While a cybersecurity framework provides a set of "best practices" for measuring risk tolerance and establishing controls, selecting the one that is appropriate for your firm can be challenging. Furthermore, many laws and regulations refer to more than one standard or framework.
In this article, we will dive deep into the main concepts and share some cybersecurity framework examples. Once you finish reading it, you will be able to find out which framework best suits your needs!
Cybersecurity - Living in a Digital World
Today, it’s virtually inevitable that digital technology and data will be essential to some aspect of your life. It could be your work, relationships, living situation, and so forth. For example, you’re utterly dependent on devices and data if you run a business.
Unfortunately, imperfect people with bad intentions are eager to steal the data you and your business need to function. Their motivations vary, but malicious actors generally either want to profit from your devices and data or disrupt them—or both.
It’s also shocking that a recent survey from Insight found that over 70% of business leaders are NOT convinced that their companies can withstand a possible cyber attack.
To address these fears, many companies adopt frameworks to identify, monitor and mitigate cybersecurity risks before they turn into incidents.
What can you do to achieve the best cybersecurity under these circumstances?
There are ways to reach a satisfactory level of cybersecurity, including data security and database security solutions. Frequently, the best way to meet this objective is to adopt a cybersecurity framework, which provides the structure and methodology to protect your critical digital assets.
What is a cybersecurity framework?
A cybersecurity framework is, essentially, a system of standards, guidelines, and best practices to manage risks that arise in the digital world. They typically match security objectives, like avoiding unauthorized system access, with controls like requiring a username and password.
If that is confusing, it might help to first understand what a framework is. In the physical world, a framework is the system of beams that holds up a building. In the world of ideas, a framework is a structure that underpins a system or concept: a way of organizing information and, in most cases, the related tasks.
Frameworks have been around for a long time. For example, in financial accounting, frameworks help accountants keep track of financial transactions. An accounting framework is built around concepts like assets, liabilities, costs, and controls. Cybersecurity frameworks take the framework approach to the work of securing digital assets. The framework is designed to give security managers a reliable, systematic way to mitigate cyber risk no matter how complex the environment might be.
Cybersecurity frameworks are often mandatory, or at least strongly encouraged, for companies that want to comply with state, industry, and international cybersecurity regulations. For example, in order to handle credit card transactions, a business must demonstrate its compliance with the Payment Card Industry Data Security Standard (PCI DSS). Depending on its transaction volume, it does so either through an on-site assessment by a Qualified Security Assessor or through a Self-Assessment Questionnaire.
Types of cybersecurity frameworks
In a widely cited SANS presentation, Frank Kim, former CISO of the SANS Institute and one of the best-known practitioners in the field, gave a clear taxonomy of framework types. He split them into three categories and outlined the purposes of each:
Control frameworks
- Develop a basic strategy for the security team
- Provide a baseline set of controls
- Assess the current technical state
- Prioritize control implementation
Program frameworks
- Assess the state of the security program
- Build a comprehensive security program
- Measure program maturity and compare it with peers
- Simplify communication between the security team and business leaders
Risk frameworks
- Define key process steps to assess and manage risk
- Structure the program for risk management
- Identify, measure, and quantify risk
- Prioritize security activities
Cybersecurity framework examples
There are many different frameworks, but a few dominate the market. In addition to PCI DSS, popular frameworks include:
- The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- The Center for Internet Security Critical Security Controls (CIS Controls)
- The International Organization for Standardization (ISO) standards ISO/IEC 27001 and ISO/IEC 27002
The NIST cybersecurity framework
The NIST Framework for Improving Critical Infrastructure Cybersecurity, usually just called the “NIST cybersecurity framework” or NIST CSF, is, as its name suggests, intended to protect critical infrastructure such as power plants and dams from cyber attacks. Its principles, however, apply to any organization that wants better security, and it is one of several NIST publications that cover cybersecurity.
Like most frameworks, the NIST cybersecurity framework is complex and broad in scope. The basic document describing it runs 41 pages. The implementation of the framework can involve thousands of person-hours and hundreds of pages of documentation, procedures, controls, etc. At the root, though, the framework is fairly easy to understand.
The framework’s core is a set of cybersecurity functions that follow the basic pattern of cyber defense: Identify, Protect, Detect, Respond, and Recover. It gives the organization an organized way to identify the assets that need protection and the risks to them, to protect those assets, to detect incidents when controls fail, to respond to them, and to recover affected assets and services afterwards.
What are the five elements of the NIST cybersecurity framework?
The Identify function lays the groundwork for every other cybersecurity measure your company takes. Knowing what assets exist, what risks those assets and environments carry, and how they relate to your business goals is critical to the Framework’s success.
The Protect function covers the safeguards that limit or contain the impact of a potential incident. It contains, for example, a category known as PR.DS, Data Security. Going one level deeper, PR.DS is broken into sub-categories (seven in the original version, eight in version 1.1), each intended to ensure the protection of data in a particular state or context. These include protecting data at rest (PR.DS-1), protecting data in transit (PR.DS-2), and so on. To satisfy PR.DS-1, for instance, the organization might mandate encryption of data at rest and verify that every storage system actually enforces it.
The Detect function covers the activities needed to identify the occurrence of a cybersecurity event in time to act on it; it is where logging, monitoring and anomaly detection live.
The Respond function covers what the organization does once an event is detected: response planning, communications, analysis, mitigation, and the improvements fed back into the program so that it keeps getting better.
The Recover function covers restoring any capabilities or services impaired by an incident, so that the organization returns to normal operation quickly and the impact is contained. Recovery Planning, Improvements, and Communications are the outcome categories for this function.
The CIS Controls
The CIS Controls were created in the late 2000s by a volunteer coalition of experts from government, academia and industry, and that coalition still updates them regularly to keep pace with current threats. Version 7 comprises 20 controls; version 8, released in 2021, consolidates them into 18.
CIS works well for organizations that want to start with small steps. In version 7 the controls are divided into three groups: Basic, then Foundational, and finally Organizational (version 8 replaces this with Implementation Groups IG1 to IG3, ordered by an organization's risk profile and the resources it has). CIS is also a good choice if you want an additional framework that coexists with other compliance requirements such as HIPAA, PCI DSS or the NIST CSF, to which the controls are mapped.
CIS also publishes the CIS Benchmarks: consensus-developed secure-configuration guides for specific technologies such as operating systems, cloud platforms, databases and browsers. They are mapped to the CIS Controls and, through them, to other frameworks, but they are equally useful to organizations with no compliance obligation that simply want a hardened baseline.
Each benchmark recommendation is assigned one of two profiles. Level 1 recommendations are essential settings that can be applied broadly with little or no impact on functionality or performance. Level 2 recommendations provide defense in depth for environments where security is paramount; they may reduce functionality or performance, so they should be tested before being rolled out.
ISO/IEC 27001 and 27002
ISO/IEC 27001 and 27002, often referred to together as the ISO 27K family, are the internationally recognized standards for information security management. ISO/IEC 27001 requires that an organization adopting it establish an Information Security Management System (ISMS) and systematically manage its information security risks, taking threats and vulnerabilities into account; ISO/IEC 27002 is the companion guidance on implementing the controls.
The standard then requires the organization to design and implement a coherent and comprehensive set of information security (InfoSec) controls whose purpose is to treat the identified risks, and to run an ongoing risk management process around them. To be certified against ISO/IEC 27001, the organization must demonstrate to the auditor that the ISMS is operated as a continual-improvement loop. The 2005 edition of the standard described this loop explicitly as the “PDCA Cycle”; the current editions no longer name it, but the same cycle underlies the requirements.
What is the PDCA cycle? PDCA is a management method built on four steps that every organization running an ISMS should consider:
- Plan — means establishing the ISMS itself along with the policies, objectives, processes, and procedures for risk management.
- Do — refers to implementing and operating the ISMS, including putting the InfoSec policies, procedures, and controls into practice.
- Check — involves monitoring and reviewing the ISMS, measuring process performance against the policies and objectives.
- Act — is the process of updating and improving the ISMS, including corrective and preventive actions based on internal audits and management reviews.
Companies and government agencies adopt ISO 27001 mainly to get certified; otherwise it is a lot of work without much to show for the effort. ISO itself does not certify anyone: certificates are issued by accredited certification bodies whose auditors assess the ISMS. Organizations usually bring in an experienced consultant to build the ISMS, but that consultant cannot also be the certifying auditor; the certification body must be independent of whoever designed and implemented the system.
Regulations such as the GDPR set requirements for protecting personal data; frameworks help organizations meet them.
Some frameworks exist for a specific industry or security scenario.
- COBIT, for example, is ISACA’s framework for the governance and management of enterprise IT. It is widely used to structure the IT general controls that Sarbanes-Oxley compliance relies on.
- HIPAA, a law designed to protect patients' privacy, comprises regulations and a framework. PCI DSS is similar. It’s a specific set of control requirements coupled with a certification process to attest to compliance.
- The EU GDPR rules that protect personal information are somewhat softer in nature. The rules are quite clear, but compliance is not certified by any specific
How to comply with multiple cybersecurity regulations
Most businesses, especially ones that work internationally, must comply with a collection of different cybersecurity regulations. Frameworks can be a great way to tackle this complicated challenge. They give you a way to define, enforce, and monitor controls across multiple compliance regimens.
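The PR.DS-1 and PR.DS-2 subcategories discussed under the Protect function, and the point made here that one set of controls can be defined and monitored across several compliance regimes, can be made concrete as a small controls-as-code check. The following is an added example written for this article, not code from NIST, CIS, ISO or the PCI Security Standards Council; the asset inventory is constructed sample data, and the CIS, ISO and PCI DSS references in the crosswalk are illustrative assumptions that should be verified against the current framework texts before being relied on in an assessment:

```python
"""Controls-as-code: evaluate an asset inventory against two data-protection
controls and report each gap with the framework references it maps to.

Added example for this article; not code from NIST, CIS, ISO or the PCI SSC.
The asset inventory is constructed. The NIST CSF ids are the ones named in
the article; the CIS, ISO and PCI DSS references are assumed mappings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Internal control id -> where the same requirement appears in each framework.
CROSSWALK: Dict[str, Dict[str, str]] = {
    "ENCRYPT_AT_REST": {
        "NIST CSF": "PR.DS-1",           # data-at-rest is protected (from the article)
        "CIS Controls v8": "3.11",       # encrypt sensitive data at rest (assumed mapping)
        "ISO/IEC 27001:2022": "A.8.24",  # use of cryptography (assumed mapping)
        "PCI DSS v4.0": "3.5.1",         # stored PAN rendered unreadable (assumed mapping)
    },
    "ENCRYPT_IN_TRANSIT": {
        "NIST CSF": "PR.DS-2",           # data-in-transit is protected (from the article)
        "CIS Controls v8": "3.10",       # encrypt sensitive data in transit (assumed mapping)
        "ISO/IEC 27001:2022": "A.8.24",  # use of cryptography (assumed mapping)
        "PCI DSS v4.0": "4.2.1",         # strong crypto for PAN on public networks (assumed mapping)
    },
}

MIN_TLS = (1, 2)  # policy floor: TLS 1.2 or newer


@dataclass
class Asset:
    name: str
    classification: str             # "public", "internal", "cardholder", ...
    encrypted_at_rest: bool
    tls_min_version: Optional[str]  # lowest protocol version the listener accepts; None = plaintext


def tls_meets_floor(version: Optional[str]) -> bool:
    """True when the listener's minimum TLS version is at or above MIN_TLS."""
    if version is None:
        return False
    major, minor = (int(part) for part in version.split("."))
    return (major, minor) >= MIN_TLS


def _finding(asset: Asset, control: str, detail: str) -> dict:
    return {"asset": asset.name, "control": control,
            "detail": detail, "maps_to": CROSSWALK[control]}


def evaluate(asset: Asset) -> List[dict]:
    """Return one finding per failed control; public data is out of scope."""
    findings: List[dict] = []
    if asset.classification == "public":
        return findings
    if not asset.encrypted_at_rest:
        findings.append(_finding(asset, "ENCRYPT_AT_REST",
                                 "data at rest is not encrypted"))
    if not tls_meets_floor(asset.tls_min_version):
        shown = asset.tls_min_version or "none (plaintext)"
        findings.append(_finding(asset, "ENCRYPT_IN_TRANSIT",
                                 f"minimum TLS is {shown}, policy requires "
                                 f"{MIN_TLS[0]}.{MIN_TLS[1]}+"))
    return findings


def gap_report(assets: List[Asset]) -> List[dict]:
    """Evaluate every asset and flatten the findings into one list."""
    return [f for asset in assets for f in evaluate(asset)]


def failing_references(findings: List[dict]) -> Dict[str, Set[str]]:
    """Group open gaps by framework so one fix can be reported to every regime at once."""
    by_framework: Dict[str, Set[str]] = {}
    for f in findings:
        for framework, ref in f["maps_to"].items():
            by_framework.setdefault(framework, set()).add(ref)
    return by_framework


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("orders-db", "cardholder", encrypted_at_rest=True, tls_min_version="1.2"),
    Asset("legacy-ftp", "internal", encrypted_at_rest=False, tls_min_version=None),
    Asset("marketing-site", "public", encrypted_at_rest=False, tls_min_version="1.0"),
    Asset("hr-share", "internal", encrypted_at_rest=True, tls_min_version="1.0"),
]

if __name__ == "__main__":
    report = gap_report(SAMPLE_ASSETS)
    for f in report:
        refs = ", ".join(f"{fw} {ref}" for fw, ref in f["maps_to"].items())
        print(f"{f['asset']}: {f['detail']} -> {refs}")
    for fw, refs in failing_references(report).items():
        print(f"{fw}: open gaps in {sorted(refs)}")
```

Run against the sample inventory, the check flags legacy-ftp twice (unencrypted storage and a plaintext listener) and hr-share once (a TLS 1.0 floor), while marketing-site is skipped because public data is out of scope for these controls. The failing_references summary is what matters when you answer to more than one regime: raising the TLS floor on two hosts closes PR.DS-2, CIS 3.10 and PCI DSS 4.2.1 in a single change, and the same inventory record is the evidence for each of them.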
The good news is that security vendors, consultancies and the regulators themselves publish extensive guidance on complying with regulations. With HIPAA, for example, good resources exist for meeting the Security Rule’s demanding requirements, which are organized into administrative, physical and technical safeguards.
Cybersecurity frameworks provide a basis for achieving a strong security posture and preventing data breaches. In some cases, they enable an organization to become certified compliant with a specific regulation. Adopting a framework requires a decision to commit time and resources to the project. If done right, however, it’s worth it! The framework offers an organized way to become secure and continually measure the effectiveness of the security controls established by the framework.