The first two installments in this series focused on risk management and risk-based control selection. While not a requirement, it is best to build the security control library based on an established control framework.
There are over 200 different risk management, information security, and privacy frameworks published worldwide. Regardless of the number of applicable regulations and requirements, it is best to identify a primary security control framework and map the other regulatory requirements back. The Secure Controls Framework Council[1] is voluntary industry group that created a meta-framework called the Secure Controls Framework (no surprise there), which aggregates 100 statutory, regulatory and contractual frameworks into 32 domains, and then maps the controls back to the specific controls for each. The Secure Controls Framework can be downloaded free of charge along with associated publications and guidance from the group’s website.
Due to the complexity of the subject and limited time and space, I will focus specifically on the business associate (BA) and its obligations to its customers and the Health Insurance Portability and Accountability Act (HIPAA) when it comes to selecting an information security and privacy framework.
Frameworks and Their Publishers
This section lists the most common frameworks publishers and the most common frameworks applicable to BAs in two categories: freely distributed frameworks and commercially licensed (fee-based) frameworks.
Organizations that Publish Freely Distributed Frameworks
National Institute of Standards and Technology (NIST)
Specific to security and privacy related content, NIST freely distributes the following publications.
- The Cybersecurity Framework v1.1
- SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations
- SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Risk Management Publications
- SP 800-30 – Guide for Conducting Risk Assessments
- SP 800-37 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View
Center for Internet Security (CIS)
The CIS is an international volunteer public/private organization that publishes system level secure configuration benchmarks and a controls framework with implementation and prioritization guidance.
- CIS Benchmarks[1] – The CIS publishes over 100 security configuration benchmarks across 25 commercial and open-source product families.
- CIS Control Framework v8[2] – The CIS recently published the eighth version of its control framework. The framework is mapped to the NIST CsF, SP 800-53 and SP 800-171. The framework includes implementation and prioritization guidance as well.
PCI Security Standards Council (PCI SSC)
The PCI SSC is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide[3]. The PCI SSC publishes a data security standard (DSS) and the payment application data security (PA-DSS) standard.
- PCI-DSS – A set of security controls that must be implemented by merchants that accept payment cards for processing. Unlike NIST and ISO frameworks, the PCI-DSS is specific and includes implementation guidance.
- PA-DSS – Requirements for software vendors to ensure the development of secure payment applications that support PCI DSS compliance. The PA-DSS program will reach end of life in July of this year and will be replaced by the PCI Software Security Framework (SSF).
Cloud Security Alliance (CSA)
The CSA is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. The CSA publishes the Cloud Controls Matrix[4] (CCM), as well as healthcare specific guidance in the form of a special working group.
- CSA-CMM – Defines 197 controls across 17 domains that align with s aligned to the CSA Security Guidance for Cloud Computing, considered a de-facto standard for cloud security assurance and compliance.
Organizations that Publish Licensable Frameworks
Health Information Trust Alliance (HITRUST)
The HITRUST Alliance was founded in 2007 and publishes standards and guidance for health IT security, privacy and risk management, an assurance program and certification of auditors, as well criteria for implementation of its Common Security Framework (CSF).
- HITRUST CSF standardizes the most commonly accepted security and privacy-related regulations, standards, and frameworks, including ISO, NIST, PCI, HIPAA, and COBIT.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
ISO is an independent, non-governmental international organization with a membership of 165 national standards bodies. The ISO standards are similar to the NIST standards but must be licensed from the organization.
- ISO/IEC 27001/27002 – 27001 is a framework defines the requirements for certification, while 27002 provides guidance for how the controls are implemented.
- ISO/IEC 27005 – Information Security Risk Management
Information Systems Audit and Control Association (ISACA)
ISACA helps enterprises thrive with performance improvement solutions and customizable IS/IT training that enable organizations to evaluate, perform, and achieve transformative outcomes and business success.
- COBIT 5 – The Control Objectives for Information and Technology[5] is a framework that aligns its governance structure to security and privacy controls. ISACA also publishes guidance in the form of whitepapers, tool kits, and other exhibits.
Axelos
The Information Technology Infrastructure Library (ITIL) was acquired by Axelos in a joint venture set up in 2014 by the Government of the United Kingdom and Capita, to develop, manage and operate qualifications in best practice, in methodologies formerly owned by the Office of Government Commerce.
- ITIL v4 provides a framework for service delivery that takes into account areas of concern to information security such as change management and incident management.
Why Clearwater Has Adopted the NIST Cybersecurity Framework
At Clearwater, we develop and implement methodologies based on the special publications and guidance delivered by NIST. We do this because Clearwater and our customers serve the healthcare industry, primarily conduct business in, and are regulated by the United States Federal and State governments. Also, HIPAA rules are enforced by the Office for Civil Rights (OCR), and OCR guidance as well as guidance from Health and Human Services (HHS), is based on NIST standards.
The NIST Cybersecurity Framework is the result of collaboration between private sector industry professionals and government agencies. It was borne out of Executive Order 13636, which focused on improving critical infrastructure cybersecurity. Healthcare is one of the 16 critical infrastructure sectors.
The framework integrates industry best practices and standards into a common language to help organizations understand and communicate risks internally and externally throughout their supply chain.
The preliminary voluntary framework came out in 2013, with version 1.0 released the following year, defining its core and implementation tiers and establishing controls, security functions, categories, subcategories, and more.
With the Cybersecurity Enhancement Act of 2014, Congress ratified these voluntary standards into NIST responsibilities. The framework is designed to help organizations:
- Identify risks, vulnerabilities and their potential impact
- Inform response
- Recover from incidents
- Evaluate root causes for weaknesses and vulnerabilities
- Take steps to improve controls to reduce risks
This framework, however, has not remained static and is evolving along with today’s modern threat landscape. In 2018, for example, it was expanded to include self-assessments, supply chain risk management, identity and access management, and the vulnerability disclosure lifecycle.
And more changes are anticipated in the future, including guidance on:
- Cyberattack lifecycle: automated indicator sharing and data analytics
- Internet of things (IoT)
- Artificial intelligence (AI) and machine learning
- Measuring cybersecurity
- Referencing techniques
- Secure software development
- Governance and enterprise risk management
The NIST Cybersecurity Framework aligns to the cybersecurity program management lifecycle. It has five core functions:
- Identify
- Protect
- Detect
- Respond
- Recover
These five functions have an additional 23 related categories (think: control families) and another 108 subcategories (think: controls).
You can take a phased approach to implementing these core functions, categories, and subcategories, beginning at partial implementation, and then move upward in program maturity to risk-informed, repeatable, and adaptive stages.
On each side of the framework, you should also focus on governance and communication, which are important supporting elements for framework implementation and program management.
Selecting the Right Framework for Your Organization
While the NIST Cybersecurity Framework is adaptable for organizations of all sizes across a range of industries, you may be curious if it’s right for you. How do you know if this or another framework may better suit your needs?
Before you settle on a framework and get to work implementing it, I recommend conducting a business impact analysis (BIA). A BIA will give you insight into your critical business functions and help you map those functions to your organization’s missions and objectives. You’ll also be able to:
- Identify which critical systems (think: assets) support your most critical functions
- Understand your risk tolerances
- Identify regulatory and compliance requirements throughout your organization
- Identify existing threats and vulnerabilities
- Make a plan to address gaps and weaknesses
- Document those plans
Once you’ve determined those critical processes and assets-and have a better understanding of your strengths and weaknesses-you’ll be better prepared to select the framework that best meets your organization’s priorities.
If you have questions about frameworks or how to conduct a BIA, please reach out at henry.sprafkin@clearwatercompliance.com.