When it comes to cybersecurity for businesses, corporations, and enterprises, one thing is clear: you need a security strategy. With 71 percent of U.S. enterprises recently saying that they’ve suffered at least one data breach in their lifetime, it’s time to start thinking about adopting an information technology (IT) framework that can help prevent hackers from succeeding in the first place.
Towards that end, 86 percent of U.S. organizations, companies, and enterprises say they plan to increase enterprise network security spending year over year. However, the question is no longer whether or not to dedicate significant resources to proactively addressing cybersecurity. Now, it’s a matter of adopting the right enterprise security architecture and framework that will be most effective in bolstering your cyber defenses across the board.
Today, the Enterprise Information Security Framework (EISF) is one of the most widely adopted systems architecture and data handling frameworks for protecting large organizations against cyber attacks and security incidents. The EISF also guides companies on what to do during an attack to eliminate the threat, and afterward to restore systems and analyze how to prevent similar incidents in the future.
Here, we’ll break down what the EISF is, and how it provides companies with a strategic way of enterprise security and protection.
1. Framework Background & Objectives
The EISF traces back to a 2006 whitepaper from technology analysis firm Gartner covering enterprise security architecture processes, where the concept appeared as enterprise information security architecture (EISA). Since then, it has evolved into an enterprise security architecture framework that incorporates business, information, and technology best practices so that organizations can adopt a holistic strategy for their cyber defenses. In general, the EISF sets the tone for an organization as it relates to defining security requirements, identifying security mechanisms and metrics, classifying cybersecurity resources, and recommending network defense activities.
The main objective of the EISF is to create an effective, consistent, and ongoing IT security process throughout an enterprise organization. The framework seeks to address security needs in three key areas for both critical systems and data: Integrity, Confidentiality, and Availability. It’s also important to remember that the EISF wasn’t necessarily created so that any specific company can achieve all of its objectives single-handedly. Its creators formulated the EISF bearing in mind that, in order to sufficiently protect systems and data at the highest levels, enterprises would have to enlist the right partners and vendors to shore up any gaps that can’t be addressed internally.
But in a nutshell, here is how the EISF seeks to address the three key areas mentioned above:
- Integrity: Enterprises should undertake measures to ensure that systems and data are not modified, corrupted, or destroyed without authorization, whether at rest or in transit, and that any change can be traced back to an accountable party. This also goes for third-party vendors and partners such as internet service and cloud storage providers, whose handling of your data must meet the same bar.
- Confidentiality: The framework specifies that companies take precautions to maintain the confidentiality of critical systems and data so that unauthorized parties don’t have access to things they shouldn’t in the first place. This objective typically covers both digital (and physical) access controls.
- Availability: Also referred to as Continuity, the EISF aims to ensure the ongoing availability of network systems before, during, and after any type of cyber incident. The goal (aside from preventing attacks) is to limit downtime during remediation and restore system functionality as quickly as possible after the threat has been neutralized.
Being familiar with how the EISF came to be, as well as its high-level objectives will help guide you (and your cybersecurity partner) along the way as you formulate a roadmap for adoption and implementation.
2. Key Framework Elements
Now that you’re familiar with what the EISF seeks to achieve in general, you’re probably curious about what specific elements the framework contains that are pertinent to most enterprises, companies, and large organizations. Taken together, these key elements create a secure, consistent enterprise security architecture. When each is addressed thoroughly, the core objectives of confidentiality, integrity, and availability follow as a result.
- Standards: This includes directives, guidelines, and policies that are designed to accomplish the core EISF goals. From top-level executives to rank-and-file employees, the framework states that you should have security standards in place for how everyone interacts with critical systems and data.
- Procedures: When adopting the framework, you’ll need to identify who carries out each cybersecurity measure, when, how, and in what order. The framework doesn’t just focus on outcomes, but on the procedures and processes you’ll need to produce those outcomes.
- Training & Awareness: A key element of the EISF is ongoing training and awareness so that your personnel are always up to date with the latest cyber threats and best practices for tackling them. You’ll need to impart information about protection principles, role requirements and responsibilities, and the use of relevant technology tools.
- Administration: Here, you’ll need to define the organizational roles and responsibilities necessary to ensure implementation (and ongoing application) of the framework. Designating a chief security officer and an incident response team to administer various aspects of the framework falls under this element.
- Assurance: You’ll also want to be assured that all security measures taken will be upheld and maintained on a consistent basis. Aside from defining roles and responsibilities, the framework demands you have contingencies in place in the event of key personnel absence, security system downtime, and any other unforeseen events that might affect your cyber defense efforts.
- Methodology: System development (and maintenance) methodologies facilitate a structured approach to the technical development of your network. Having a secure methodology for application development under the framework involves all technical staff from day one, and contains both disaster recovery and contingency planning.
- Architecture: Finally, you’ll need to define standards and guidelines for future network and system design (and implementation) efforts. Addressing architecture is a team effort between technical and business stakeholders, and helps ensure that any changes in system architecture are up to snuff.
Work with your cybersecurity partner to make sure all of these elements are covered when implementing the EISF for your organization. Some elements may take precedence over others, depending on the nature of your technology, business process, and customer data. Other elements, like training and security awareness, should be taken seriously in all instances.
3. Implementation Guidelines
Aside from core goals and key elements, the EISF also presents enterprises with a process guideline for how they should approach their own formulation, adoption, and implementation of the framework. Again, the specific tactics and action steps each organization undertakes will almost certainly vary. But here are the steps the EISF outlines as an implementation roadmap:
- Information Asset Identification: The first step is determining which assets (both systems and data) need to be protected. You’ll want to conduct a security risk analysis with your cybersecurity partner, and prioritize all assets accordingly. Effective evaluation of all asset characteristics (and potential vulnerabilities) is essential in this first step.
- Organization Accountability Establishment: Next, you’ll need to define and separate the roles and responsibilities for everyone in the organization involved in implementing the EISF. In some cases, you’ll need to compartmentalize activities, since not every stakeholder should have access to the systems and data that others require (the least-privilege principle). Establish clearly who has custodial responsibility for the security of each system, network, or data type.
- Individual Accountability Assignment: Once the organizational responsibilities have been outlined, you’ll need to make sure you’re able to hold end users accountable. That means secure identification and authentication of each user (a unique username tied to a password, hardware token, or biometric, rather than shared accounts). The framework also recommends audit procedures: log personnel activity against the systems they touch, and review those logs periodically to confirm that no breaches of procedure are occurring.
- Deployment of Support Systems: When adopting the framework, more than likely you and your partner will decide that additional technology, software, or systems need to be deployed to further protect against hackers and cyber attacks. You’ll need to come up with a formal policy that details how these systems will be put into place, as well as methods for how you’ll assess potential new technologies.
- Implement Control Measures: Finally, you’ll begin implementing the appropriate security and control measures as defined by the framework, your internal analysis, and the help of your cybersecurity partner.
Moreover, the EISF has outlined these steps so that they can be repeated at various stages over time. Once you’ve developed policies and procedures in accordance with the framework, you’ll want to work with your partner to re-visit their effectiveness on a periodic basis. By repeating steps one through five on an annual basis, for instance, you’ll ensure that your entire security policy, approach, and cybersecurity posture are up to date with new threats and technologies.
4. Security Levels
Each critical system and data type that you seek to protect will have its own appropriate level of safeguards necessary. The EISF acknowledges this, and is far from a “one size fits all” solution. Therefore, the framework specifies three distinct security levels that each asset can (and should) be classified under. User passwords for your employees, for instance, will need to be protected using different safeguards than say, your customers’ private credit card information.
So, when assessing the priority of your various assets that need to be secured, be aware that the EISF states that each asset should be classified under one of the following three levels:
- Level 1: This security level is the most stringent and is applied to the most sensitive and valuable resources. Level 1 assets should be accessible only by a selected group of users, and critical business functions are jeopardized should they be breached.
- Level 2: Compromise of these assets won’t result in the loss of critical business functions, but they are still highly sensitive and valuable. Compromise of Level 2 assets might result in financial loss or significant reputational damage.
- Level 3: These are the least critical cyber assets, but it’s still important to put sufficient safeguards in place for Level 3 systems and data. The framework categorizes many of the publicly available systems or data your business uses as Level 3.
Depending on the security level each asset is categorized under, you’ll then define the appropriate security procedures and enforcement points. For example, if your business is in the financial services sector, you might identify a specific system that contains your customers’ credit history as something that needs to be guarded closely. This might be classified as Level 2 data: although compromise might not shut down your ability to do business completely, the financial and reputational damage resulting from a breach would be significant.
You’ll then implement the Level 2 security procedures you have defined. These might include multifactor authentication for any personnel accessing the system, physical safeguards preventing unauthorized access to terminals that reach it, or requiring endpoint protection on every device that connects. Enforcement points are simply the places where you verify these measures are actually in effect. Are employees trained to lock their terminals when stepping away? Are staff locking office doors after hours to prevent people from physically entering unauthorized spaces?
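The classification step from section 3 and the periodic audit from the Individual Accountability step can be put together in a small review script. The following is an added example, not code from the EISF or from this article: it maps impact of compromise to one of the three levels, records a custodian and (for Level 1) an authorized group per asset, and then checks a batch of access-log events against the controls attached to each level. The inventory, the group membership, the log format, and the specific control-per-level mapping (MFA for Levels 1 and 2, group restriction for Level 1 only) are all assumptions constructed for the illustration.

```python
"""Asset classification plus a periodic access-audit check.

Added example. The Level-to-control mapping, the inventory, the group
membership and the log lines below are constructed for illustration.
"""
import json
from dataclasses import dataclass

# Controls assumed per security level. Level numbers follow the article;
# which controls attach to each level is an assumption for this example.
LEVEL_CONTROLS = {
    1: {"mfa_required": True, "authorized_only": True},   # most stringent
    2: {"mfa_required": True, "authorized_only": False},
    3: {"mfa_required": False, "authorized_only": False},
}


def classify(critical_function_lost: bool, sensitive: bool) -> int:
    """Roadmap step 1: map the impact of compromise to a security level."""
    if critical_function_lost:
        return 1
    if sensitive:
        return 2
    return 3


@dataclass
class Asset:
    name: str
    level: int
    custodian: str                        # accountable owner (roadmap step 2)
    authorized: frozenset = frozenset()   # groups allowed in (Level 1 only)


# Constructed inventory for a hypothetical financial-services firm.
INVENTORY = {
    "core-ledger": Asset("core-ledger", classify(True, True), "treasury-ops",
                         frozenset({"treasury-ops"})),
    "credit-history": Asset("credit-history", classify(False, True), "risk-mgmt"),
    "marketing-site": Asset("marketing-site", classify(False, False), "web-team"),
}

# Constructed group membership (the "who" from step 2).
GROUPS = {
    "alice": {"risk-analysts"},
    "bob": {"risk-analysts"},
    "carol": {"helpdesk"},
    "dave": {"web-team"},
    "eve": {"helpdesk"},
    "frank": {"treasury-ops"},
}

# Constructed audit events, one JSON object per line, in the shape an
# access-logging system might emit. These are not real log lines.
AUDIT_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "alice", "asset": "credit-history", "mfa": true}
{"ts": "2024-03-01T08:05:40Z", "user": "bob", "asset": "credit-history", "mfa": false}
{"ts": "2024-03-01T09:17:03Z", "user": "carol", "asset": "core-ledger", "mfa": true}
{"ts": "2024-03-01T10:30:55Z", "user": "dave", "asset": "marketing-site", "mfa": false}
{"ts": "2024-03-01T11:01:19Z", "user": "eve", "asset": "hr-export", "mfa": true}
{"ts": "2024-03-01T11:45:00Z", "user": "frank", "asset": "core-ledger", "mfa": false}
"""


def audit_access(inventory, groups, log_text):
    """Roadmap step 3: review each access against its asset's level.

    Returns a list of (timestamp, user, asset, finding) tuples.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        asset = inventory.get(ev["asset"])
        if asset is None:
            # An asset missing from the inventory has no owner and no level.
            # That is a gap in step 1, so report it rather than skip it.
            findings.append((ev["ts"], ev["user"], ev["asset"], "asset not classified"))
            continue
        rules = LEVEL_CONTROLS[asset.level]
        if rules["mfa_required"] and not ev.get("mfa", False):
            findings.append((ev["ts"], ev["user"], asset.name,
                             f"Level {asset.level} access without MFA"))
        if rules["authorized_only"] and not (groups.get(ev["user"], set()) & asset.authorized):
            findings.append((ev["ts"], ev["user"], asset.name,
                             f"user not in authorized group for Level {asset.level} asset "
                             f"(custodian: {asset.custodian})"))
    return findings


def run_review():
    """Run the audit over the constructed data; returns the findings list."""
    return audit_access(INVENTORY, GROUPS, AUDIT_LOG)


if __name__ == "__main__":
    for ts, user, asset, finding in run_review():
        print(f"{ts} {user:<6} {asset:<15} {finding}")
```

Run against the constructed log, the review flags four events: bob and frank for reaching MFA-protected assets without MFA, carol for touching a Level 1 asset from outside its authorized group, and eve for accessing an asset that was never classified at all. The last case is the one worth noticing: an access audit is only as good as the inventory behind it, so anything unclassified should surface as a finding rather than being silently ignored, and each finding names the custodian so the person accountable under step 2 is the one who receives it.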
The EISF is a framework designed to provide a holistic, proactive, and ongoing stance as it relates to enterprise cyber security. Large companies, businesses, and organizations have vastly different needs than smaller ones, and the EISF is there to help you manage all the moving parts that need to work in concert to secure critical systems and data in today’s perilous digital environment. Before “getting into the weeds” with your cybersecurity partner, make sure to keep yourself focused on the high-level goals of Integrity, Confidentiality, and Availability.
Make sure all key framework elements, such as procedures, administration, and training, are addressed in your adoption roadmap. Follow the EISF’s implementation guidelines, and revisit each step on a periodic basis to keep pace as threats evolve. Lastly, adopt concrete security measures in accordance with the priority you’ve assigned each network, system, or data type. Adopting the EISF certainly won’t happen overnight, but now that you’re equipped with the knowledge of why the framework exists, the key elements it contains, and how it’s supposed to be implemented, the adoption journey (along with your cybersecurity partner) will be a lot smoother.