Cyber Security Framework Complexity – Simplified

surveillance cameras on a pole

There are a ton of cyber security frameworks out there.  Depending on your line of business you may have become acquainted with NIST, HIPAA, PCI DDS, ISO/IEC, SOC, or others.  There are a lot of commonalities amongst these frameworks with complexity being foremost.  We want to break some of that complexity down.

Starts with Questions

All cyber security frameworks start with a questionnaire of some kind. They aim to gather some basic information about if your organization houses, stores, or transmits sensitive data.  Reduced to their simplest form here are some of the questions they typically ask.

  1. Do you use sensitive data in your normal course of business?
  2. Is having a copy of that data essential, or is there a way you could do your job without it?
  3. Do you give any third parties access to that data?
  4. Do you have policies in place for the protection of that data?
  5. Where do you store that data?
  6. Who has access to it?
  7. Is it in once central spot, or on multiple devices and storage locations?
  8. What would happen to your business operations if your systems with that data went offline?
  9. Do you have a disaster recovery plan in place?
  10. Do you have an incident response plan in place in case of a breach?
  11. What security measures do you have in place to protect data on your servers?
  12. What security measures do you have in place to protect data on the cloud?
  13. What security measures do you have in place to protect data on endpoints?

Questions like these are important because they help you have a better understanding of where your sensitive data lives and how it’s used.  That informs your decisions on how to best protect it.

Framework Requirements

The next piece of the picture is to understand the specific requirements of the framework that you’re trying to adhere to.  This is honestly the part where most folks get bogged down.  The requirements for HIPAA or NIST cover wide swaths of organization types.  That lends to generalized language.  Difficult to understand guidelines lead to confusion about real world application.

An expert can help you cut through that to understand what the requirements are really asking you to do.

Solution Mapping

Once you have a clear understanding of where your sensitive data is, how it’s used, and the framework requirements you need to meet, you can start mapping solutions.  Typically, an IT security specialist will look over that information and recommend security solutions based on the information provided and understanding of available solutions. 

Without taking the time to understand the need you may end up with gaps in your solution that don’t allow you to achieve compliance.  That could be a costly mistake.  On the other hand, you may end up paying for solutions that you don’t need if time isn’t taken to understand your current situation.

Cyber Security Solutions

Here is a brief list of some of the different cyber security solutions that are typically put in place for small businesses.  This is by no means a complete list.

  • Password Policy Enforcement (Typically via Domain Controller or Azure AD)
  • Multifactor Authentication
  • Cyber Security Awareness Training
  • Endpoint Detection and Response Software
  • Backup and Disaster Recovery Solution
  • Device Encryption
  • Remote Wipe Capability
  • Vulnerability Scanning
  • Intrusion Prevention System
  • Microsoft Security Patches Updated Regularly
  • Advanced Spam Filtering with Sandboxing
  • Privileged Access Management
  • SIEM/SOC Services
  • Gateway Antivirus
  • Application Control
  • Content Filtering
  • Advanced Threat Protection Sandboxing
Compliance Simplified

i.t.NOW helps clients take care of their cyber security needs.  We work with other security professionals to help our clients get and stay secure and compliant.  Call us today for to start a conversation.

Photo by Thomas Windisch: