In the third chapter of our series on the five key components of an effective cybersecurity management program, we take a deeper dive into the process of implementing cybersecurity controls and provide an overview of some leading cybersecurity control standards.
Cybersecurity controls include safeguards or countermeasures implemented by an organization to protect itself from an incident that may result in the compromise of electronic information. When discussing cybersecurity, a compromise of electronic information means any event that reduces the confidentiality, integrity, or availability of that electronic information. In a rapidly evolving technology and cybersecurity landscape, the conventional wisdom is that any organization can and will suffer a security incident—it’s a matter of when, not if. This very premise is what makes the strategic and effective implementation of cybersecurity controls so important.
Cybersecurity controls may be of several types. Some are preventive; some are detective. Some are automated with configurable technical safeguards; some are manual procedures. It is through an effective balance of cybersecurity controls across people, process, governance, and technology that an organization may not only enhance its ability to defend against a compromise, but also increase its ability to detect an inevitable security compromise while at the same time limiting its exposure and impact.
Cybersecurity controls may:
When implementing cybersecurity controls, an organization should follow seven key steps:
A variety of cybersecurity control standards exist. The sidebar includes a snapshot of the four most frequently utilized. It’s important to note that depending on an organization’s business environment, certain control standards may be required either by industry associations or government regulation. Before selecting a control standard to form the basis of an organization’s cybersecurity program, one needs to understand whether contractual obligations stipulate the use of a specific control standard. It’s also a good idea to discuss this with legal counsel to ensure any regulatory requirements are considered.
Implementing a risk-based selection of cybersecurity controls is a critical step in executing a cybersecurity management program. By selecting and employing a cybersecurity controls standard, an organization is better positioned to protect against, identify, and respond to potential incidents that result in system compromise and data breach. The cybersecurity control standards contain thorough guidance that covers the entire lifecycle of cybersecurity management. By selecting and following these standards, an organization can be more confident in the completeness of its cybersecurity control environment and more easily answer the questions: Are we doing the right things? And are we in control?
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Mandated by executive order, this framework unifies many leading control standards, including NIST SP 800-53 and the International Organization for Standardization (ISO) 27000 series, into a comprehensive framework for how organizations can improve the cybersecurity of critical infrastructure. The core of the framework groups control categories in terms of functions within the cybersecurity lifecycle: identify, protect, detect, respond, and recover. Control activity details can be found in the informative references associated with each control category.
Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53): One of the most comprehensive standards for security controls, it is used by organizations doing business with the United States government. Recently, we’ve seen this gain more widespread acceptance. Categorized in terms of system impact, the control catalog specifies control baselines for high, moderate, and low impact systems.
ISO 27001: This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an information security management system.” The ISO standard sets out the process an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system; it does not provide assurance on the implementation of controls specified within Annex A.
SANS Critical Security Controls: The SANS Institute prioritizes security functions with an emphasis on “what works” and defines the top twenty control areas for enhancing cybersecurity. Of the standards we’ve presented, this one is aimed at a more technical audience. Each of the twenty control areas includes more than 100 implementation activities organized into “quick win,” “visibility/attribution,” “configuration/hygiene,” and “advanced” categories. For organizations just starting to formalize a cybersecurity management program, the “quick win” controls throughout the standard are a great place to begin.
For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.