Security frameworks
Your security framework serves as the support structure. Industry standards give that structure the support it needs to be designed, implemented and evaluated properly, so that your company’s information security program follows a cohesive, often industry-specific approach. While LBMC Security Services works within many reliable security frameworks and has been recognized as a certified or approved provider, the most prominent framework standards our clients use include:
NIST
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, offers a certification and accreditation process for risk management frameworks. Its purpose is to develop a common information security framework for the federal government and its supporting contractors. NIST standards apply from the initial network design through implementation and operation. In addition, NIST standards support a robust continuous monitoring process. LBMC provides a range of services in the area of NIST and FISMA compliance. For nearly a decade, LBMC has performed assessments and developed security programs to align with this comprehensive framework.
HITRUST
The Health Information Trust Alliance (HITRUST) sets high security standards for healthcare providers, third-party administrators, clearinghouses and other organizations that use protected health information. Only a select group meets its elite standards to become a HITRUST Common Security Framework (HITRUST CSF) Assessor. LBMC Security Services is proud to be one of the first four firms in the country to earn the assessor designation, by February 2010, and one of only 12 firms to hold that designation today.
The foundation of all HITRUST programs and services, the HITRUST CSF is a certifiable framework that provides the structure, detail and clarity needed for information security in the healthcare industry. Designed to reduce the burden on healthcare organizations of complying with federal and state regulations, the HITRUST CSF also builds the security program on international and domestic standards as they relate to information security overall.
ISO/IEC 27002:2005
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly issue information security standards for the industry. ISO/IEC 27002 follows the CIA triad principles: confidentiality (information is accessible only to authorized users), integrity (information is safeguarded for accuracy and completeness, both as stored and as processed) and availability (authorized users have access when required). The advisory standards offer flexibility because organizations of all sizes and types can follow them according to their specific information security risks.
COBIT
COBIT (Control Objectives for Information and related Technology), the framework standard for IT management, enables organizations to follow clearly defined policy development and best practices for IT control, emphasizing regulatory compliance and strengthening the value derived from the company’s IT services. COBIT compliance also enables greater control over internal practices, further improving the security infrastructure.
COSO
Focusing on financial processes, COSO (the Committee of Sponsoring Organizations of the Treadway Commission) offers a voluntary framework for strengthening financial reporting quality through effective internal controls. COSO goes beyond the framework itself, defining business, management and security-relevant control best practices so that organizations following it adhere to Sarbanes-Oxley requirements.