March 3, 2020

Which Security Controls Framework Is Right for You?

NuHarbor Security

With acronyms inside of acronyms and hundreds of pages of documentation, choosing a security controls assessment framework can be daunting. NuHarbor Security has years of experience working with different controls frameworks, and we’ve laid out the basics to help you get started. This isn’t intended to be a comprehensive list, but rather a jumping-off point into the world of security controls frameworks.

What Is a Controls Assessment?

A security controls assessment is a review of an organization’s security controls and is conducted either voluntarily or as part of a certification. It’s great for identifying gaps in security policy and implementing and verifying controls. A controls assessment is not a risk assessment, and you can find out more about the differences between the two.

What Is the Purpose of a Framework?

A framework provides standardized criteria for an objective point-in-time evaluation of an organization’s security controls. It’s a set of requirements that helps ensure your organization has its bases covered. A framework can also help identify gaps in your security program.

NIST 800-53

The National Institute of Standards and Technology (NIST) 800-53 framework applies to all U.S. federal information systems, excluding those related to national security. NIST 800-53 is an implementation of the Federal Information Security Management Act. Federal agencies are expected to comply with NIST 800-53, as are private companies with federal contracts. NIST 800-53 is also a good fit for larger private organizations and shouldn’t be seen as strictly applicable to federal entities.

There are three phases to a NIST 800-53 evaluation:

  1. Document Review

First, the assessor gets a general understanding of your organization. They review security policies, procedures, and standards. It’s important that the assessor understands the structure and components of your organization. The first phase also helps develop contextually relevant questions for the next phase.

  2. Staff Interviews and Limited Assurance Testing

Based on information gathered in phase one, the assessor focuses on specific questions about your policies, procedures, and standards that were not addressed in the first phase. Limited assurance testing is used to spot-check that policies are in place and effective. Both aspects help the assessor gain a detailed understanding of how your organization implemented controls.

  3. Reporting

The third phase involves the assessor identifying control gaps and compliance issues, and suggesting improvements based on the information gathered in the previous two phases. This is compiled into a report and reviewed with your organization, addressing any questions that may arise. NuHarbor NIST 800-53 evaluations are compiled into two main deliverables, one detailing control-specific concerns and suggestions, and one high-level overview of the findings across multiple controls and control groups with broader recommendations.

If you think that NIST 800-53 would be a good fit for your organization, check out our blog on the NIST 800-53 Security Assessment Process.

NIST Cybersecurity Framework (NCF)

Issued in 2013, Executive Order 13636 called for a flexible security framework that could be adapted to different industries. NIST created the NIST Cybersecurity Framework (NCF) in 2014 to address the order. NIST 800-53 heavily influenced the creation of the NCF, and there are many similarities between the two. The NCF is industry-agnostic and intended to guide a company based on its priorities and business risk model. The NCF is a voluntary framework, and there are no requirements or mandatory controls. Because you can approach this framework from many directions, it’s a great choice for programs with limited scope or budget.

Core Components

The framework uses five core components that reflect the high-level functions of an organization’s security program:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Implementation Tiers

The NCF uses implementation tiers to guide your organization in identifying an appropriate rigor of security based on your organization’s strategic goals and objectives. This allows your organization to define exactly what aspects of security to focus on, and identify the extent to which the controls are feasible to implement. This is particularly useful for small organizations with limited resources. Additionally, NCF can help uncover areas where your organization may be over-allocating resources, allowing for redistribution to weaker areas and increasing efficiency across the entire security program.

Framework Profiles

You can use NCF to create framework profiles to define your organizational requirements, risk, and resources. It’s helpful to create multiple profiles and set goals. For example, you might start with one framework profile while targeting a second. Make the second profile your reach goal (i.e., where you want your security program to grow towards).

Since the NCF is highly adaptive, it’s great for organizations that don’t quite fit into the more rigid frameworks like NIST 800-53 or PCI DSS. Check out our NCF Quickstart Guide if you think the framework is a good fit for your organization.

PCI DSS

In 2006, American Express, Discover, JCB, MasterCard, and Visa came together to develop a common data security standard, which they released as the Payment Card Industry Data Security Standard (PCI DSS). The standard helps companies that accept, process, store, or transmit credit card information to ensure that the data they process is secure. The industry developed PCI DSS “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.” If your organization facilitates credit card transactions, chances are good that you should be PCI DSS compliant.

Control Groups

PCI DSS addresses the following six control groups:

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Assessment Methods

Depending on the merchant level and transaction volume of your organization, you may need to either submit a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ). If you’re assessing PCI DSS voluntarily, you’ll most likely be using an SAQ. For help determining which Self-Assessment Questionnaire to use, check out this blog post.

If your company deals with any aspect of credit card transactions, check out PCI DSS. You can find more information on PCI DSS on our PCI Compliance Services page.

The world of controls assessment frameworks is complex, but NuHarbor is here to guide you.
