Some standards lack specific technical detail and guidance but provide an overall program structure and the security management guidance that is necessary to implement and maintain an effective security program. Assessing, executing, monitoring and auditing security programs against existing, proven security frameworks can strengthen security posture and support compliance with multiple regulations at once. Common security frameworks include ISO, NIST, COBIT, COSO and HITRUST CSF.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide best practice recommendations on information security management and program elements. ISO defines the broadest structure of an effective overall program, supporting information security as a systems issue that includes technology, practice, and people, and describes the need for a formal security program.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a US government-mandated cyber security framework. It provides a structure for the nation's financial, energy, health care and other critical systems to better protect their information and physical assets from cyber attack. NIST provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. COBIT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively so that the organization gets the most from its technology investment. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over the internal practices that support an effective security infrastructure, as well as sound business practice.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined the control objectives of its Internal Control – Integrated Framework, a widely accepted framework for enterprise governance and risk management and the basis of similar compliant frameworks. COSO defines a set of business, management and security-relevant controls that can be used to demonstrate good business practice controls and to show compliance with Sarbanes-Oxley requirements.
Developed in collaboration with healthcare and information security professionals, the HITRUST Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information.
Solutionary is a HITRUST Common Security Framework (CSF) Assessor. This means that Solutionary is able to deliver healthcare certification work, including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF.
| Compliance Activity | Solutionary Services | Standards and Controls Addressed |
|---|---|---|
| Assess & Measure Gaps | Professional Security Services | ISO/IEC 27001:2013; ISO/IEC 27002:2013; COBIT 4.1; COSO from COBIT 4.1; HITRUST CSF2 |
| Remediation & Enhancement | Professional Security Services; Certified HITRUST CSF Practitioners; Authorized partner consulting services | ISO/IEC 27001:2013; ISO/IEC 27002:2013; 87 COBIT controls with technical and security requirements; 144 COSO controls with technical and security requirements |
| Execute & Monitor Security Program | Log Management; Log Monitoring; Vulnerability Management; Security Device Management; UTM for ISO, COBIT, COSO; Endpoint Device Management; Authorized partner consulting services | 152 of 191 ISO security controls; 40 COBIT controls with technical and security requirements; 59 COSO controls with technical and security requirements; 77 of 136 HITRUST CSF security specifications |
| Demonstrate Compliance | ActiveGuard Evidence Log Vault; ActiveGuard Security Compliance Reporting | 33 ISO security controls with auditing and reporting requirements; 23 COBIT controls with auditing and reporting requirements; 23 COSO controls with auditing and reporting requirements; 42 CSF security specifications with auditing and reporting requirements |