One of the most common questions that we get here at Compass is “What is an IT Security Framework?” This is a great question as folks sometimes confuse the various frameworks with different compliance requirements or regulations that they must adhere to based on their business. If you look at just the word framework, you will get a definition that uses words like support and structure. When it comes to Information Security Frameworks, the fundamental definition is the same. According to Joe Granneman from TechTarget, an IT Security Framework is:
“A series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls.”
Think of this like a house. When you build a house, you "frame" out all the walls, divide the rooms, and provide the base layer of support for the house. When it comes to Information Security, the framework essentially tells your organization how to build your overall information security program to help mitigate your risk. There are a number of different frameworks to choose from based on your business. However, for the purposes of this blog post we will look at the NIST Cybersecurity Framework and the 5 key areas within the framework.
NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. In 2014, NIST introduced version 1.0 of the Cybersecurity Framework (version 1.1 is currently in development). The framework is organized around 5 “functions”, which form its core, and these are in turn divided into a total of 22 “categories” of controls. In this blog post, we are going to look at the 5 functions and the categories contained under each one. So, without further ado, let’s get to the core of the framework:
Those are the 5 core functions of the NIST Cybersecurity Framework and the categories contained within each function. This is intended to be a very high-level overview of the Framework. Over the next 5 weeks, we will publish a series of blog posts that home in on each of the 5 core functions, providing additional information on what the Framework is and how to start thinking about implementing it in your organization. In the meantime, since the NIST Cybersecurity Framework is all about creating IT Security policies and procedures, feel free to download our IT Security Policies ebook for more information on the essential IT Security policies your organization should have in place today. Till next week…
If you have any questions about your specific environment or circumstances, please contact us for more information.