Finding Out About Frameworks
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
A framework is a basic conceptual structure, or a set of rules and best practices, that we can follow in a systematic way to achieve a desired result. Frameworks keep us focused on the critical IT controls when our work becomes chaotic, when management insists on unreasonable deadlines, or when we become overwhelmed and exhausted. They give us structure for governing complex systems and the people who work in those systems, and they help ensure that an organization gets the most return on its investment in IT.
Frameworks help management maintain governance over IT, especially when the company uses an outsourced IT model. Too often management keeps its hands off IT as long as it gets its email and keeps its name out of the news. A governance framework or cybersecurity framework demystifies the IT environment and gives management real oversight of it. Frameworks also make it easier to have an audit of IT performed, or to benchmark the IT environment against industry standards and peers. Management oversight is essential to obtaining an ROI on IT spending and to aligning IT efforts with the business's direction, values, and goals.
It is valuable to know that there are several frameworks to choose from: as management, you do not have to shoehorn your environment into one particular framework. Here is a brief description of some of the best known and most widely used IT frameworks for your consideration:
COBIT: Control Objectives for Information and Related Technologies.
COBIT is a globally recognized framework for the enterprise governance of information and technology. "Enterprise information and technology" means all the technology and information processing the enterprise puts in place to achieve its goals, wherever in the enterprise that happens; it is not limited to the IT department, although it certainly includes it. COBIT defines the components needed to build and sustain a governance system, defines the design factors an enterprise should consider in order to build a governance system that fits it, and is flexible enough that guidance on new topics can be added.
NIST Cybersecurity Framework:
The NIST Cybersecurity Framework is a voluntary framework of computer security guidance on how organizations can assess and improve their ability to prevent, detect, respond to, and recover from cyber-attacks. It is organized around the core functions Identify, Protect, Detect, Respond, and Recover, which makes it a convenient structure for describing the current state of a security program and the target state management wants to reach.
ISO 27001:
The most widely used framework by far is ISO 27001 (in its current edition), which formally specifies a management system intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements, so an organization that claims to have adopted ISO 27001 can be formally audited and certified as compliant with the standard. ISO 27001 requires that management:
- systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
- design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable;
- adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
ISO 27001 should be used in conjunction with ISO 27002, which provides implementation guidance for the controls that ISO 27001 lists in its Annex A. Note that certification is against ISO 27001 only; ISO 27002 is guidance, not a certifiable standard.
Adoption of a framework should not be attempted without full management support, and it should not be viewed as an "IT project." It will involve the entire business, and the adoption team should reflect this. In short, a framework is how management keeps governance over IT and gives structure to the complex systems, and the people, it depends on. To verify that an outsourced IT provider is delivering industry-leading service, ask which framework the provider follows and ask for evidence that it is actually followed, such as a current certificate or a recent audit report, since claiming to have adopted a framework is not the same as having been audited against it.
Ben Hunter, III, CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]