Our qualified team brings expertise, innovation, industry certifications and insight to your team and to your software solution. We build the framework, educate you on the software and then stand with you as you start your new, more efficient journey.
We have expertise in the following frameworks.
So, let's get started, shall we?
Center for Internet Security (CIS) Critical Security Controls
The Center for Internet Security Critical Security Controls for Effective Cyber Defense, known as the CIS 20, is a publication of best-practice guidelines for computer security. The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that they can be implemented, enforced and monitored primarily by automated means. They give no-nonsense, actionable recommendations for cyber security, written in language that is easily understood by IT personnel.
We believe every organization should, at a minimum, protect itself with the CIS 20.
We believe the CIS 20, which maps easily into most other security frameworks, is a natural starting point for any information security and privacy program.
Depending on many things — your market sector, the types of business you transact, the expectations of your clients or customers, the regulators in your market, your firm’s risk tolerance, to name a few — other frameworks may be required to build a fully functional security program.
GBQ Technology assesses clients against the CIS 20 and helps them navigate what can seem a confusing array of other security frameworks, regulatory authorities and assurance control frameworks.
Security frameworks provide security control selection guidance to management and technology leadership.
The more common security frameworks include:
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded payment cards from the major card brands. PCI DSS is mandated contractually by the card brands for merchants and service providers that store, process or transmit cardholder data. The standard was created to increase controls around cardholder data and so reduce payment card fraud.
The HIPAA Security Rule
Here's the story with HIPAA: in 1996, the Health Insurance Portability and Accountability Act (HIPAA) required that the U.S. Department of Health and Human Services (HHS) develop regulations protecting the privacy and security of patient information.
As part of this regulation, and according to the U.S. Department of Health and Human Services, "the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) established a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called 'covered entities' must put in place to secure individuals' 'electronic protected health information' (e-PHI)."
NIST SP 800-171
The National Institute of Standards and Technology (NIST) created Special Publication 800-171 to help protect Controlled Unclassified Information (CUI). CUI is information that the federal government creates or possesses, or that a contractor creates or handles on its behalf, that requires safeguarding or dissemination controls under law, regulation or government-wide policy, but that is not classified.
NIST SP 800-171 was designed specifically for nonfederal information systems, meaning the systems of private enterprises that handle CUI. Compliance is mandatory for many defense contractors, because the DFARS clause 252.204-7012 requires it of contractors that process covered defense information. The document is essentially a streamlined version of NIST SP 800-53, derived from the moderate baseline and tailored to the protection of CUI. Revision 1 of NIST SP 800-171 includes provisions that may take time to implement, including multifactor authentication, encryption and continuous monitoring.
NIST SP 800-53 and 800-53A
NIST SP 800-53 is a special publication of the National Institute of Standards and Technology (NIST) that initially provided prescriptive security control selection guidance for all U.S. federal information systems except those related to national security; its companion, NIST SP 800-53A, describes how to assess those controls. NIST SP 800-53 Revision 5, which at the time of writing was expected in December 2018 (it was ultimately published in September 2020), broadens the scope of the catalog so that the controls apply to all organizations, not just federal agencies, and to all systems, not just information systems.
NIST SP 800-53, which is publicly available, is also used by many in the non-governmental sectors to measure and manage security:
- Firms select it as an implementation framework that exceeds the requirements of the CIS 20, and regulators use it as a reference in some regulated vertical markets.
- Large organizations often select NIST SP 800-53 as the foundation for setting expectations for, and measuring, third-party suppliers.
- NIST SP 800-53 is foundational to implementing the NIST Risk Management Framework.
The Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. FedRAMP is essentially a set of NIST SP 800-53 baselines tailored to cloud architectures, with cloud-specific parameters and additional requirements.
The Federal Information Security Modernization Act (FISMA)
The Federal Information Security Management Act (FISMA) was signed into law in 2002 in response to the increasing number of cyber attacks on the federal government, and was updated by the Federal Information Security Modernization Act of 2014. FISMA establishes a comprehensive framework for protecting federal information and systems and for improving the government's response to attacks on its departments and agencies. It assigns responsibilities to various agencies to ensure the security of federal data, and requires annual reviews of each agency's information security program. FISMA implementation relies on NIST standards and guidance, including NIST SP 800-53.
The Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, protects consumers' non-public personal financial information. Its provisions limit when a financial institution may disclose a consumer's non-public personal information to non-affiliated third parties, and its pretexting provisions protect you and your business from third parties obtaining personal information under false pretenses.
ISO 27000 Family of Standards
The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family is a series of best-practice standards on information security management. Together they provide a globally recognized framework for managing information security.
The two key standards are ISO/IEC 27001 and ISO/IEC 27002:
- ISO/IEC 27001 specifies the requirements for establishing, operating and continually improving an "Information Security Management System" (ISMS), and is the standard against which an organization's ISMS can be certified. Its Annex A lists the controls an organization selects from, based on a risk assessment, to treat its information security risks.
- ISO/IEC 27002 is the companion control catalog: it provides implementation guidance for each of the controls referenced in ISO/IEC 27001, from which a risk-derived security program can be built.
Regulatory authorities are, in most cases, laws and regulations, and in others private contractual obligations, that prescribe security controls and activities which an organization covered by the obligation must meet.
And there’s more!
Our list isn't exhaustive. The regulatory alphabet soup continues to expand: there are over 1,000 information security and privacy regulatory authorities. In 2018 alone, the EU's GDPR took effect, and California, Vietnam and Brazil each enacted new privacy or cybersecurity requirements.
The security frameworks and regulatory authorities listed above were selected because they can be used as tools to prescribe how to organize a security program and what to implement in order to meet leading security practices and regulatory obligations.