We hear a great deal about Security Frameworks these days. It seems like everyone has a Security Framework tailored to exactly what an organization needs, and it is touted as THE FRAMEWORK to structure your IT operations. We have ISO, HIPAA, NIST, FINRA, GLBA, PCI, and what seems like a hundred other Frameworks and compliance regimes. So what is it all about and why does it matter? We all want security in the end, so can’t we just pick one and go?
Frameworks, in their simplest form, are checklists and suggestions to help ensure that the majority of common issues are addressed. In this regard, they are an extremely helpful means of conceptualizing, architecting, deploying, and verifying a wide variety of IT Security, Governance, and Privacy controls. Since this is their purpose, most models have a great deal in common. For example, HIPAA, PCI and ISO all call for unique passwords with a desired level of complexity. If we want to meet all three compliance regimes under a single policy, we could simply write to the highest standard and be compliant across the board. The trick is combining these standards and creating Policies and Procedures that support all of the compliance requirements with a single policy. It sounds simple enough, but condensing hundreds of controls into a minimal number of policies that remain simple to understand and execute can be difficult.
Experience navigating this maze is important to develop the IT Security posture that best suits your organization. Look for partners that know the frameworks and how to apply them successfully, from both a policy and a technical platform standpoint. These types of partners are rare gems that can save time and money with IT Security and Privacy programs.