Cyber Security Audit - Frameworks and Standards to use

Big-JJ (Member, Posts: 53)
Hi there,

I will be leading a cyber security audit for our company. I have done some IT audit (and other IT-related audit) but not specifically cyber security related. Since I am not technical, we are planning to hire a consultant for this audit.

My plan is to start with doing some research.

So, what would be good cyber security frameworks or standards that I should look into as a starting point?

Thanks in advance.
MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP

Comments

  • aftereffector (Member, Posts: 525)
    What industry are you in?

    NIST Risk Management Framework, à la NIST SP 800-53 (and SP 800-53A Rev. 4 and CNSSI 1253 et al.), is very good for government-related networks with a lot of confidentiality and integrity controls. I'd recommend ISO 27000 if you deal with overseas clients. COBIT is pretty good for financial markets that have to deal with PCI DSS. ITIL is another good choice, but I haven't had any exposure to it.

    There are a lot more, but NIST / ISO 27000 / COBIT / ITIL are four of the more popular ones.
    CCIE Security - this one might take a while...
  • 636-555-3226 (Member, Posts: 975)
    How big is your company and how many security folks? If no security folks, how many IT resources can you spare? Almost everybody I know uses the NIST Cybersecurity Framework, but it's worth jack for actually telling an inexperienced company with no security leadership what to do. In that case I'd recommend using a standards-based approach like the Center for Internet Security's Top 20 Critical Security Controls, as they have defined action items and (I feel) are a bit more approachable than other standards like ISO 27k or NIST SP 800-53.
  • markulous (Member, Posts: 2,394)
    Yeah, kind of depends what your business is. You may want to use HIPAA if it's healthcare, whereas maybe PCI would be better for a retail store(s). As mentioned above, NIST is a pretty good standard and will overlap quite a bit with some of the other ones.
  • Big-JJ (Member, Posts: 53)
    aftereffector wrote: »
    What industry are you in?

    NIST Risk Management Framework, à la NIST SP 800-53 (and SP 800-53A Rev. 4 and CNSSI 1253 et al.), is very good for government-related networks with a lot of confidentiality and integrity controls. I'd recommend ISO 27000 if you deal with overseas clients. COBIT is pretty good for financial markets that have to deal with PCI DSS. ITIL is another good choice, but I haven't had any exposure to it.

    There are a lot more, but NIST / ISO 27000 / COBIT / ITIL are four of the more popular ones.
    Thanks for the suggestion.

    I am in public health care.

    Aren't COBIT and ITIL geared more toward IT processes and IT general controls, not really security focused?
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • Big-JJ (Member, Posts: 53)
    636-555-3226 wrote: »
    How big is your company and how many security folks? If no security folks, how many IT resources can you spare? Almost everybody I know uses the NIST Cybersecurity Framework, but it's worth jack for actually telling an inexperienced company with no security leadership what to do. In that case I'd recommend using a standards-based approach like the Center for Internet Security's Top 20 Critical Security Controls, as they have defined action items and (I feel) are a bit more approachable than other standards like ISO 27k or NIST SP 800-53.

    Thanks for your suggestion. This audit will cover 3 public health care entities, so the total number of employees is quite big. I actually thought of that approach as well... focusing on the Top 20 security controls rather than using the vague and general frameworks that might not add that much value to stakeholders. But we do need some sort of framework or best practices to rely on, though. Maybe I can combine the two.
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • Big-JJ (Member, Posts: 53)
    markulous wrote: »
    Yeah, kind of depends what your business is. You may want to use HIPAA if it's healthcare, whereas maybe PCI would be better for a retail store(s). As mentioned above, NIST is a pretty good standard and will overlap quite a bit with some of the other ones.

    I will definitely look into HIPAA.
    MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP
  • soccarplayer29 (Member, Posts: 230)
    As others have stated, NIST 800-53 Rev. 4 is a good place to start; it is designed for government entities, but some commercial companies use it also.

    Since you're in the healthcare industry, I'd suggest the HITRUST Common Security Framework (CSF). It overlaps heavily with the NIST and financial (COBIT/FISCAM) standards but with an emphasis on protecting PII.

    Let us know your thoughts and how you proceed.
    Certs: CISSP, CISA, PMP
  • TheFORCE (Member, Posts: 2,297)
    Really? You have a CISA and you are not aware of any cyber security frameworks?
    Start reading on ISO 27xxx, those are somewhat simple and general to get you started. Look at the NIST publications after that.

    Where is the company located? If you don't mind me asking.
  • tpatt100 (Member, Posts: 2,991)
    What I learned from IT auditing is to read up on different frameworks, choose one, and then create a security audit that fulfills the requirements of the framework.

    NIST is a good place to start:

    Cybersecurity Framework

    I have read a ton of documentation on HIPAA, COBIT, NIST, etc. There is a lot of wording in these documents. Since you are in healthcare, read up on HIPAA and then figure out what your goals are and start meeting with management, your IT people, HR, etc., because it will eventually involve all of them due to technical as well as administrative requirements.

    This is a great beginner's book on IT auditing that gives you a good top level view of IT auditing for security reasons.

    IT Auditing Using Controls to Protect Information Assets, 2nd Edition

    A decent IT audit will fulfill many of the requirements of a security audit; I am doing SOX at the moment and there is a lot of overlap. If you are starting from scratch, you might as well choose a well-known framework.
  • TechGuru80 (Member, Posts: 1,539)
    Since nobody else mentioned it... CSC Top 20 is another guide, not necessarily a framework.
  • beads (Member, Posts: 1,531)
    CSC Top 20 comes straight out of NIST recommendations made years ago. Speaking of NIST, I don't recommend the framework for non-governmental organizations. It's 20 percent of the overall framework and contains far too many items your organization is not going to conform to in the first place, like FIPS 140-1 and 140-2. How about that physical security plan? Not likely. Five banners to click through to get into the network? Yeah, business digs complexity.

    If you're working in the healthcare space, find any one of the HIPAA resources and work outward from there. PCI-DSS, if applicable, will encompass about the first 75-80 percent of HIPAA, so the rest is fairly easy to implement for the average SMB. Large businesses and enterprises would already have much of this set up and running, but the PCI-DSS part becomes very, very complicated at the top two levels.

    From experience, I would encourage you to make friends with everyone in HR. Know their strengths, weaknesses and any resistance to HIPAA etc. Much the same when discussing changes with clinicians, who will throw the biggest fit over change.

    Without understanding what the overall GRC goals may be, it would be difficult to advise further.

    - b/eads, A healthcare security expert