What is a Common Security Framework (CSF), and why is it important to your organization's enterprise security? A CSF (sometimes referred to as an IT Security Framework or an Information Security Management System) is a set of documented policies and procedures that govern the implementation and ongoing management of an organization's security program. Think of it as a blueprint or operator's guide for security. Many organizations pursue a Common Security Framework to improve their overall security posture and, frequently, to help meet the requirements of various compliance and regulatory measures.

There are a variety of frameworks in use today, and we will look at a few of them below. Choosing the right one can be difficult, since the available options cover different priorities, vertical markets, and levels of complexity.

One point worth discussing up front is that CSFs and compliance measures are not the same thing. There is a common misunderstanding that something like the Payment Card Industry Data Security Standard (PCI DSS) is a security framework. While PCI DSS certainly has elements that describe security measures, it is not a Common Security Framework, for two primary reasons:

1. Limited scope. The scope of many compliance measures is limited to a particular kind of data or system (PCI DSS certainly falls into this category: it covers the cardholder data environment, not the enterprise as a whole).
2. Limited model. Compliance standards are not holistic in how they look at security; they address only the measures that serve the objectives of that particular standard.

Common Security Frameworks were developed to address both issues by covering a wide range of security considerations across the entire enterprise. CSFs are generally not very specific with respect to technologies. For example, many CSFs will state that you must deploy multi-factor authentication, but will not offer an opinion on which specific products you should evaluate, whether they should be on-premises or cloud-based, and so on. That generality is deliberate: the framework says what must be in place and leaves the how to the organization's own risk assessment.

Here are some of the more common examples in use today. Note that this list is from a U.S. perspective; other frameworks exist and may have different adoption rates outside the U.S. That said, CSFs are generally more globally applicable than compliance standards, since they are designed to provide a blueprint for overall security rather than to satisfy local laws or regulations.
• NIST SP 800 series. Started in 1990, this has matured into a well-respected and frequently used CSF. The series consists of many publications, each addressing a specific area of security; for example, SP 800-50 covers Building an Information Technology Security Awareness and Training Program, and SP 800-52 covers Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. Although it was developed by the U.S. government, the NIST 800 series has seen wide adoption by commercial organizations globally, and many other CSFs started as offshoots of the NIST publications. Most U.S. federal agencies are required to comply with it: Federal Information Processing Standard (FIPS) 200 sets the minimum security requirements for federal information systems, and the security controls it requires are catalogued in NIST SP 800-53.
• ISO 27000 series. This evolved from the British Standard BS 7799 and is popular because of the global recognition ISO enjoys across a wide variety of standards, although the complexity and cost of pursuing ISO certification are sometimes a deterrent. There are three core documents: ISO/IEC 27000 is an overview that defines the vocabulary and objectives of the series, ISO/IEC 27001 specifies the requirements for an Information Security Management System (and is the document an organization is actually certified against), and ISO/IEC 27002 provides implementation guidance for the security controls referenced by 27001. Beyond these, there are optional sector-specific standards for organizations that wish to adopt them; for example, ISO 27799 addresses healthcare-specific concerns.
• SANS 20 / CIS 20 (now the CIS Critical Security Controls). This is the framework organizations pursue when they want the most important areas of security covered but do not want to incur the expense and labor of a more exhaustive framework like NIST or ISO. As the name implies, it originally prescribed twenty key areas of focus; the current version (v8) consolidates them into eighteen controls.
• HITRUST. The HITRUST CSF was developed by drawing on components of NIST, ISO, and other sources. It is specific to the healthcare industry and is seeing wide adoption there, particularly in the U.S.
• COBIT. Published by ISACA, COBIT is an IT governance and management framework rather than a security-only one, and it is heavily used in the financial sector and by public companies. ISACA also offers individual certifications, such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM), which are often associated with COBIT but are separate from it. COBIT is frequently used to meet the IT control requirements of organizations that must comply with Sarbanes-Oxley (SOX).
In general, we see organizations leveraging CSFs in one or more of the following four ways:

1. To improve overall security. Using the CSF blueprint to make sure the most important aspects of security are addressed.
2. As a competitive differentiator. Establishing a competitive advantage through a demonstrably greater focus on security and on the protection of their own and their customers' assets.
3. To meet compliance and/or regulatory requirements. Often necessary in specific vertical industries such as healthcare or financial services.
4. To free up budget and purchasing ability for security. Once a business decision has been made to pursue a CSF, the budget required to meet its requirements is frequently easier to obtain.
