As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, e-discovery, and cybersecurity service provider.
The Vestige team that you know and trust will continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow us to serve you and your clients even better.

What is the Difference Between Prescriptive vs. Non-Prescriptive Frameworks?

What is the Difference Between Prescriptive vs. Non-Prescriptive Frameworks?

Author photo
President
MBA, CISA, CSXF, CMMC-RP

To understand prescriptive and non-prescriptive assessment frameworks, we need to step back and understand the components.  First, let’s start with an assessment.  Sometimes audits and assessments get confused.  Both are critical tools in understanding an organization’s performance in a specific area.  There are assessments and audits around an organization’s financial system, around the manner in which it adheres to safety practices (think OSHA), its performance around human resource practices and of course, for the purpose of our discussion, the performance of an organization’s cybersecurity practices. In this article, we’re going to explore two somewhat contradictory approaches that these frameworks take – the difference between prescriptive frameworks and non-prescriptive assessment frameworks.

Understanding Assessments

In general, assessments are an outsider’s judgment as to what potential weaknesses exist and to understand the effectiveness of the organization’s controls.  An audit, on the other hand, is typically performed to verify compliance with some standard or regulation.  For cybersecurity, this can include things like the Health Insurance Portability and Accountability Act (HIPAA), privacy standards like California Consumer Privacy Act (CCPA), Gramm-Leach-Bliley Act (GLBA) and many more.

What is an Assessment Framework

For the purposes of answering this question, we are going to generically refer to audits and assessments in the same manner and simply call it an “assessment”.  An assessment framework, therefore, is simply a collection of requirements to be in compliance with whatever is being assessed. Generally speaking, these assessment frameworks include a wide range of requirements that ought to be in-place—many times these are crafted through experience, discussion, and negotiation by a number of experts and oftentimes include the “best practices” that organizations should be following.

Prescriptive vs Non-Prescriptive

Again, in terms of cybersecurity, there is no shortage of frameworks that exist.  Some of these frameworks are very “prescriptive” – meaning they tell you exactly what needs to be performed.  Some examples include PCI-DSS, the NIST Security Technical Implementation Guides (STIGs) and even the Center for Internet Security’s (CIS) Hardening Benchmarks.  In general, prescriptive frameworks tell you exactly what needs to be in-place and how to accomplish that.

On the other hand, there are many assessment frameworks that are “non-prescriptive” – meaning they tell you what needs to be performed, but not how.  This is an important distinction and, like many things in this world, is both good and bad.  For non-prescriptive frameworks, the manner in which an organization elects to address the controls is left to the organization.  Great!  This means you can tailor things in a way that works for your organization.  The flexibility that this offers can be significant…but it is a double-edged sword.  The fact that the organization gets to choose how to implement a control can also make things more difficult.  That same flexibility that is desired, can backfire when the individuals making the decisions as to how the organization will comply don’t understand the underlying reasons for the control.  This can be due to misunderstanding or misinterpreting what the requirements are.  It can also be due to a lack of embracing the true extent to which the control should be implemented.

For instance, drawing from the DOD’s Cybsersecurity Maturity Model Certification (CMMC) framework (a non-prescriptive framework), the control identified as PE.L1-3.10.4 says “Maintain audit logs of physical access”.  Seems straight-forward, right?  Or is it?  For instance, you might be wondering things like:

  • What is required for an audit log?
  • Does it need to be paper-based with wet signatures?
  • Can it be digital?
  • How do we maintain such audit log?
  • How many audit logs do we need?
  • What physical access are we maintaining audit logs around?
  • How long do we need to keep such logs?
  • Who needs access to the logs?

And the list goes on-and-on.  What’s the right answer?  Well, it depends!  Nice answer, right?  The reality is it is left to interpretation.  And as long as your interpretation matches the interpretation of the purveyors of the framework you should be good.  But therein lies the problem.  In essence, you need to be assured that the interpretation that you have made around this requirement aligns with the expectations.

Reasonableness and Justification

Therefore, an organization’s adherence to a standard set forth in a non-prescriptive framework often comes down to how reasonable are you at identifying the true reason for the control, a good understanding of the expectation of what needs to be in-place to meet such requirement, an understanding of the alternative approaches and finally your justification for the choices that were made.  This comes down to being able to describe, rationalize, justify and document exactly what it is that you are doing to meet the standard.

And that’s why it’s a double-edged sword.  With the flexibility garnered with a non-prescriptive framework, you also get the burden of having to make sure you understand and document the way you address the controls.

If you find yourself in a situation where you need to interpret the requirements of a non-prescriptive assessment framework, let the cybersecurity experts of Vestige assist. CONTACT VESTIGE today.