Which option is a framework widely utilized by organizations in the development of security?

First of all, a disclaimer: there are differences between frameworks and standards. To make this easier to grasp, and because a lot of people mix these terms up, I have listed both together; in the end it is about handling risks and not about terminology. Some of these standards come with a cost; the ISO standards in particular are pretty expensive to comply with. It is noteworthy that, for example, the NIST standards and all their documentation are available free of cost, which certainly helps to spread knowledge and best practices to all types of organizations and individuals.

NIST CSF: The NIST (National Institute of Standards and Technology) Cybersecurity Framework is focused on protecting critical infrastructure and on how to manage and mitigate cyber risks based on different standards. It is one of the better-known frameworks and is perceived as easier to understand than many of the others. While the focus is on the USA and on critical infrastructure organizations (e.g. telecom companies, utility companies), it is used broadly around the world and seen as agile and flexible.

The NIST Special Publications 800-x each focus on a different aspect of Information Security.

  • NIST SP800-53 is used by US agencies to comply with the FIPS requirements, but it can also be used by other organizations.
  • NIST SP800-171 has been used more and more in recent years, since the US Department of Defense (DoD) has mandated that contractors comply with this standard since the end of 2017. The focus is mostly on sectors that don't already have specific and stringent Information Security regulation (as financial institutions and healthcare do), such as smaller organizations and, for example, the manufacturing industry.
  • NIST SP800-82 focuses on how to secure industrial control systems (ICS).

ISO 27001/27002: also known as ISO27Kx, from the International Standard Office, these are probably the most commonly known standards for implementing an Information Security Management System. A lot of organizations chase ISO certification in different fields; getting ISO 27001 certified shows that you follow best practices and gives assurance that data is well protected. ISO 27001 focuses on the requirements of the information security program, ISO 27002 focuses on the steps in the program, and other standards such as ISO 27799 focus on specific sectors, for example cyber security in healthcare.

HIPAA: The Health Insurance Portability and Accountability Act focuses on healthcare organizations and how they should protect their systems, with a special focus on protecting confidential medical data and patient records. Organizations in this sector have to follow the standard, which proves not always to be easy when using third-party systems. This is sometimes also referred to as HITRUST or HITECH CSF.

GDPR: The General Data Protection Regulation covers data privacy for citizens of the European Union (EU). It is European legislation that is adopted by the different member countries and has been enforced since 2018. The GDPR impacts all organizations that are established in the EU and any business that collects and stores the private data of EU citizens, even if they are located in other parts of the world. There is a lot of fuss about GDPR since the fines can go up to 4% of global revenue, and some pretty significant fines have been given to both smaller companies and mega-corporations like Google.

PCI DSS: This is a special one. The Payment Card Industry Data Security Standard governs the way credit and debit card information is handled. It is an industry standard from the Payment Card Industry Standards Council that is mandated for all organizations that process credit card / cardholder data. While this is not mandated by law in most places around the world, it is inevitable if you process credit cards. You don't have to comply with it if you completely outsource the payment processing to a payment provider and don't use a virtual terminal; in many cases this is the smart thing to do.

COBIT: Control Objectives for Information and Related Technology is developed by ISACA. The best-known version is COBIT 5, but a substantial update has been released as COBIT 2019. ISACA is a private organization that is well known and respected throughout the world and is also behind certifications like CISA and CISM. The framework focuses on much more than IT security: it covers IT governance, risk and IT-business alignment, with a strong focus on how to achieve strategic business goals with IT. The framework is commonly used to work towards SOX (Sarbanes-Oxley) compliance, since it comes from an audit background and is well aligned with those requirements.

FISMA: The Federal Information Security Management Act is a framework that aims at protecting US federal government information and IT systems against cyber threats. It covers not only the federal agencies but also their suppliers and related third parties. The standard aligns pretty closely with the different NIST standards, especially NIST 800. Apart from implementing security controls, it also includes risk assessments and continuous monitoring of the IT infrastructure. While continuous monitoring certainly brings benefits, it also shows that these monitoring systems can become an attack surface of their own; think of the SolarWinds supply chain attack.

NERC-CIP: The North American Electric Reliability Corporation Critical Infrastructure Protection standards focus on cyber security for utility and electric power organizations and are seen as the default for these in the USA. The standard not only covers internal controls but also how to mitigate risk caused by the supply chain.

SOC2: The Service Organization Control Type 2 is a trust-based framework covering cybersecurity and IT auditing. It was developed by the American Institute of Certified Public Accountants (AICPA) to help verify that vendors and partners are securely managing client data. It is seen as one of the more difficult frameworks to comply with, and is commonly used in the financial industry in particular. The audits for this certification are tough, but for organizations like banks this is one of the gold standards.

CIS: The Critical Security Controls focus on around 20 actions to mitigate the most common cyber attacks. They are designed by volunteers who are seen as experts in the security sector, and the controls are quite widely used.

CMMC: The Cybersecurity Maturity Model Certification is another special one. It is a maturity model and a set of best practices/requirements in one, with a specific focus on DoD contracts. The maturity levels focus on different aspects of Information Security, with special attention to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Level 1 focuses on basic cyber hygiene, while level 5 is the summit. Organizations need to define where they are (baseline) and where they want to get to (goal) in order to define a path towards these improvements. Every extra level is more challenging and more costly, so a good analysis of the value created and the risk reduced is required.

FAIR: Factor Analysis of Information Risk, created by the not-for-profit FAIR Institute, aims at promoting risk management best practices. The approach is explicit and focuses on risk quantification; it can be used together with another standard or framework. The main benefit is the explicit, mathematical treatment of risk. The main focus points are defining the cost (of achievement, maintenance and acceptable loss exposure), building a foundation (e.g. taking well-informed decisions) and implementing the program (where the risk management decisions and the feedback loop for improvement are important attention points). With ever-increasing threats and an almost unlimited set of potential "solutions", this risk-based and cost-based approach makes cyber risks easier to quantify, and makes it easier to decide where you need to spend the money and what risk is acceptable from a financial point of view.
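A worked illustration of the kind of quantification FAIR is known for, added here and not taken from the FAIR Institute or this page: it applies the public FAIR factor decomposition (annualized loss exposure = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability) to a constructed phishing scenario, then ranks candidate controls by risk reduction minus yearly cost against an acceptable loss exposure. The scenario numbers, control names and their effect factors are all assumptions.

```python
# FAIR-style risk quantification, added as an illustration (not the FAIR
# Institute's code). Public FAIR decomposition: ALE = LEF x loss magnitude,
# LEF = threat event frequency x vulnerability. All numbers are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    tef: float             # threat events per year
    vulnerability: float   # probability a threat event becomes a loss event
    primary_loss: float    # direct cost per loss event (response, downtime)
    secondary_loss: float  # fines, legal fees, churn per loss event

    def lef(self) -> float:            # loss events per year
        return self.tef * self.vulnerability

    def ale(self) -> float:            # annualized loss exposure
        return self.lef() * (self.primary_loss + self.secondary_loss)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # achievement + maintenance, spread per year
    tef_factor: float = 1.0   # multiplier on TEF (0.5 = half the attempts)
    vuln_factor: float = 1.0  # multiplier on vulnerability
    lm_factor: float = 1.0    # multiplier on loss magnitude (e.g. insurance)

    def apply(self, s: Scenario) -> Scenario:
        return replace(s, tef=s.tef * self.tef_factor,
                       vulnerability=min(1.0, s.vulnerability * self.vuln_factor),
                       primary_loss=s.primary_loss * self.lm_factor,
                       secondary_loss=s.secondary_loss * self.lm_factor)

def rank_controls(baseline, controls, acceptable_ale):
    """(name, residual ALE, net benefit, within appetite), best net first.
    Net benefit = risk reduction - cost; negative means the control is not worth it."""
    rows = []
    for c in controls:
        residual = c.apply(baseline).ale()
        rows.append((c.name, residual, baseline.ale() - residual - c.annual_cost,
                     residual <= acceptable_ale))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed scenario: credential phishing against a mid-sized organization.
PHISHING = Scenario("credential phishing", tef=32, vulnerability=0.25,
                    primary_loss=20_000, secondary_loss=30_000)
CONTROLS = [Control("phishing-resistant MFA", 40_000, vuln_factor=0.125),
            Control("awareness training", 15_000, tef_factor=0.5),
            Control("cyber insurance", 60_000, lm_factor=0.5)]
```

Running `rank_controls(PHISHING, CONTROLS, 100_000)` shows why insurance alone does not reduce risk below appetite: it shrinks each loss but leaves the loss event frequency untouched.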

MITRE ATT&CK: This is not a standard to follow as such, but a very important one to know. MITRE is a not-for-profit, cybersecurity-focused research and development center. When MITRE began documenting the common tactics, techniques and procedures (TTPs) used in cyberattacks against Windows enterprise networks, ATT&CK became the baseline that acts as a common language; MITRE also manages and controls the Common Vulnerabilities and Exposures (CVE) list, which aims at cataloguing known vulnerabilities in different systems. Having this common system to document and score vulnerabilities is essential: everyone needs to be on the same page and talk about the same thing, especially in challenging times when mitigation is required swiftly.

Other standards or frameworks include:

  • Australian Signals Directorate (ASD) Essential 8
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  • Cybersecurity and Infrastructure Security Agency (CISA) Transportation Systems Sector (TSS) Cybersecurity Framework
  • European Telecommunications Standards Institute (ETSI)
  • European Union Agency for Cybersecurity (ENISA) National Capabilities Assessment Framework
  • Information Security Forum (ISF) Standard of Good Practice for Information Security (SOGP 2020)
  • International Society of Automation (ISA/IEC 62443)
  • International Telecommunications Union (ITU) National Cybersecurity/ Critical Information Infrastructure Protection (CIIP)
  • Internet of Things (IoT) Cybersecurity Alliance (IOTCA), Internet of Things (IoT) Security Foundation (IoTSF) Security Compliance Framework
  • National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)
  • New Zealand Protective Security Requirements (PSR), Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework

Which one do I choose?

It is not easy to select a framework or standard with all the different choices. My recommendation is to look at your industry and check whether there is a de facto standard (HIPAA, PCI DSS), check what your customers or suppliers require, or select one you feel comfortable with (e.g. NIST is easier to start with than ISO). The worst choice is not to choose. Cyber threats are real, and a framework or standard is a good tool to help you assess the risks, implement mitigation with controls and work in a structured way, which will certainly help in case of an audit (internal, external or regulatory).

What are frameworks in security?

A security framework defines policies and procedures for establishing and maintaining security controls. Frameworks clarify processes used to protect an organization from cybersecurity risks. They help IT security professionals keep their organization compliant and insulated from cyber threats.

What is the best security framework?

ISO 27001/27002, also known as ISO 27K, is the internationally recognized standard for cybersecurity.

What are the two important control frameworks used in cybersecurity?

The two most common cybersecurity frameworks are the NIST Cybersecurity Framework and ISO 27000, although there are dozens of different frameworks that serve the needs of different industries. Some frameworks are focused on specific industries, while others just vary in wording and controls.

What is a security compliance framework?

Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations follow these guidelines to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives (such as becoming a public company, or selling cloud solutions to government agencies).