Frameworks Need to Adapt
- Frameworks tell you what you need to be secure, but they don’t tell you how to secure your system.
- Organizations implementing a framework should contract with a consultant who can come in, audit the systems, look at the data, and recommend the kinds of controls they need.
“Once an organization adopts a framework, the discussion is no longer about whether you need a control. It’s about the cost of implementing the control everyone agrees they need.”
Like many educational institutions, Central New Mexico Community College must manage the cybersecurity challenges of an IT environment shared by students, faculty, and staff. It is an environment that enables the sharing of ideas, research, and connections with the community while protecting a wide range of personal and proprietary information. A security framework plays an important part in the overall security practice, but to be effective, it must adapt to the college’s needs. “We follow standards like the NIST Cybersecurity Framework to some degree,” says Luis Brown, chief information security officer (CISO) for Central New Mexico Community College, “but there are aspects of that framework, and a framework like ISO 27002, that are not applicable to a college environment.”