Common Control Frameworks and Cybersecurity Compliance

Trevor Krause
10/9/2024

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. In this article, a Crowe cybersecurity professional offers insight on the benefits of implementing a unified control framework.

Unified common control frameworks help support streamlined, consistent cybersecurity compliance.

Given the breadth and depth of regulatory requirements for cybersecurity – and the complexity and nuances involved – organizations sometimes find that identifying, tracking, and maintaining compliance with the cybersecurity guidelines, standards, and regulatory requirements that apply to them is a significant challenge. By implementing and maintaining a unified common control framework, organizations can better track and comply with cybersecurity regulations.

Foundational cybersecurity standards

For more than a decade, the most significant cybersecurity standards and regulatory requirements that aimed to protect the confidentiality, integrity, and availability of IT systems and data have included the following:

  • ISO/IEC 27001:2022 is an international standard for information security management systems. It outlines best practices and comprehensive controls for managing information security risks.
  • National Institute of Standards and Technology (NIST) SP 800-53, also known as “Security and Privacy Controls for Information Systems and Organizations,” is published by the U.S. federal government. It provides a catalog of security and privacy controls for federal information systems and organizations to protect their information and information systems from various threats. The controls are categorized into families covering areas such as access control, incident response, risk assessment, and system and communications protection, among others.
  • The Federal Financial Institutions Examination Council (FFIEC) Information Security booklet is a comprehensive guide that provides guidance and best practices for financial services organizations to establish and maintain effective information security programs. The booklet is part of the FFIEC's Information Technology Examination Handbook, which examiners use when assessing the adequacy of an organization’s information security practices.
  • The Health Insurance Portability and Accountability Act (HIPAA) includes three areas of national standards and safeguards for individuals: privacy, security, and breach notification. The HIPAA Privacy Rule protects individuals’ medical records and individually identifiable health information. The HIPAA Security Rule protects individuals’ electronic protected health information that is created, received, used, or maintained by covered entities such as healthcare providers, health plans, healthcare clearinghouses, and business associates. The HIPAA Breach Notification Rule requires covered entities and their business associates to notify individuals following a breach of unsecured protected health information.
  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect credit card information during and after a transaction. It applies to organizations that handle branded credit cards. The PCI DSS specifies requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

These foundational standards and regulations have guided organizations in establishing robust cybersecurity practices and achieving compliance with industry best practices and regulatory requirements. They have evolved over the years, and new guidance has emerged to address the evolving landscape of cybersecurity threats and challenges.

New and updated cybersecurity guidance

More recently, several significant cybersecurity standards, regulations, and frameworks have been released or updated to address emerging threats and technological advancements.

  • The NIST Cybersecurity Framework (CSF) provides a voluntary framework of cybersecurity standards, guidelines, and best practices for organizations to manage and improve their cybersecurity risk management processes.
  • The General Data Protection Regulation (GDPR) is a European Union (EU) regulation on data protection and privacy for all individuals in the EU and the European Economic Area, as well as any entity doing business in the EU.
  • NIST SP 800-171 provides requirements for protecting Controlled Unclassified Information in nonfederal systems and organizations. It is aimed at improving cybersecurity defenses in the supply chains of federal agencies.
  • The Center for Internet Security (CIS) Controls v8 is a set of cybersecurity best practices widely used to improve an organization’s cybersecurity posture.
  • The California Consumer Privacy Act enhances privacy rights and consumer protection for residents of California. It imposes obligations on businesses to protect personal information and grants consumers rights regarding their data.
  • The Cybersecurity Maturity Model Certification, introduced by the U.S. Department of Defense, is a framework designed to assess and enhance the cybersecurity posture of the Defense Industrial Base Sector. It specifies maturity levels and cybersecurity practices that contractors must implement to protect sensitive information.

These standards, regulations, and frameworks reflect the evolving landscape of cybersecurity threats and the increasing importance of protecting sensitive data and information systems. They provide organizations with frameworks and guidelines to strengthen their cybersecurity defenses and ensure compliance with legal and regulatory requirements. So which ones are relevant and how can an organization adopt them?

The 5 W’s

The first steps organizations can take are to identify and document the five W’s: who, what, when, where, and why. Doing so is crucial for understanding who must comply with a regulation, what the requirement covers, when a regulation should be applied, where it applies, and why compliance is necessary. Addressing these five W’s can help stakeholders understand the scope and importance of regulatory standards.

Additionally, documenting the five W’s can help organizations consistently interpret and apply requirements across different teams and departments; verify compliance and accountability by clearly stating who is responsible for implementing and maintaining compliance with the standards; and understand the rationale behind cybersecurity standards to better assess risks and prioritize security measures. The goal is to facilitate effective communication among executives, internal employees, and external business partners and to establish a clear understanding of the standards. Organizations should closely coordinate with their legal and compliance teams to determine which cybersecurity and privacy standards and regulatory requirements their organization must comply with. The following steps can help determine specific details.

  • Determine who is responsible for compliance within your organization. This includes identifying stakeholders, compliance officers, and teams tasked with implementing and maintaining cybersecurity measures.
  • Identify what specific standards and regulations apply to your organization or industry by understanding the requirements laid out by relevant authorities or standards bodies, such as NIST, ISO, and GDPR.
  • Establish when compliance is required by determining deadlines for meeting regulatory requirements and implementing cybersecurity standards, which might involve initial compliance, regular audits, or updates based on changes in regulations.
  • Identify where the scope and jurisdiction of applicable standards and regulations lie, which means understanding whether the regulations are national, regional, or international in scope, and ensuring compliance across all relevant locations and operations.
  • Understand the why and the rationale behind these standards and regulations, which are typically designed to protect data, ensure privacy, mitigate risks, and enhance cybersecurity posture.

Building a common control framework

Even when cybersecurity compliance requirements are understood, organizations might struggle to recognize the best approach for assessing controls within each standard and the regulatory requirements to maintain compliance. Organizations often opt for using an automated solution, such as a governance, risk, and compliance solution, as a centralized tool to document and track compliance for all required cybersecurity controls outlined within one or more industry or regulatory standards.

Many organizations are required to document the design and test the effectiveness of between 300 and 400 controls across just two to three cybersecurity standards and regulatory requirements. Because most organizations must achieve cybersecurity compliance on some level, industry leaders (including Crowe) have developed integrated control frameworks to help organizations address multiple cybersecurity and privacy industry standards and regulatory requirements.

Integrated common control frameworks allow organizations to review a single control by consolidating the corresponding control requirements from multiple regulatory, industry, and best practice sources into one framework. These frameworks provide organizations with a coordinated approach to managing cybersecurity controls efficiently.

Following are two integrated common control frameworks.

  • The Unified Compliance Framework integrates and harmonizes IT controls from various regulations, standards, and frameworks into a single format. It maps controls across different regulations, such as GDPR, HIPAA, PCI DSS, NIST, and ISO/IEC 27001:2022, and allows organizations to identify commonalities and streamline compliance efforts.
  • The Secure Controls Framework is a robust cybersecurity framework that provides organizations with a structured approach to implementing and improving cybersecurity controls. It helps organizations enhance their resilience against cyberthreats while aligning with industry standards and regulatory requirements.

By correlating the controls, an integrated common control framework can include a single test procedure that allows organizations to understand compliance with all common control requirements across the different standards. Beyond the examples previously mentioned, some industry-created frameworks contain even more regulations and standards across more industries.

Crowe has created its own integrated control framework, which includes more than 16 different regulations and standards. In addition, the controls are mapped to cybersecurity risks and include key risk indicators, which can help organizations use integrated risk management solutions to track and monitor risk management performance. Such a comprehensive approach can make future compliance needs and real-time assessment much more efficient.

A proactive approach to cybersecurity compliance

It is vitally important for every organization to review and determine which cybersecurity compliance requirements pertain to it. Building a comprehensive control framework at the outset can help organizations avoid future compliance and regulatory problems and make the compliance and risk management process more efficient.
