Mobile devices are computers in their own right and are often connected to a larger enterprise information technology system, making mobile security a necessary part of an organization’s overall security efforts.
However, there is no single standard when it comes to information security or computer security, thus no unified, off-the-shelf approach for either mobile or enterprise security.
And, it gets even more complicated than that.
Companies also find themselves subject to multiple regulatory regimes and industry mandates that must be met in addition to best practice security approaches. So what is a chief information security officer (CISO) to do?
One approach is to start with one or more of the available “security frameworks” and avoid the need to develop the best security procedures for your company on your own.
Security frameworks are coordinated systems of tools and actions that allow CISOs and their staff to monitor data, transactions, and users at the point where data is used, so that critical information remains secure. Benefits of using one or more rigorous and recognized security frameworks include:
- Protecting vital organizational processes and systems,
- Protecting company data from access by non-authorized users,
- Providing a common vocabulary and meaning of terms,
- Providing a unified understanding of procedures to monitor and maintain security,
- Providing a basis for methodical and efficient analysis of threats and counter-measures, and
- Providing a plan for minimizing damage if an intrusion does occur, and methods for disaster recovery of vital systems.
But, there are dozens of security frameworks to choose from, some more appropriate for one type of organization than another. Some apply to all industries, while others are designed for a specific field of endeavor. Some are mandated by law, while others are voluntary. Some are proprietary, while others are open. Only a few of the available frameworks focus specifically on mobile security.
According to a recent paper by Diana Salazar,
“the first step in utilizing a framework is to determine what industry-specific compliance requirements apply to the business. Cross-reference tables are available for overlapping security controls to meet compliance requirements across the multiple frameworks that apply to an organization. Implementing a comprehensive framework prevents an adverse impact on the organization by enabling resilience and improved defenses.”
Here is a list of major computer and information security frameworks I’ve put together from a variety of sources:
The following standards are widely cited and apply to any industry:
National Institute of Standards and Technology Cyber Security Framework (NIST) – This framework from the U.S. Department of Commerce is used by many states and municipalities, and it can be applied to any industry.
Control Objectives for Information and Related Technology (COBIT) aligns IT with strategic business goals and is commonly used to achieve compliance with Sarbanes-Oxley requirements.
The International Organization for Standardization (ISO) has a recognized worldwide information security framework for all types and sizes of organizations.
Sherwood Applied Business Security Architecture (SABSA) is designed for information assurance architectures and risk management frameworks. It integrates security and risk management into IT architecture methods and frameworks.
OCTAVE Allegro – OCTAVE, which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, was developed at Carnegie Mellon University.
Many industries have developed their own standards to fit with their specific needs. Here are some examples:
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies and consists of the standards by which merchants must process credit cards. If you take credit card information and store it on a computer, this standard likely applies to you.
The HITRUST CyberAid program was developed to assist small organizations in the health sector in the US with information and computer security, and risk management.
The Health Information Technology for Economic and Clinical Health (HITECH) Act (2009) and the Health Information Portability and Accountability Act (HIPAA) (1996) apply to both health providers and payers. They mandate privacy and security standards for the health industry that must be adhered to in the US.
The Federal Financial Institutions Examinations Council has guidelines on cybersecurity for financial services, banks, and credit unions.
The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR) for assessing the security practices of cloud providers. The CSA also has a Security Guidance Working Group that offers guidelines for cybersecurity.
The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) program is the national critical infrastructure framework for energy providers and utilities.
Publicly Traded Companies
The Sarbanes-Oxley (SOX) Act of 2002 requires publicly traded companies to meet Section 404 compliance for cyber security. The implications of this are discussed in a useful white paper by the SANS Institute.
Proprietary Security Frameworks
Of course, there are many proprietary security frameworks, especially from vendors offering “managed security services” or enterprise-level software. Here are a few interesting examples:
The IBM Mobile Security Framework advocates these steps in setting up secure mobile computing:
- Protect Devices
- Secure Content and Collaboration
- Safeguard Applications and Data
- Manage Access and Fraud
- Extend Security Intelligence
In cooperation with Forrester, the well-known consulting company, IBM has also sponsored a useful video series on mobile cybersecurity.
Symantec has many years’ experience in the security space, so it is not surprising that they offer managed security services in many different business sectors. For the electric utilities industry they have Symantec Managed Security Services Solutions for NERC CIP, delivering real-time threat monitoring and analysis to help utility providers demonstrate NERC CIP compliance.
Verizon’s VERIS (Vocabulary for Event Recording and Incident Sharing) Framework is a taxonomy that standardizes how security incidents are described and categorized.
For a list of other managed security services frameworks see the 2015 Magic Quadrant on Managed Security Services vendors from Gartner.
Open Enterprise Security Frameworks
Finally, here is a list of open enterprise security frameworks which may be applicable to your business. Most of these are listed in the Wikipedia article on “Enterprise Information Security Architecture.”
This exploration of enterprise security frameworks supports my observation that there is no single standard out there for enterprise security. Instead, if you are in charge of security for your organization, you need to investigate which of the available security frameworks apply to your business, and adapt accordingly. For large enterprises, this may involve a team of security specialists working with several security frameworks.
For small and medium businesses, Float offers an app called Security Assistant as a great place to start.