The information your organization processes may decide the success or failure of the business, in both the long and short term. For this fact alone, implementing an information security framework should be on the top of your to-do list.
But with hundreds of IS frameworks out there, how do you know which one is right for you?
The Information Security Framework
Your organization’s information security framework is an agreed-upon set of policies, documents, and guidelines that governs how its information systems are secured and operated. Its purpose is to reduce the vulnerabilities and risks associated with operating those systems.
There are over 200 information security frameworks in use worldwide. Some have become mandatory for the organizations they target: the CMMC, for example, takes the NIST SP 800-171 controls that US defense contractors previously self-attested to and turns them into a certification requirement (assessed by third parties at the higher levels) for winning Department of Defense contracts.
Other requirements are written into regulation itself, such as the GDPR, whose articles lay out the foundation of a data privacy and security framework.
Most IS frameworks, however, are voluntary, although some industries will not deal with you unless you follow them. ISO standards, for example, are entirely voluntary, yet many vendors and customers will not do business with an organization that cannot show it meets the relevant standard.
How Information Security Frameworks Can Benefit You
IS frameworks can benefit your organization in more ways than one. The most obvious benefit is that by adhering to a reputable IS framework, you will likely already be meeting much of what regulations require, sometimes before they even become regulation.
For example, organizations already certified to ISO 27001 had comparatively little to change when the GDPR took effect, because the GDPR’s security obligations (notably Article 32 on security of processing) overlap substantially with the controls ISO 27001 already requires. ISO 27001 does not cover the GDPR’s privacy-specific duties such as lawful basis or data-subject rights, so it is a head start rather than full compliance.
The second benefit is improved vendor relations and bargaining power. As mentioned above, some vendors and business partners will not enter a business relationship with your organization if it does not adhere to a recognized IS standard.
Conversely, if you are already complying with one or more IS frameworks, you will have increased bargaining power over your competitors or in business negotiation with prospects.
A well-implemented information security framework also begins to build a culture of security within your organization. The policy documentation and guidelines improve staff awareness and raise the general security of the organization. Over time this adjusts how business operations are carried out and reduces vulnerabilities.
Finally, the IS framework is designed to protect your assets. If your business is heavily reliant on its information system, like fintech, then an IS framework would be essential.
Information Security Frameworks for Fintech
Because fintech is a nascent industry, there is no information security framework specific to it. However, there are existing, robust frameworks that work well when implemented in a fintech infrastructure.
In the coming section, we will discuss those frameworks and how they can apply to your industry.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a US federal agency under the Department of Commerce with a long track record in cyber and information security standards. Its Cybersecurity Framework (CSF) is a good starter framework that works for almost any industry.
It goes beyond surface-level security, but it is deliberately generic rather than detailed for any specific industry.
The CSF was written for voluntary adoption by private-sector and critical-infrastructure organizations rather than as a government mandate. It provides a basic model of computer and information security that any fintech business can implement and follow.
The core of the model is a set of functions: Identify, Protect, Detect, Respond, and Recover (the 2024 revision, CSF 2.0, adds Govern). Organizing your program around these functions puts your organization on the right track to building a security culture. But it does not stop there.
NIST SP 800 Series
Once your organization has a better grasp of information security’s basic principles, perhaps from implementing the NIST Cybersecurity framework, you can become a bit more ambitious with your framework certification.
The next item on the list is the NIST Special Publication (SP) 800 series. This is not a single framework but a large catalogue of detailed publications covering everything from supply-chain risk management to device security.
Nothing in the SP 800 series is specific to fintech, but you can pick the publications that fit best; some examples are:
- Zero Trust Architecture (SP 800-207): if your fintech runs distributed, cloud-hosted, or API-driven services (blockchain and cryptocurrency platforms included), you might be interested in designing or implementing a zero-trust architecture, in which no request is trusted on the basis of network location alone.
- Supply chain risk management (SP 800-161): an ideal reference for any business that depends on vendors or grows by acquisition. Within fintech it is common for a product to pass through an ecosystem of vendors and suppliers before it reaches your customers.
- Digital Identity Guidelines (SP 800-63-3, with companion volumes 800-63A on identity proofing, 800-63B on authentication, and 800-63C on federation): fintechs serve a global, digital audience, and their main challenge is knowing who they are serving while meeting anti-money-laundering laws. A robust KYC process is necessary, and proofing, protecting, and authenticating those identities is essential.
These are a few examples from the SP 800 series that are relevant to fintech. Keep in mind that the series is extensive and covers a wide array of topics and security measures. We advise you to read the publications yourself (you may also learn a thing or two!), but do not hesitate to contact a specialist when in doubt.
CIS Controls and CIS Benchmarks
The Center for Internet Security (CIS) is a long-time player in the information security framework field. It takes a consensus-based, community-driven approach: its frameworks are built by subject-matter experts, cyber professionals, governmental organizations, and others working together.
Their two most prominent information security frameworks are the CIS Critical Security Controls and CIS Benchmarks.
Both fit the fintech industry well, particularly the CIS Benchmarks, because a fintech stack is assembled from components that CIS publishes benchmarks for: operating systems, cloud platforms, container platforms, databases, and network devices.
The CIS Benchmarks document hardened configurations for devices, software, and operating systems that ship with permissive out-of-the-box settings: which services to disable, which protocol options to restrict, which logging to turn on. Because each recommendation is expressed as a concrete setting with an audit procedure, the benchmarks can be checked automatically as part of a build or deployment pipeline, which makes them incredibly useful for securing fintech infrastructure.
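As an added illustration (not code from this article, and not CIS’s own tooling), the following Python script shows what a benchmark-style configuration check looks like in practice. It parses an OpenSSH sshd_config, honours sshd’s rule that the first occurrence of a keyword wins, and compares a handful of settings against expectations modeled on typical CIS Linux Benchmark SSH recommendations. The check list, the two sample configurations (a permissive out-of-the-box file and its hardened counterpart), and the decision to treat an unset keyword as a failure are assumptions made for this example; the authoritative recommendation text and identifiers are in the published benchmark.

```python
"""Benchmark-style audit of an OpenSSH sshd_config.

Added example, not the article's or CIS's code. The checks are modeled on
typical CIS Linux Benchmark SSH recommendations; the exact items and IDs are
assumptions here and live in the published benchmark.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: a permissive, out-of-the-box style sshd_config.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample, weak settings)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
"""

# Constructed sample: the same host after hardening.
HARDENED_SSHD_CONFIG = """\
# sshd_config (constructed sample, hardened settings)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
ClientAliveInterval 300
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {keyword (lowercased): value} for the global section.

    Mirrors sshd's own rules: blank lines and '#' comments are ignored,
    keyword and value may be separated by whitespace or '=', keywords are
    case-insensitive, and the FIRST occurrence of a keyword wins. Parsing
    stops at the first 'Match' block because those settings are conditional.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0].lower() == "match":
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no value: malformed, skip it
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)  # first value wins
    return settings


@dataclass(frozen=True)
class Check:
    title: str
    keyword: str
    passes: Callable[[Optional[str]], bool]


def _is_no(value: Optional[str]) -> bool:
    return value is not None and value.lower() == "no"


def _at_most(limit: int) -> Callable[[Optional[str]], bool]:
    return lambda value: value is not None and value.isdigit() and int(value) <= limit


# An unset keyword fails every check: the audit wants the value set
# explicitly rather than relying on the compiled-in default (assumption).
CHECKS = (
    Check("SSH root login is disabled", "permitrootlogin", _is_no),
    Check("SSH password authentication is disabled", "passwordauthentication", _is_no),
    Check("SSH PermitEmptyPasswords is disabled", "permitemptypasswords", _is_no),
    Check("SSH X11 forwarding is disabled", "x11forwarding", _is_no),
    Check("SSH MaxAuthTries is 4 or less", "maxauthtries", _at_most(4)),
    Check("SSH ClientAliveInterval is 300 or less", "clientaliveinterval", _at_most(300)),
)


@dataclass(frozen=True)
class Finding:
    title: str
    keyword: str
    observed: Optional[str]
    passed: bool


def audit_sshd_config(text: str) -> List[Finding]:
    """Evaluate every check against the parsed configuration."""
    settings = parse_sshd_config(text)
    return [
        Finding(c.title, c.keyword, settings.get(c.keyword), c.passes(settings.get(c.keyword)))
        for c in CHECKS
    ]


def failed_checks(text: str) -> List[str]:
    """Titles of the checks that fail, in check-list order."""
    return [f.title for f in audit_sshd_config(text) if not f.passed]


def report(text: str, label: str) -> str:
    """Human-readable PASS/FAIL report, one line per check."""
    lines = [f"== {label} =="]
    for f in audit_sshd_config(text):
        observed = f.observed if f.observed is not None else "<not set>"
        lines.append(f"[{'PASS' if f.passed else 'FAIL'}] {f.title} ({f.keyword} = {observed})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WEAK_SSHD_CONFIG, "weak sample"))
    print(report(HARDENED_SSHD_CONFIG, "hardened sample"))
```

Run the file directly to print a PASS/FAIL report for both samples, or pass the contents of a real `/etc/ssh/sshd_config` to `audit_sshd_config` to audit a host. Settings inside `Match` blocks are conditional on the connecting user or address and are deliberately not evaluated here.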
The second framework is the CIS Critical Security Controls (CIS Controls), long known as the CIS CSC 20. Version 7 defined 20 controls in three groups of ascending difficulty (basic, foundational, and organizational); version 8, released in 2021, consolidates them into 18 controls prioritized by Implementation Groups IG1 to IG3. Like the NIST Cybersecurity Framework, it is relatively simple to follow and implement.
Starting from basic cyber hygiene and building up to organizational controls, the CIS Controls are a great framework that works in conjunction with others.
ISO 27001
The International Organization for Standardization (ISO) is a prominent body that regularly publishes new standards. Its standards are used by millions of organizations worldwide and cover everything from quality management to social responsibility.
ISO/IEC 27001, the information security management standard, is its version of an information security framework. Its controls map closely onto the security obligations of regulations like the GDPR, and it is adopted globally.
Like the CIS Controls, it has a catalogue of security controls (Annex A). The organization selects the ones that apply, records the choice in a Statement of Applicability, and must implement them to certify. The primary difference is that ISO 27001 is a management-system standard: it brings the implementation of the controls under an information security management system (ISMS).
The goal of this approach is to avoid the disjointed outcome that affects some other IS frameworks, where organizations implement specific controls in a fire-and-forget manner and never revisit them.
ISO 27001 avoids this by building the management cycle into the standard itself: risk assessment, internal audit, and management review are mandatory, certification involves a two-stage audit, and annual surveillance audits then verify the ongoing management of information security.
ISO 27001 is a great framework for fintech, or any other relevant business, precisely because of these integrated practices.
Regulatory Frameworks
You may have noticed that all the frameworks mentioned so far are voluntary or self-certified. In the coming sections we will explore some frameworks that are imposed from outside, by law or by contract.
Do keep in mind that some of these regulatory frameworks may not apply to every fintech. But with a disruptive industry like fintech, it is only a matter of time before regulators catch up with the innovations.
This means that sooner or later, regulations that affect banking or traditional financial institutions may also affect fintech. But without further ado, let’s jump right in.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard maintained by the PCI Security Standards Council. It is not a law; it is imposed through the card brands’ contracts with acquirers and merchants, and it applies to every organization that stores, processes, or transmits cardholder data for the major card schemes.
So it already affects the parts of fintech that touch card data: payment processors, card issuers, and wallet or checkout products are in scope today, while a fintech that never handles cardholder data is outside its scope.
But it is conceivable that, once fintech solutions become more mainstream, regulators will want to ensure that any information system dealing with people’s money is secured to a comparable standard, and at the time of writing PCI DSS is the obvious model for what such a requirement would look like. Future fintech companies may therefore come under the same bracket as card processors do.
GDPR
The General Data Protection Regulation should be familiar to many organizations, especially those dealing with EU data subjects. Again, this framework is not specific to the fintech industry, and some purely local fintech businesses will fall outside it.
But it is an important regulation to mention nonetheless. The GDPR is essentially a privacy framework that sets out what businesses must do to protect the personal data (the regulation’s term for what is often called personally identifiable information, PII) of their customers or users.
This certainly applies to fintech as well. A fintech organization will inevitably handle highly sensitive personal data, and where that data belongs to an EU data subject, GDPR compliance is a must.
Compliance aside, the GDPR is also a useful way to manage your customers’ and users’ personal data. Its framework-like structure (records of processing, data protection impact assessments, breach notification) means compliance comes with a management discipline that can benefit the organization.
Final Thoughts
An IS framework might be precisely what the fintech industry needs to become more mainstream. In such a fast-paced industry, regulators will find it challenging to design legislation that works for businesses and consumers alike.
But this presents an excellent opportunity for the industry to stay ahead of the game and take regulation into their own hands while also showing good faith with both their customers and interested parties.
Although few information security frameworks speak directly to the fintech industry, several of those discussed in this article fit it well:
- The NIST Cybersecurity Framework
- NIST Special Publication 800 series
- CIS frameworks: the CIS Controls (CIS CSC 20) and CIS Benchmarks
- ISO 27001
It is also important to note the frameworks from specific regulations like PCI DSS and the GDPR. Although not strictly related to the fintech industry, the more mainstream fintech solutions become, the more likely regulators will take heed to ensure that these solutions’ information systems are correctly protected and regulated.
If you are looking to find the right information security framework for you, then get in contact with one of our specialists today.