Addressing Configuration Controls in an Era of Multiple Security Frameworks

We have entered the era of multiple security frameworks . Sometimes mandatory, often voluntary, security frameworks are created to provide federal and commercial organizations with an effective roadmap for securing information technology (IT) systems. The goal is to reduce risk levels and prevent or mitigate cyberattacks.

To accomplish this task, security frameworks typically provide a series of documented, agreed upon, and understood policies, procedures, and processes necessary to secure the confidentiality, integrity, and availability of information systems and data.

If a drawback to security frameworks exists, however, it is that most provide a “30,000-foot view” of information security. Most identify potential risks as well as how to protect, detect, respond, and even recover from cyberattacks. Specific implementation steps, on the other hand, are rarely addressed.

One critical exception exists. At the core of most, if not all, the frameworks are a set of security-related controls that affect the security posture and/or functionality of the system.