With the rise of mobile business environments, cloud services, IoT, and bring-your-own-device (BYOD) policies, the nature of security has changed dramatically. Perimeters are extinct, and our data is everywhere. Meanwhile, hackers are armed with the newest technology and techniques and are taking advantage of the changing data security landscape.
The types and frequency of security threats continue to grow.
Since 2005, the number of breaches has risen consistently in the United States, with 1,473 breaches recorded in 2019, exposing over 164.68 million sensitive records.
For all of these reasons, organizations today need to have formal plans in place to mitigate cybersecurity risks and protect their valuable assets.
Here at Hyperproof, our mission from day one has been to help organizations mitigate risk, by providing software that helps infosec and compliance teams build effective compliance programs.
To achieve this mission, we’ve built software that enables our customers to understand and implement best-in-class cybersecurity and data privacy standards in their organizations (e.g. NIST SP 800-53, ISO 27001). Implementing these security standards can help organizations ensure they have a solid security baseline and, more importantly, practice good hygiene on an ongoing basis to build resiliency, a necessity in our dynamic risk environment.
To that end, as experts in cybersecurity, network security, and data privacy enhance their knowledge of how specific threat vectors work and develop best practices for protection and mitigation, Hyperproof incorporates these expert-developed frameworks into our product so our customers can use them to improve their security posture.
At this time, Hyperproof’s compliance operations platform has added support for two of the most well-recognized frameworks in the security realm: the NIST Cybersecurity Framework and the Cloud Security Alliance Cloud Controls Matrix.
In this article, we’ll provide some key facts on each framework and thoughts on why you may want to leverage these frameworks to guide your organization’s security function. We’ll also highlight what the frameworks look like in Hyperproof.
NIST Cybersecurity Framework
Developed in collaboration between industry and government (the National Institute of Standards and Technology), the Cybersecurity Framework consists of standards, guidelines, and practices to help organizations better manage and reduce cybersecurity risk.
Cybersecurity is a complex topic, and the NIST CF provides a common language and methodology for communicating cyber risks to all stakeholders in an understandable way. It helps guide key decisions about risk management activities through the various levels of an organization — from senior executives to new employees. NIST standards are based on best practices from several security documents, organizations, and publications (e.g. ISO 27001, COBIT 5, etc.).
Because the framework is designed to be outcome driven (as opposed to prescriptive), it works for organizations of all sizes, industries, and maturities. Whether you’re just getting started in establishing a cybersecurity program or you’re already running a fairly mature program, the framework can provide value by acting as a top-level security management tool that helps assess cybersecurity risk across the organization.
NIST’s cybersecurity framework outlines five key areas your organization should address from a cyber protection perspective: identify, protect, detect, respond, and recover. Under each area is a specific set of activities organizations should undertake in order to combat common threat vectors.
If you’ve taken the time to cover all five areas, your organization will be fairly well protected within your overall environment (including cloud environments and traditional infrastructure environments).
You can utilize Hyperproof’s NIST CF template to expedite your implementation process. The template contains 108 requirements across five areas (identify, protect, detect, respond and recover) and 199 illustrative controls — providing you with a starting point for customization.
With the template, you can start to customize the controls to fit your specific needs and collect evidence on whether a control is implemented or working as intended. Hyperproof also makes it easy to collaborate with other colleagues. For instance, you can assign control owners, invite others to work on controls in Hyperproof, and set automated reminders for colleagues to evaluate controls. Hyperproof comes with dashboards so you can gauge your progress as you work through control domains.
Not only does Hyperproof help you implement the framework faster, it allows you to ensure that controls are managed on an ongoing basis — to keep up with events that may change your risk profile.
Cloud Security Alliance Cloud Controls Matrix (CCM)
According to the Cloud Security Alliance, the Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and assist potential cloud customers in assessing the overall security risk of a cloud provider. Organizations implement the CCM as a way to strengthen their existing information security control environments. It delineates control guidance by role (service provider versus consumer) and differentiates it according to the specific cloud service model and deployment environment.
If you are a cloud vendor and your organization wants to conduct business with the government or any security-conscious enterprise, achieving cloud security certifications is the procurement gate. Cloud compliance frameworks like the CSA CCM provide the guidelines and structure necessary for maintaining the level of security your customers demand.
The CCM contains 16 control domains that are cross-walked to other industry-accepted standards, regulations, and control frameworks to simplify audits. The crosswalks include but are not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, ENISA Information Assurance Framework, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, and many others.
The latest version of CCM (v3.0) contains the following domains:
- Application and Interface Security
- Audit Assurance and Compliance
- Business Continuity Management and Op Resilience
- Change Control and Configuration Management
- Data Security and Information Lifecycle Management
- Datacenter Security
- Encryption and Key Management
- Governance and Risk Management
- Human Resources Security
- Identity and Access Management
- Infrastructure and Virtualization
- Interoperability and Portability
- Mobile Security
- Security Incident Management, E-discovery, and Cloud Forensics
- Supply Chain Management, Transparency, and Access
- Threat and Vulnerability Management
While some of your cloud solution customers may be satisfied knowing that you have met the requirements of the CCM, others may need greater assurance through third-party verification. To that end, the Cloud Security Alliance has developed a certification program called STAR. The value-added CSA STAR certification verifies an above-and-beyond cloud security stance that carries weight with customers. Further, the STAR registry documents the security and privacy controls provided by popular cloud computing offerings so cloud customers can assess their security providers and make good purchasing decisions.
In Hyperproof, you can utilize a program template that helps you put controls in place for each CCM control domain. Once you start adding controls, you can associate evidence to document that a control is implemented or tested and the result of the test. Hyperproof makes it easy to collaborate with other colleagues whose work touches the domains within the CCM. The application comes with dashboards so you can gauge your progress as you work towards the STAR certification.
In Hyperproof, you can utilize the CSA CCM (Version 3.0.1) template to expedite your implementation. The template contains 133 control objectives structured in 16 domains, covering all key aspects of cloud technology.
With the Hyperproof template, you can start to customize the controls to fit your specific circumstances and then collect evidence to show that a control is implemented and working as intended. Hyperproof also makes it easy to collaborate with other colleagues. For instance, you can assign control owners and invite others to work on controls in Hyperproof and set automated reminders for colleagues to evaluate controls. And Hyperproof provides dashboards so you can gauge your progress as you work through control domains.
Not only does Hyperproof help you implement the framework faster, it allows you to ensure that controls are managed on an ongoing basis so you can keep up with events that may change your risk profile.
If you’d like to learn more about how Hyperproof can help you achieve the oversight, consistency, and efficiency you need to run an effective compliance program — we’d love to talk to you.
The post Hyperproof Now Supports NIST Cybersecurity Framework and CSA CCM appeared first on Hyperproof.
This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/resource/hyperproof-supports-nist-cf/