
by David Cartmel

July 18, 2018

Frameworks - Frameworks - Frameworks

We hear a great deal about Security Frameworks these days. It seems like everyone has a Security Framework tailored to exactly what an organization needs, and it is touted as THE FRAMEWORK to structure your IT operations. We have ISO, HIPAA, NIST, FINRA, GLBA, PCI, and what seems like a hundred other frameworks and compliance regimes. So what is it all about and why does it matter? We all want security in the end, so can't we just pick one and go?

The truth is these Security Frameworks are tailored to specific operation types and serve specific purposes. PCI helps businesses process credit cards safely and keeps your money safe. HIPAA focuses on our health records and, again, we want to keep those records safe from prying eyes. Easy enough: if we are a dentist's office, we pick HIPAA and we are good to go – unless we happen to take credit cards for payment. Now we have to adopt the PCI framework as well, because the bank demands it to process those credit card payments. So now we have HIPAA and PCI frameworks to manage. Or what if we are a manufacturer governed by an ISO framework, with a clinic inside the facility under HIPAA, and a cafeteria that takes credit cards (PCI)? The alphabet soup is getting thick, and it is not uncommon at all for a normal organization to be required to adhere to three to five frameworks.

Here is the good news (and there is some). Though the Security Frameworks are all different and tailored to specific applications, they are also remarkably similar in most aspects! Wait – what? Similar in what ways?

Frameworks, in their simplest form, are checklists and suggestions that help ensure the majority of common issues are addressed. In this regard, they are an extremely helpful means of conceptualizing, architecting, deploying, and verifying a wide variety of IT Security, Governance, and Privacy controls. Since they share this purpose, most models have a great deal in common. For example, HIPAA, PCI and ISO all call for unique passwords with a desired level of complexity. If we want to meet all three compliances under a single policy, we can simply write to the highest standard and be compliant across the board. The trick is combining these standards and creating Policies and Procedures that support all of the compliances with a single policy. It sounds simple enough, but combining hundreds of controls into a minimal number of policies that remain easy to understand and execute can be difficult.
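As an added illustration of "writing to the highest standard" (this is example code, not part of the original post; the numeric requirements are constructed placeholders, not the actual HIPAA, PCI or ISO text), the routine below merges each overlapping password control in the direction that keeps every framework satisfied and then reports which frameworks a given policy still falls short of:

```python
# Added example: consolidate overlapping password controls from several
# frameworks into one policy written to the strictest requirement, then
# verify a policy against each framework. All requirement values below are
# constructed placeholders for illustration, not real HIPAA/PCI/ISO figures.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordControl:
    min_length: int                   # satisfied by any value >= this
    max_age_days: int                 # satisfied by any value <= this
    history: int                      # prior passwords that may not be reused, >= this
    required_classes: frozenset[str]  # character classes enforced, superset of this
    lockout_attempts: int             # failed logins before lockout, <= this

def consolidate(controls: dict[str, PasswordControl]) -> PasswordControl:
    """Merge per-framework controls into one policy at the highest standard.
    Each field is combined in whichever direction keeps every source satisfied."""
    cs = list(controls.values())
    return PasswordControl(
        min_length=max(c.min_length for c in cs),
        max_age_days=min(c.max_age_days for c in cs),
        history=max(c.history for c in cs),
        required_classes=frozenset().union(*(c.required_classes for c in cs)),
        lockout_attempts=min(c.lockout_attempts for c in cs),
    )

def satisfies(policy: PasswordControl, req: PasswordControl) -> bool:
    """True when the policy meets one framework's requirement on every field."""
    return (policy.min_length >= req.min_length
            and policy.max_age_days <= req.max_age_days
            and policy.history >= req.history
            and policy.required_classes >= req.required_classes
            and policy.lockout_attempts <= req.lockout_attempts)

def gaps(policy: PasswordControl, controls: dict[str, PasswordControl]) -> list[str]:
    """Frameworks the policy does not satisfy; an empty list means compliant across the board."""
    return [name for name, req in controls.items() if not satisfies(policy, req)]

# Constructed placeholder requirements (illustrative only, not the real standards).
FRAMEWORKS = {
    "HIPAA-policy": PasswordControl(8, 180, 4, frozenset({"upper", "lower", "digit"}), 10),
    "PCI-policy": PasswordControl(12, 90, 4, frozenset({"lower", "digit"}), 6),
    "ISO-policy": PasswordControl(10, 365, 6, frozenset({"upper", "lower", "digit", "symbol"}), 5),
}
UNIFIED = consolidate(FRAMEWORKS)  # one policy that satisfies all three

if __name__ == "__main__":
    print(UNIFIED, "gaps:", gaps(UNIFIED, FRAMEWORKS))
```

The same pattern extends to any control whose requirements are orderable (retention periods, encryption key sizes, review cadences); fields that cannot be ordered need a mapping step instead.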

Experience navigating this maze is important to developing the IT Security posture that best suits your organization. Look for partners who know the frameworks and how to apply them successfully from both a policy and a technical standpoint. These types of partners are rare gems that can save time and money on IT Security and Privacy programs.

For more information about Moser's Security experts, visit our security page.


David Cartmel

David Cartmel is a 25-year veteran of the industry with a focus on IT security, governance, and privacy. He currently maintains the CISM, CIPM, CBCP, and CISSP certifications to support clients.
