With several new laws impacting security and privacy, discussions around control frameworks are becoming prevalent. However, what a control framework is and the criteria that should be used in choosing the most applicable framework for your specific needs are usually misunderstood.
What is a Control Framework?
In simple terms, a control framework is a set of cybersecurity, privacy, and physical security controls. This set is intended to enable organizations to comply with applicable laws, regulations, and contracts, and also to build secure systems and processes that help make the business more efficient and profitable. These collections of controls are usually focused on an area of risk, such as cybersecurity (NIST Cybersecurity Framework, Secure Controls Framework, etc.) or financial reporting (COSO), and can either be generated internally or come from an external source. They can even cover a particular function or area, such as the Payment Card Industry Data Security Standard (PCI DSS), which is focused entirely on protecting credit and debit card data.
Control frameworks are usually broken down by the various domains they cover, such as access control, business continuity, third-party management, etc., to help organize the structure of the controls. However, it is vital to realize that use of a control framework can only provide a company with reasonable assurance on how risk is being addressed, not absolute assurance. From an assurance perspective, frameworks do not include a way to measure the effectiveness of the controls in addressing risk, nor do they capture the relationship between or inter-dependency of controls (a layered approach to control implementation).
Obsolescence of “Industry-Specific Frameworks”
For the better part of the last two decades, it was common for companies to have simple control sets that focused on a single compliance requirement, such as a financial institution needing to comply with GLBA, a merchant that only needed to focus on PCI DSS or a healthcare provider that only needed to address HIPAA. For the most part, those days are gone as “industry-specific frameworks” no longer exist due to several factors:
(1) The evolving nature of business models pushes businesses beyond just one industry vertical in terms of cybersecurity and privacy requirements.
(2) The trickle-down effect of compliance obligations from clients and partners through contracts.
(3) New state, federal, and international laws and regulations that require secure practices.
Rise of the “Metaframework”
A metaframework is a “framework of frameworks” that incorporates the control requirements of multiple laws, regulations, and other frameworks into one single framework. When a company needs to address only one or two compliance obligations (HIPAA or PCI DSS), it isn’t too difficult to manage those according to their respective control sets. However, when you start adding multiple laws, regulations, and frameworks into the mix, it quickly becomes difficult to manage compliance based on multiple, individual control sets. Hence the need for a metaframework that can bridge multiple frameworks by allowing organizations to use a single, unified control set that maps to multiple laws, regulations, and industry frameworks. These metaframeworks can also be used to quickly identify those controls called out by specific regulations, both domestically and internationally.
“It is important to remember that picking a framework to align to is predominantly a business decision and not a technology or security decision”
Two of the common metaframeworks are the open source Secure Controls Framework (SCF) and the commercial Unified Compliance Framework (UCF). Both metaframeworks have strong followings and are commonly used in Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) solutions as core control sets that are used to manage a wide variety of cybersecurity and privacy requirements.
How to Pick A Framework
It is important to remember that picking a framework to align to is predominantly a business decision and not a technology or security decision. The reason for this is that each framework addresses risk differently, and a company has to consider which risks it is trying to reduce, since not all frameworks cover the same topics and that can lead to gaps in coverage. The easiest way to start this process is to take a data-centric approach: analyze the company’s critical business functions and processes to identify where operations exist that store, transmit, and process data, as well as what types of data your company needs to protect. The end result of this exercise should be a set of Minimum Security Requirements (MSR), which in turn define the minimum controls that must be in place to address legal, regulatory, and contractual compliance needs.
Once the MSR are identified, the next step is to evaluate the options. Is there a single control set (e.g., ISO 27002) that meets all the needs? Is there a metaframework that will address all the cybersecurity and privacy requirements that need to be addressed? Trying to comply with multiple, independent frameworks in their entirety can be expensive, hard to manage, and overly burdensome to the staff tasked with managing the controls. The most efficient approach is most often to create your own hybrid control framework or to leverage an existing metaframework. In either case, only those controls that apply to your business processes should be considered.
Once a control framework has been decided upon or created, you can then set up ongoing governance routines to review any major changes to your infrastructure or business processes to ensure that the control framework is updated to reflect the current state. Your control framework must evolve with the changes in your business practices or use of technology.
Does choosing a control framework merit the amount of work that goes into it? Absolutely! The cost of non-compliance can be staggering in terms of fines, negative publicity, and legal fees. With the FTC’s Article 5 ability to investigate and fine businesses for failing to take security and privacy seriously, having a comprehensive control set and governance program is simply a business necessity to demonstrate evidence of due care and due diligence in maintaining secure systems and processes.
Using a control framework can help you better understand your internal business processes and the risks posed to your organization, and allow you to determine the organization’s risk appetite (each company has a certain level of risk it is willing to accept). It will also allow you to better manage your control portfolio, further reducing risk to your organization.