Audit and Assurance

Security Framework Implementation

  • 1.  Security Framework Implementation

    Posted 19 Mar, 2020 09:55

    My company is looking to formally implement a security framework, either NIST CSF or HITRUST. Has anyone had any experience implementing a framework? If so, do you have any recommendations or best practices to get started? My first thought was to perform a gap analysis against the framework to see where we stand with controls, policies, etc. Also wondering if this is something we handle strictly in-house or if it would make sense to bring in some consultants to assist?


    Michael Donahue
    Information Security Analyst

  • 2.  RE: Security Framework Implementation

    Posted 19 Mar, 2020 19:09
    Hi Michael,

    I'd begin from what your regulatory requirement is. Each industry has specific security framework requirements, e.g. PCI-DSS, HIPAA, ISO 27001, etc. NIST is quite difficult to implement. NIST controls can be overwhelming. You can start from the simple CIS security controls and gradually expand to more controls later on.
    I'd start from a security self-assessment in-house if you have the resources to do so, because external consultants would do the same as you do in-house.


    Chayan Rattanavijai
    SVP Information Security

  • 3.  RE: Security Framework Implementation

    Posted 21 Mar, 2020 13:01
    Good, this is along the lines of our initial plan.

    Thanks Chayan!

    Michael Donahue
    Information Security Analyst

  • 4.  RE: Security Framework Implementation

    Posted 25 Mar, 2020 07:16
    It would also come down to whether you think someone internally has the expertise and bandwidth to complete the self-assessment and what level of assurance you are looking for. Many times an outside consultant can also provide an unbiased point of view and provide areas of process improvement that internal personnel may not call out.

    Troy Fine
    Schneider Downs

  • 5.  RE: Security Framework Implementation

    Posted 28 Mar, 2020 06:12
    Hi Mike,
    You can consider the NIST CSF 1.1 version toolkit to start with. Here are a very few simple steps, which you can adhere to for implementation. My assumption is you have IT security infrastructure in place.
    • First of all, keep your entire IT asset management up to date (like servers/network security devices/desktops/laptops).
    • Define the policies and processes as required, like an organization information security policy.
    • NIST CSF has 5 key functions - Identify/Detect/Protect/Respond/Recover. You have to map your organization's assets accordingly, like policy/process/risk management practice and so on.
    • While performing the third point, if you do not have a capability in place which should be aligned with the NIST CSF framework, don't worry, just note it down and take a decision later.
    • Once security capabilities are mapped with the NIST CSF framework, then you can do the gap assessment: whether it's implemented or not, or partially implemented. And later you can discuss accordingly to fulfill the gaps.
    Here is a small example of NIST CSF framework and security capability mapping at a high level -

    Identify - Governance, Risk and Compliance, like policy/risk management/asset management
    Protect - Security awareness training/firewall/router/endpoint security solution/encryption etc.
    Detect - IDS/security monitoring tools etc.
    Response - Response planning and communication (security incident response planning document, tools etc.)
    Recovery - BCP test/monthly or quarterly maintenance tests at organization level.

    Note - It's not mandated that you have to follow NIST CSF; as per your organization's size and requirements you can consider the NIST CSF functions. For example, Respond and Recover can be clubbed together and managed.

    Hope this will help you.


    Shridhar Kuppannagari
    Lead Consultant