A Framework Provides a Baseline for Security that Supports Business Goals
- Most businesses use the framework as a guideline to decide which controls and practices are most important to their business.
- The security metrics you measure, and that map to framework controls, are driven by top-down business considerations.
“If management requests something that deviates from standards associated with the framework, then the framework is a good starting point for discussing that idea.”
Lester Godsey, Chief Information Security Officer (CISO) for the City of Mesa, says there are several distinct benefits to adopting a security framework:
- “A security framework is another way of establishing a baseline of what’s acceptable in your organization,” says Godsey. And if there’s a request for a mitigating control, the framework gives you a context for discussing the value and impact of that control.