Living in a digital world…
Today, it’s virtually inevitable that digital technology and data will be essential to some aspect of your life. It could be your work, your personal relationships, your living situation and so forth. If you run a business, you’re for sure utterly dependent on devices and data.
Unfortunately, as we are now reminded on a daily basis, bad people with bad intentions are eager to steal the data that you and your business need to function. Their motivations vary, but in general, malicious actors either want to profit from your devices and data or disrupt them—or both.
What can you do to achieve the best cybersecurity under these circumstances?
There are ways to achieve a satisfactory level of cybersecurity, which may include data security solutions and database security as well. Frequently, the best way to meet this objective is to adopt a cybersecurity framework. A framework provides the structure and methodology you need to protect your important digital assets.
What is a Cybersecurity Framework?
A cybersecurity framework is, essentially, a system of standards, guidelines, and best practices for managing the risks that arise in the digital world. Frameworks typically pair security objectives, such as preventing unauthorized system access, with controls that meet them, such as requiring a username and password.
It might help to first understand what a framework is in general. In the physical world, a framework is a system of beams that hold up a building. In the world of ideas, a framework is a structure that underpins a system or concept. A framework is a way of organizing information and, in most cases, related tasks.
Frameworks have been around for a long time. In financial accounting, for example, frameworks help accountants keep track of financial transactions. An accounting framework is built around concepts like assets, liabilities, costs and controls. Cybersecurity frameworks take the framework approach to the work of securing digital assets. The framework is designed to give security managers a reliable, systematic way to mitigate cyber risk no matter how complex the environment might be.
Cybersecurity frameworks are often mandatory, or at least strongly encouraged, for companies that want to comply with state, industry and international cybersecurity regulations. For example, in order to handle credit card transactions, a business must pass an audit attesting to their compliance with the Payment Card Industry Data Security Standards (PCI DSS) framework.
Types of Cybersecurity Frameworks
At a recent RSA Conference, Frank Kim, former CISO of the SANS Institute and one of the top cybersecurity experts, gave a clear explanation of these framework types. He split them into three categories (control, program and risk frameworks) and outlined the purposes of each:
Control frameworks:
- Develop a basic strategy for the security team
- Provide a baseline set of controls
- Assess the current technical state
- Prioritize control implementation
Program frameworks:
- Assess the state of the security program
- Build a comprehensive security program
- Measure program security / competitive analysis
- Simplify communication between the security team and business leaders
Risk frameworks:
- Define key process steps to assess and manage risk
- Structure the program for risk management
- Identify, measure, and quantify risk
- Prioritize security activities
Choosing the Best Cybersecurity Framework
There are many different frameworks. However, a few dominate the market. In addition to PCI DSS, popular frameworks include:
- The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- The Center for Internet Security Critical Security Controls (CIS)
- The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002
The NIST Framework for Improving Critical Infrastructure Cybersecurity, sometimes just called the “NIST cybersecurity framework,” is, as its name suggests, intended to be used to protect critical infrastructure like power plants and dams from cyber attack. However, its principles can apply to any organization that seeks better security. It is one of several NIST standards that cover cybersecurity.
Like most frameworks, the NIST cybersecurity framework is complex and broad in scope. The basic document describing it runs 41 pages. The actual implementation of the framework can involve thousands of person-hours and hundreds of pages of documentation, procedures, controls and so forth. At the root, though, the framework is fairly easy to understand.
The framework’s core is a list of cybersecurity functions that follow the basic pattern of cyber defense: identify, protect, detect, respond and recover. The framework provides an organized mechanism for identifying risks and assets that require protection. It lists the ways the organization must protect these assets by detecting risks, responding to threats and then recovering assets in the event of a security incident.
For example, under Protect, the framework contains a category known as PR.DS, which stands for “Protect Data Security.” Going deeper into the framework, PR.DS has seven sub-categories, each intended to ensure protection of data. These include controls for protecting data at rest (PR.DS-1), protecting data in transit (PR.DS-2) and so on. To comply with PR.DS-1, for instance, the organization might mandate encryption of data at rest.
The CIS Controls were developed in the late 2000s by a coalition of volunteer experts to create a framework for protecting companies from cybersecurity threats. The framework consists of 20 controls that are regularly updated by experts from all fields – government, academia, and industry – so that they stay current with the threat landscape.
CIS works well for organizations that want to start out with baby steps. Its controls are divided into three groups: organizations start with the basic controls, then move on to the foundational controls, and finally to the organizational controls. CIS is also a great option if you want an additional framework that can coexist with other, industry-specific compliance standards (such as HIPAA and NIST).
ISO 27001/27002, also known as ISO 27K, is the internationally recognized standard for cybersecurity. The framework requires (and assumes) that an organization adopting ISO 27001 will have an Information Security Management System (ISMS). With that in mind, ISO/IEC 27001 requires that management systematically manage the organization’s information security risks, taking into account threats and vulnerabilities.
The framework then requires the organization to design and implement information security (InfoSec) controls that are both coherent and comprehensive. The goal of these controls is to mitigate identified risks. From there, the framework suggests that the organization adopt a risk management process that’s ongoing. To get certified as ISO 27001-compliant, an organization must demonstrate to the auditor that it is using what ISO refers to as the “PDCA Cycle.” This stands for Plan, Do, Check and Act.
What is the PDCA Cycle?
- Plan — means establishing the ISMS itself along with policies, objectives, processes, and procedures for risk management.
- Do — refers to implementing the actual functioning ISMS, including implementing InfoSec policies, procedures and so forth.
- Check — involves monitoring and review of the ISMS, measuring process performance compared to policies and objectives.
- Act — is the process of updating and improving the ISMS. It may mean undertaking corrective and preventive actions, on the basis of internal audit and management review.
Companies and government agencies adopt ISO 27001 in order to get certified for compliance. Otherwise, it’s a lot of work without much to show for the effort. ISO certifies compliance through the work of approved audit firms. A company goes through a process of applying for certification with ISO, which usually involves working with an experienced consultant who may then also act as the auditor and certifying authority.
Other Notable Frameworks
Some frameworks exist for a specific industry or security scenario.
- COBIT, for example, is a control framework for IT systems used in financial accounting. It’s a core part of compliance with the Sarbanes-Oxley Act.
- HIPAA, a law designed to protect patients’ privacy, comprises both a set of regulations and a framework. PCI DSS is similar. It’s a specific set of control requirements that are coupled with a certification process to attest to compliance.
- The EU GDPR rules that protect personal information are somewhat softer in nature. The rules are quite clear, but compliance is not certified by any specific entity.
How to Comply with Multiple Cybersecurity Regulations
Most businesses, especially ones that work internationally, must comply with a collection of different cybersecurity regulations. Frameworks can be a great way to tackle this complicated challenge. They give you a way to define, enforce and monitor controls across multiple compliance regimens.
The good news is that security vendors and consultancies are publishing extensive guidance on complying with regulations. With HIPAA, for example, it is possible to find good resources on meeting the law’s burdensome requirements. These include administrative safeguards, physical safeguards, and other controls.
Cybersecurity frameworks provide a basis for achieving a strong security posture and preventing data breaches. In some cases, they enable an organization to become certified as compliant with a specific regulation. Adopting a framework requires a decision to commit time and resources to the project. If done right, however, it’s worth it! The framework offers an organized way to become secure and then continually measure the effectiveness of the security controls established by the framework.