It’s obvious that managed services providers (MSPs) provide technical support and management to protect their customers’ interests. But in a sense, it’s equally important that MSPs protect their customers through deliberately implementing and following the right information security frameworks. There are various security frameworks available for just about every size and type of business, and it can benefit an MSP to be familiar with at least the most popular and effective options. Understanding the landscape of IT security frameworks can ideally help MSPs do their jobs with confidence, build better relationships with their customers, and even attract potential customers.
You work hard to ensure information security for yourself and your client. But if your methods are piecemeal and ad hoc, it could lead to oversights and vulnerabilities. An information security framework is a comprehensive plan for the implementation and ongoing operation of the tools and practices necessary to protect your organization’s data and systems. There are three essential factors, known as the (confidentiality, integrity, and availability) CIA triad, that make up any effective secure frame: confidentiality, integrity, and accessibility.
The point of implementing an information security framework is essentially to reduce risk, as it provides daily and emergency procedures for ensuring security. Such frameworks provide a “what-if” blueprint for effective disaster response and common security concerns. As an MSP, it’s crucial to be familiar with information security frameworks, as these guides instill confidence and can boost your reputation with customers.
Common security frameworks (CSF), common security controls, and information security framework are terms often used interchangeably, along with the term information security management system. But usage seems to suggest that CSF more commonly refers to the “brand names” of information security frameworks. A framework could be as simple as a single page outline, though that would definitely not be effective for most organizations. CSFs are the comprehensive standardized systems developed by national and international bodies and adopted by many enterprises.
There are a number of common security control frameworks that can help businesses of various types protect against vulnerabilities, and choosing the right framework depends on a number of factors specific to MSPs and their clients. Here, we’ll discuss the most common IT security frameworks and some of the pros and cons of each.
The ISO 27000 series is a CSF published by the International Organization for Standardization. It is the gold standard for information security frameworks, and many others are based off its specifications.
One notable feature of ISO is its sheer breadth. It has 46 modules, some focusing on specific facets of information security like network security and application security, and some focusing on specific industries like healthcare. Whatever your customer needs, you are likely to find a module addressing it, and you can skip over unneeded areas without sacrificing effectiveness. Many organizations focus mostly on ISO 27001, which deals with threat and vulnerability assessments, developing a system customized for your organization, and recommending numerous controls in areas like cryptography, access management, physical and environmental security, and information system incident management.
ISO does not offer and does not require certification. However, many third-party organizations do offer ISO certification. The ISO series itself is not free, and certification will add more expense. Overall, note that ISO encourages organizations to develop an ISMS that is right for them, treating the ISO 27000 series as a guide, not exact rules.
The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, first published its Special Publication 800-53 in 1990 in order to help nonmilitary federal agencies adapt to Federal Information Processing Standards (FIPS). This framework contains a number of best practices for information security in government, and due to the guide’s comprehensive and flexible nature, it has become extremely popular in the private sector as well.
Advantages of NIST 800-53 are that it is arguably even more comprehensive than ISO 27000. Any nongovernmental entities who want to work on government contracts may be required to be certified in these best practices. On the plus side, all needed documents are available free through government websites. However, that comprehensiveness could also be a disadvantage. At nearly 500 pages, NIST 800-53 could overwhelm even experienced IT professionals, and make it an unwieldy tool for good information security management.
A relative newcomer from the same agency as SP 800-53, the CSF was created in 2014 and published publicly several years later as the result of a US federal executive order to better protect critical infrastructure from cyberattacks. To this end, the CSF provides a brief and accessible high-order guide to information security, broken down into five categories: identify, protect, detect, respond, and recover.
While the CSF is not a truly comprehensive security framework, it is a solid foundation for small organizations that cannot afford the time or investment of ISO or NIST 800-53. It could also be effective as an introduction for nontechnical executives who are responsible for information security decisions.
By some measures, PCI DSS is the most common information security framework in the world. However, it’s not really a framework, as its scope is too limited and its best practices do not comprehensively cover an organization’s whole operations. But it merits mention here as PCI DSS plays such a big role in the information security space and it could certainly provide useful controls for MSPs building their own custom information security framework.
PCI DSS was created by the five major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to combat credit card fraud. The first version was released in 2004. It features 12 requirements in six “control groups,” which are:
Compliance with PCI DSS is not government mandated but is required by the credit card companies for every single enterprise that processes credit or debit card transactions and/or data, regardless of size or volume. The card companies levy monetary penalties for noncompliance. If your organization stores or processes card data, PCI DSS must be part of your security framework. And if you deal with any sensitive data, this is a good starting place.
After HIPAA was passed in 1996, the healthcare industry struggled with the law’s vague regulations and loopholes. Organizations were allowed to self-assess their cybersecurity threat levels, even though many hospitals and doctors’ offices did not have the qualified experts on staff.
HITRUST’s CSF was created in 2007 to give healthcare organizations clear, actionable guidelines for information security. It was made with HIPAA compliance and the healthcare industry in mind, but is available for all organizations in all industries. It is especially useful for any industry that deals with regulation and private data. Like other newer CSFs, it builds on the most common existing ones, with the claim that it unites and draws on elements of ISO, NIST, PCI, HIPAA, and state laws.
HITRUST is risk-based, which means it is customizable and adaptable to your customers’ threat levels. It is free for qualified organizations and certification is available, so you don’t have to go it alone.
COBIT [Link to recent COBIT article] is to the financial industry as HITRUST is to the healthcare industry. Created by the Information Systems Audit and Control Association (IASCA), the controls and best practices were defined in the 1990s for financial auditors but were quickly expanded for all industries. Like HITRUST, COBIT helps with compliance for specific regulations, specifically the Sarbanes-Oxley Act.
COBIT is a high-level system that integrates the overlapping elements of major CSFs. It divides the IT process into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
The options here are a good start for anyone looking to build or adapt a common security framework. As an MSP, it’s important to be familiar with these frameworks in order to better assess threat levels and security needs of your customers, and to understand if your own business is compliant. Contact our team to ensure that your security framework complies with industry standards.