
Cybersecurity Maturity Models – A 40,000 Foot Overview

By David Whale posted 12-17-2021 17:25


Please enjoy this blog post authored by David Whale, Director Information Security, Fasken Martineau Dumoulin LLP 

The world of cybersecurity maturity models is on par with going to your favorite buffet (pre-Covid of course) for your birthday dinner. So many options. Government-based frameworks, regulatory-based frameworks, development-based frameworks, cloud-based frameworks, Internet of Things-based frameworks… Where to start? How to start?

This blog post will take a high-level look at 10 of the more popular frameworks in hopes of making your questions clearer than mud.

NIST Cybersecurity Framework (CSF):

When President Obama calls for security you create the NIST CSF. It is meant to provide better collaboration between public and private sectors for identifying, assessing and managing cyber risk. Although the framework’s design aims to secure critical infrastructure, private organizations frequently leverage it to strengthen their cyber defenses. NIST CSF is focused around a structured process over 5 functions (identify, protect, detect, respond, recover) and brings best practices directly from NIST 800-53, allowing it to be leveraged for a range of security requirements.

NIST CSF has become the gold standard for organizations to self-assess cybersecurity maturity, identify gaps and meet regulations.

ISO 27001/27002:

If you need a recognized certification look no further than ISO 27001/27002. These certifications are considered the international standard for validating a cybersecurity program as they provide an independent third-party verification that allows you to demonstrate you are managing cyber risk with mature practices and controls in line with recognized and audited best practices.

ISO 27001/27002 establishes requirements and controls for information security with a focus on protecting information across people, processes and technology. It’s a broad framework that can be applied to all types and sizes of organizations.

ISO 27001/27002 is often used by companies that need to market information security capabilities through certification to win business. It’s no small undertaking: it requires time and resources and needs to be re-evaluated annually to stay current and maintain certification.

Service Organization Control (SOC) Type 2:

SOC2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants (AICPA). Its purpose is to enable security for organizations that collect and store customer information and help verify that vendors and partners are securely managing data in their control.

SOC2 specifies compliance requirements and extensive auditing processes for third-party systems and controls. Once the audit is complete you receive a report that attests to your cybersecurity posture.

SOC2 is all-encompassing, which can make it tough to implement (especially for highly regulated organizations) but provides a competitive edge for service providers and organizations that store, process or transmit any kind of information.

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP):

NERC-CIP came about to mitigate the rise in attacks on US critical infrastructure and third-party risks. It’s a mandatory set of cybersecurity standards for entities that own or manage facilities that are part of the U.S. and Canadian electric power grid. NERC-CIP is meant to identify and reduce risk and ensure reliability (very important for critical infrastructure).

NERC-CIP requires a range of controls including categorizing systems and critical assets, training, incident response, recovery and vulnerability assessments.

If you’re looking for a standard focused on improving operational control, environmental awareness, system readiness, reliability and protection maybe NERC-CIP is for you. If you’re an owner, operator or user of bulk electric systems, well you have no choice.

Health Insurance Portability and Accountability Act (HIPAA):

HIPAA is a cybersecurity framework that sets the standard for sensitive patient data protection and contains various guidelines that enable sufficient controls for securing employee or customer health information. HIPAA demonstrates compliance against cyber best practices and enforces a risk-based approach that requires organizations to demonstrate a clear understanding of how to implement security requirements and when to use them.

Healthcare organizations are required to comply with HIPAA since they collect and store health information for all patients.

If your organization deals with protected health information (PHI), offers group health plans, or provides services to physicians, healthcare providers, hospitals or insurance companies you should be looking at aligning with HIPAA.

General Data Protection Regulation (GDPR):

GDPR is a framework created to strengthen data protection procedures and practices for securing personally identifiable information belonging to citizens of the European Union (EU). It impacts all organizations established in the EU along with any business that collects and stores the private data of EU citizens.

The regulation framework provides a set of mandatory security requirements (including data access rights, data protection policies and procedures and data breach notification requirements) that organizations in different parts of the world must implement. As such, it is a global framework that protects the data of all EU citizens. GDPR is a regulation that holds stiff non-compliance penalties. This has helped force many organizations to comply with the requirements.

If you’re an entity that collects or processes personal data of residents of the EU (no matter where your company resides), GDPR is a must. If you don’t deal with EU residents but are concerned with privacy, GDPR is still a great framework to build on.

Federal Information Security Management Act (FISMA):

FISMA is a comprehensive cybersecurity framework that protects federal government information and systems against cyber threats. FISMA also extends to third parties and vendors who work on behalf of federal agencies.

The FISMA framework is aligned closely with NIST standards and requires agencies and third parties to maintain an inventory of their digital assets and identify any integrations between networks and systems. Sensitive information must be categorized according to risk, and security controls must meet minimum security standards as defined by FIPS and NIST 800 guidelines. Agencies and third parties must also perform cybersecurity risk assessments and annual security reviews, and continuously monitor their IT infrastructure.

If you’re a private sector company that has a contractual relationship with the government, whether to provide services, support a federal program, or receive grant money, you must comply with FISMA. If you’re not involved with government work but are looking for a risk-management-centered approach with heightened awareness, strong incident response and continuous monitoring, FISMA may fit the bill.

Information Assurance for Small and Medium Enterprises (IASME Governance):

IASME governance refers to cybersecurity standards designed to enable small and medium-sized enterprises to realize adequate information assurance. IASME governance outlines criteria by which a business can be certified for implementing the relevant cybersecurity measures.

The standard enables companies to demonstrate to new or existing customers their readiness to protect business or personal data. In short, it is used to accredit a business’s cybersecurity posture.

The IASME governance accreditation is similar to that of an ISO 27001 certification. However, implementing and maintaining the standard comes with reduced costs, administrative overheads, and complexities.

If you’re a small business looking to provide assurance to your clients that you have adequate controls in place to protect against a data breach but lack the appetite or budget for ISO 27001, IASME governance is a great option.

CIS Controls (formerly the SANS Top 20):

The CIS Controls framework is a listing of technical controls and best-practice configurations that can be applied to any environment. It is solely focused on hardening technical infrastructure to reduce risk and increase resiliency. The controls provide direct operational advice, are meant to be automated and pair well with other risk management frameworks to help remediate identified risks.

It provides 20 mission-critical controls across three categories (Basic, Foundational, Organizational) and three implementation groups (limited resources and cybersecurity expertise, moderate resources and cybersecurity expertise, significant resources and cybersecurity expertise).

CIS Controls are a set of recommendations that provide actionable steps for defending computer systems from sophisticated attacks. This list of highly effective actions is relatively short, but offers a prioritized starting point for any organization seeking to improve its cybersecurity.

Control Objectives for Information and related Technology (COBIT):

COBIT is a governance system and framework from ISACA, primarily focused on reducing technical risks in business processes, that integrates with IT security, governance, and management. Its goal is to ensure appropriate oversight of your organization’s security posture and provide alignment of IT and business-strategic goals.

COBIT has capability levels, based on process capability schemes ranging from 0 to 5, that reflect how well a process is implemented and performing. It creates a security framework that streamlines audits and incorporates continuous improvement.

The COBIT cybersecurity framework is useful for companies aiming to improve production quality and, at the same time, adhere to enhanced security practices. It aims to meet stakeholder cybersecurity expectations, provide end-to-end procedure controls for enterprises, and address the need for a single but integrated security framework. COBIT is most commonly used by publicly traded companies required to comply with Sarbanes-Oxley.

As you can see there’s no shortage of framework options. No matter what you choose, make sure you don’t just pay lip service to the standard. Security controls can’t be implemented simply to meet a certain standard. You must think about your industry and compliance requirements, have solid business reasons (improving processes, procedures, and security) and strong support from management to be successful.

Your framework of choice should be a blueprint enabling you to build an information security program that manages risk, reduces vulnerabilities and defines and prioritizes tasks required to build security into your organization.

Any one of these will help you organize and manage an information security program. The only bad choice is not choosing any at all.