Estimated Reading Time: 4 Minutes
By Aaron Nolan
Having a guideline, framework or standard is fundamental for a business to define policy and assess its risk. Many companies are constrained in how they operate by guidelines, frameworks or standards, whether from the Central Bank, HIPAA or ISO 27001. How far each of these is taken varies with the company’s view of risk.
If you are looking for content to aid you in managing technology risk and governance, we recommend our Content Series. Subscribe and learn in detail how we help Financial Services companies.
A guideline is a recommendation, typically by a governing body, on the operational actions an organisation should take when there is no defined standard or framework in place.
An example of this is the Central Bank of Ireland’s handbook for Credit Unions or Financial Services, which is advisory in nature and not mandatory for institutions to follow. Guidelines help an organisation meet its legal and regulatory requirements by offering best practice advice, and they provide recommendations on how standards or baselines should be implemented.
The main benefit of guidelines is that they can be adapted to suit the context of the business, allowing flexibility in implementation. They can be adjusted, modified and scoped to fit the company’s needs.
However, one of the main drawbacks of working from a guideline is that guidelines are open to interpretation and not clearly defined, leaving many grey areas of uncertainty.
A framework is a conceptual structure defined by the governance of an organisation to set out policies within the company. This is a top-down approach with the main stakeholders identified first, along with their needs and their appetite for risk. Those who will manage the policies on a day-to-day basis are determined at a later stage.
An example of a framework would be NIST or COBIT, with clearly defined policies and controls to be implemented. Frameworks do not specifically need to come from one source as organisations can draw from several standards to develop their own structure.
The benefit of having a framework over a guideline is that there are clear controls and policies that must be in place in order to adhere to it. Another advantage is that you can draw from several sources to build your own framework.
The main disadvantage of drawing from several frameworks is that doing so may not make you fully compliant with any specific standard or regulation. Be mindful of which frameworks you use as a reference and whether they are consistent with one another.
A standard is a mandatory activity, action or rule which is usually verified by a third party and certified. These are typically organisational security standards that specify how hardware and software must be used, in order to satisfy the needs of the standard. Standards are created to support and reinforce policies, while providing more detail and direction on the controls.
The IASME Gold standard and ISO 27001 are examples of standards with precise controls which organisations must adhere to if they wish to be certified. Independent auditors verify that the required controls are in place, so that the organisation can remain certified against the standard.
A crucial advantage of having standards in place is that they provide reassurance to your customers, third parties and authorising bodies that you take the relevant standard seriously. They are beneficial for an organisation’s reputation, and also reassure stakeholders that the required controls are being adhered to.
While there are not many drawbacks to adopting a standard, standards can be costly to implement and maintain. Regular reviews are required to keep the certification current, so ongoing resources are needed, adding further cost.
We have a great deal of experience with compliance across several different verticals, which allows us to work with customers in highly regulated industries, such as healthcare and financial services. Over the years we have discovered which frameworks are easier for the majority of people to understand, apply and follow.
One of these frameworks is the NIST Cybersecurity Framework, the most commonly used in the USA to evaluate a business’s technology infrastructure. It serves as an excellent place to start, because it allows companies to identify their most significant weaknesses and strengths, which in turn makes it easier to decide where to focus first.
The NIST Cybersecurity Framework covers a business’s capacity to withstand a wide range of threats. It has five core functions: identify, protect, detect, respond and recover. Each of these can be rated from 0 to 4, depending on the business’s readiness. Taken together, these ratings give a clear and detailed picture of how a business’s technology infrastructure behaves, which is why we recommend it and use it with our customers.
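The rating scheme just described is easy to turn into a small self-assessment tool. The example below is added here and is not code from the author or from NIST: it takes a constructed set of 0 to 4 ratings for the controls under each of the five functions, rolls them up into one readiness level per function, and orders the functions weakest first so the company can see where to focus. The five functions and the 0 to 4 scale come from the text; how individual control ratings roll up into a function level (here the arithmetic mean, rounded down) and the sample ratings themselves are assumptions made for illustration.

```python
"""Constructed NIST CSF readiness scorer (added example, not from the original page).

Assumptions not stated by the page: control ratings roll up into a function
level by taking the mean and rounding down, and the sample assessment below is
invented for illustration.
"""
import math
from statistics import mean

# The five core functions and the rating scale named in the text.
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
MIN_LEVEL, MAX_LEVEL = 0, 4

# Constructed sample assessment: one 0-4 rating per control, grouped by function.
SAMPLE_ASSESSMENT = {
    "identify": [3, 4, 3],
    "protect": [2, 2, 3, 1],
    "detect": [1, 0, 1],
    "respond": [2, 3],
    "recover": [1, 1, 2],
}


def validate(assessment):
    """Reject unknown or missing functions and any rating outside 0-4."""
    unknown = set(assessment) - set(FUNCTIONS)
    missing = set(FUNCTIONS) - set(assessment)
    if unknown or missing:
        raise ValueError(f"unknown functions {sorted(unknown)}, missing {sorted(missing)}")
    for function, ratings in assessment.items():
        if not ratings:
            raise ValueError(f"{function}: no control ratings supplied")
        for rating in ratings:
            if not isinstance(rating, int) or not MIN_LEVEL <= rating <= MAX_LEVEL:
                raise ValueError(f"{function}: rating {rating!r} is outside {MIN_LEVEL}-{MAX_LEVEL}")


def score_functions(assessment):
    """Return {function: level}, where level is the mean rating rounded down (assumed roll-up)."""
    validate(assessment)
    return {function: math.floor(mean(assessment[function])) for function in FUNCTIONS}


def focus_order(scores):
    """Functions ordered weakest first; ties keep the framework's own order."""
    return sorted(FUNCTIONS, key=lambda f: (scores[f], FUNCTIONS.index(f)))


def readiness_profile(assessment):
    """Per-function levels, the recommended focus order and the spread between best and worst."""
    scores = score_functions(assessment)
    return {
        "scores": scores,
        "focus": focus_order(scores),
        # A large spread is the inconsistency the text warns about: strong in some
        # functions, weak in others.
        "spread": max(scores.values()) - min(scores.values()),
    }


if __name__ == "__main__":
    profile = readiness_profile(SAMPLE_ASSESSMENT)
    for function in profile["focus"]:
        print(f"{function:<9} level {profile['scores'][function]}")
    print("focus first on:", profile["focus"][0], "| spread:", profile["spread"])
```

Run as a script it prints the five functions weakest first; in the constructed sample, detect comes out at level 0 while identify reaches level 3, a spread of three levels that illustrates the kind of unevenness the next paragraph describes.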
More often than not, companies are not consistent and do better in some activities than others. If you are interested in learning how prepared your business is against cyber threats, we recommend downloading our tool and watching our webinar for valuable insights and clarity. Should you need a deeper insight into this subject, simply talk to us and we would love to help.
Depending on its maturity level, risk appetite and the resources available, an organisation’s governance structure should be able to select the guideline, framework or standard that works best for the company.
The implementation of a framework such as NIST should be the foundation for any risk-averse company. Having a framework like NIST allows for the budgeting of resources, capacity planning and the costing of technology improvements.
Security frameworks are vital for the success and progression of a company, whereas standards are “nice to haves”. Only once the organisation has implemented a framework and brought it to its highest level should it look at standards, in order to improve its reputation or marketing value.