In addition, specialized frameworks are less comprehensive and address specific aspects of information
compliance. HIPAA, for example, provides security requirements to protect patient privacy; PCI in the
retail sector addresses credit card processing; FedRAMP covers Federal cloud standards; and the energy
sector relies on the NERC Critical Infrastructure Plan. The list is long, and today even individual states
are adopting their own cyber security frameworks (e.g., NYDFS).
If there is a drawback to security frameworks, however, it is that most provide a “30,000-foot view” of
information security. Most identify potential risks as well as how to protect against, detect, respond to and
even recover from cyber-attacks. Specific implementation steps, on the other hand, are rarely addressed.
There is one critical exception. At the core of most, if not all, frameworks is a set of
security-related controls that affect the security posture and/or functionality of the system.
Now, with established, recognized standards to accomplish this network security “hardening,” along with
new automation solutions, IT personnel have an effective starting point and foundation for implementing
security frameworks.
Critical Security Controls and Configuration Settings
Critical Security Controls provide specific safeguards for any and all systems connected to the network,
including mainframe computers, servers, endpoints, attached devices, network appliances, operating
systems, middleware, and applications.
The controls affect areas such as access control, audit and accountability, identification and
authentication, contingency planning, incident response, configuration and change management, and
physical and environmental security. By changing configuration settings in hardware, software, or
firmware, companies can improve their security posture.
Of all the available frameworks, NIST SP 800-53, in its latest published revision, provides the most
comprehensive baseline of security controls, prioritized and categorized by level of risk.
However, it is still up to the individual organization to establish company-specific configuration settings:
changes to registry settings; account and file or directory permission settings; and settings for functions,
ports, protocols, services, and remote connections.
This task often falls to information security and IT staff, many of whom lack background and training
in the area. This introduces the potential that systems will be under-protected and/or left with exploitable
security gaps.
As a result, many organizations, even those that apply security frameworks voluntarily, are moving
away from proprietary security hardening efforts in favor of recognized and established best practices.
This simplifies deployment and configuration, enhances change control and automates auditing,
significantly reducing risk.