According to the Trends in Security Framework Adoption Survey, conducted by Dimensional Research on behalf of Tenable, 44% of organizations use more than one security framework. That is half of the 88% of organizations that use a framework at all. Combining frameworks seems to be encouraged by the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) itself, because it includes cross-references to other frameworks, including the Center for Internet Security Critical Security Controls (CSC). I have spoken with people at multiple organizations who see the CSF and the CSC as complementary: the CSF is well suited for risk assessment and for identifying gaps between current and target profiles, while the CSC is well suited to guiding detailed technical control implementation.
You may be saying to yourself, “Implementing a single framework is challenging enough. How can anyone implement more than one?” It is true that security framework implementation is challenging; as a rule it is a long-term project requiring a multi-year budget commitment. A key to success is to prioritize business services based on risk assessment and then to begin implementing the most important controls for the highest-risk services. Using the CSF and CSC together can help you do just that. The CSF helps you prioritize business services, and the CSC controls are themselves prioritized, so you can start implementation with the first five controls, designated Foundational Cyber Hygiene. Achieve a quick win, adapt if needed based on lessons learned, and then address the next highest priority. That may be the next business service, or it may be additional security controls for the current business service.
The City of Portland, Oregon is one organization that has taken this approach. It is using both the CSF and CSC frameworks to guide security program evolution. Christopher Paidhrin, Portland’s Information Security Manager, uses both frameworks to meet the following objectives:
- Prioritize risk and remediation
- Identify security gaps and selective metrics
- Align business risk to Critical Security Controls
- Prioritize budget and resources
The CSC technical control implementation is directed by Brian Ventura, one of the city’s Information Security Architects.
Both Christopher and Brian will be presenting a case study explaining Portland’s experience at an upcoming Multi-State Information Sharing and Analysis Center (MS-ISAC) webcast, A Prioritized Approach to Implement the NIST CSF Using the CIS Critical Security Controls.
Christopher Paidhrin is a CSF expert and frequent conference speaker. He will share Portland’s risk-based security roadmap and has generously offered to make his roadmap planning spreadsheet available to attendees. Brian Ventura is a CSC expert who frequently teaches a SANS course about planning, implementing, and auditing the Critical Security Controls. Brian will explain how the city is implementing the CSC Foundational Cyber Hygiene controls, including examples from SecurityCenter Continuous View™.
Please join them for the webcast. I have seen a sneak peek of their content and know that it will be worth your time.