framework – read the framework front to back, several times if necessary. While frameworks are commonly known for their control statements, most frameworks also have extensive supplementary information, such as introductory rationales and implementation suggestions, that is critical for understanding how to use the framework. Frameworks also often present control statements in a hierarchical form, such as the NIST CSF’s Functions, Categories, and Subcategories, NIST 800-53’s Control Baselines, and CIS’ Implementation Groups. If a hierarchy does exist, be sure to understand how and why it’s structured.
- Set your scope – frameworks can be used in part or as a whole. Some organizations may benefit from going through all 1,000 NIST 800-53 controls, while others may benefit from focusing on just a subset of the controls. Some controls may simply not apply to your organization, or you may just want to focus on a group of controls for the time being. That’s okay. Clearly setting your scope gives you guardrails for the rest of your time with the framework.
- Conduct a gap assessment – a gap assessment is a point-in-time analysis of your organization’s current practices compared to what they could or should be, which is often defined by the framework’s control statements. Reflect on your organization’s practices by reviewing documents and data and interviewing people. Take a thorough and unflinching look. Be sure to remind your stakeholders that cybersecurity frameworks are meant to generate collective improvements and reduce risk. Individuals can feel threatened when they’re asked about how they perform their roles, especially if their practices could be improved. Remind everyone that you’re just gathering data, not trying to single out specific people or teams.
- Create a Plan of Action and Milestones (POAM) – once you’ve reflected on your organization’s practices, compared them to the framework’s control statements, and identified where gaps exist, then you should create an action plan to close the gaps. The action plan should contain milestones, or indicators of success, for how the gap can be closed. You should also identify which people will be responsible for the action item and identify a rough target date for completing the action. Closing a gap can involve people, processes, or technology changes. The action plan can identify the type of change and whether any funding needs to be allocated.
- Track progress over time – the POAM should be a living document that your cybersecurity team tracks progress against over time. Continue to update the action plan when gaps are closed or when milestones and target dates change. Include cybersecurity discussions and action plan progress with other stakeholder groups, such as leadership. Use the framework to generate productive cultural changes around IT and cybersecurity throughout your organization.
- Celebrate your accomplishments – cybersecurity is a complex and evolving field, so success can feel like an elusive moving target. However, be sure to acknowledge and share the gaps you have closed: that’s real work with real impact. Once you feel like you’ve made enough progress on your POAM, consider reconducting a gap assessment, expanding the scope of your use of the framework, or adopting an entirely different framework. Hopefully, your voluntary use of the cybersecurity framework has led to the creation of a robust, sustainable cybersecurity program.
Frameworks as a Legal or Regulatory Obligation
If your organization is legally obligated to comply with a framework, then all of the aforementioned strategies for the voluntary adoption of a framework will also help you. However, there are a few additional considerations to assist with your regulatory compliance:
- Include legal experts on your cybersecurity team – be sure your cybersecurity team includes legal representatives who can advise on your exact legal obligations. “Become compliant” is easy to say, but there are a lot of variables and specifics that may be at play.
- Fully understand the parts of the framework that are in scope – sometimes, control statements can be vague or confusing. You don’t want to be guessing at a control’s intent throughout your compliance effort. Thankfully, many controls have informative references that map to control statements in other frameworks or offer implementation examples for how a control can be satisfied.
- Set a strict timeline for compliance – your regulatory obligation may demand a specific compliance timeline from you. Even if no timeline is required, you should set an aggressive timeline that generates productive action from your cybersecurity team and organizational leaders. Throughout your gap assessment, you may discover that closing some gaps will require significant resources and time. Do you want to start those remediation efforts sooner rather than later?
- Review your policies and procedures – the adage “do what you say, say what you do” is perfectly appropriate for meeting regulatory obligations. You should thoroughly review all of your relevant policies and procedures to ensure that a document doesn’t describe a practice that you’re not doing and that you don’t have a practice that isn’t documented. All cybersecurity frameworks include controls that touch on both documentation and practices.
- Produce clear evidence for each control that’s in scope – if you’re going to certify your compliance with a regulatory framework, then it’s likely that you’ll be audited. Auditors will ask for clear evidence of how your practices satisfy a control statement. While most of your evidence may be written statements, don’t forget to include relevant data and screenshots. For example, if you’re obligated to have user passwords be a certain length, then you can produce both your password policy and a screenshot of the setting in your identity management solution.
Conclusion
Cybersecurity frameworks are helpful tools organizations can use to improve their cybersecurity posture. Organizations can voluntarily choose to follow a framework, or they may be legally obligated to demonstrate compliance with one. Regardless, the use of a cybersecurity framework can reduce risk and enhance your organization’s reputation. Consider following the steps in this article to make your use of a cybersecurity framework a success.
You can also engage Sedara to help you improve your cybersecurity posture and meet your legal and regulatory obligations. Our Cybersecurity Development Program (CDP) has expert, trusted virtual Chief Information Security Officers (vCISOs), or fractional CISOs, who serve as your designated cybersecurity champion. Our vCISOs are schooled in the major cybersecurity frameworks and can conduct gap assessments and create action plans for you to accomplish your cybersecurity goals.