Cybersecurity Frameworks: A Beginner’s Guide

Umar Farouk
Mar 20, 2023


What is a Cyber Security Framework?

Cybersecurity frameworks form the backbone of an organization’s security program: they list the requirements the organization must adhere to, drawn from business needs, state and federal regulations, industry requirements, best practices, and other requirements specific to that organization.

In this article, we will dive deep into the main concepts and share some cybersecurity framework examples. Once you’re done reading it, you will be able to find out which framework best suits your needs!


In today’s digital world, our IT assets are never fully secure, because of the number of threat actors attempting to exploit vulnerabilities for a number of reasons, usually for gain or simply for the thrill of disruption. Without guidance it is difficult, for example, to select the appropriate controls for a particular asset.

Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber security risk management. The frameworks exist to reduce an organization’s exposure to weaknesses and vulnerabilities that hackers and other cyber criminals may exploit.

Frameworks comprise industry guidelines, best practices and standards, and can be voluntary or mandatory. As an example, the PCI DSS is a mandatory standard that must be built into the framework of any organization, anywhere in the world, that accepts, processes, stores, or transmits credit card information.

Implementing a formal framework may benefit your organization by improving your security posture, enabling you to make investment decisions that address gaps, and enhancing your resilience against cyberattacks and other compromises.

The framework is responsible for two critical functions within a security program:

First, it organizes all the requirements that the cyber security program will be built on.

Then, it establishes all the hierarchical relationships between different documents and security program elements.

The framework essentially serves as the table of contents for a security program, often listing out the requirements an organization must adhere to regarding business requirements, state and federal regulations, best practices, industry requirements, and other requirements that may be specific to an organization.

It’s important to note the difference between the “security framework” that we’re talking about here, and different frameworks of best practice approaches.

Best practice approaches such as NIST and ISO — which we’ll explore in more detail below — provide a set of requirements that an organization can adhere to, but not all these requirements will necessarily apply to a given organization.

The security framework that we talk about building can be considered more like a framework of frameworks, which includes all the requirements that apply to an organization, often by aggregating from these best practice approaches, business requirements, state and federal regulations, and other sources.

What Are the Types of Cyber Security Frameworks?

Frameworks can be broken down into three types based on the needed function.

Control Frameworks

  • Develops an essential strategy for the organization’s cyber security department
  • Provides a baseline group of security controls
  • Assesses the present state of the infrastructure and technology
  • Prioritizes implementation of security controls

Program Frameworks

  • Assesses the current state of the organization’s security program
  • Constructs a complete cybersecurity program
  • Measures the program’s security and competitive analysis
  • Facilitates and simplifies communications between the cyber security team and the managers/executives

Risk Frameworks

  • Defines the necessary processes for risk assessment and management
  • Structures a security program for risk management
  • Identifies, measures, and quantifies the organization’s security risks
  • Prioritizes appropriate security measures and activities

Best Practice Security Frameworks

Some of the most common sources of requirements for security frameworks come from different best practice approaches.

These best practice guides give organizations strong lists of requirements from which they can derive an organizational framework aligned with those practices. Some of the most popular guides include ISO 27001, the CIS 18 Controls, and of course the NIST Cybersecurity Framework.

The NIST Cyber Security Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity, or the “NIST cybersecurity framework” for brevity’s sake, was established during the Obama Administration in response to presidential Executive Order 13636. The framework was designed to protect America’s critical infrastructure (e.g., dams, power plants) from cyberattacks.

Like most frameworks, the NIST cybersecurity framework is complex and broad in scope. The basic document describing it runs for 55 pages. The implementation of the framework can involve thousands of person-hours and hundreds of pages of documentation, procedures, controls, etc. At the root, though, the framework is fairly easy to understand.

The framework’s core is a list of cybersecurity functions that follow the basic pattern of cyber defense: identify, protect, detect, respond, and recover. The framework provides an organized mechanism for identifying risks and assets that require protection. It lists the ways the organization must protect these assets by detecting risks, responding to threats, and then recovering assets in the event of a security incident.

There are five functions or best practices associated with NIST:

IDENTIFY

The Identify function lays the groundwork for all later cybersecurity measures taken by your company. Determining what assets exist, what risks those environments carry, and how they connect to your business goals is critical to the Framework’s success.

PROTECT

The framework contains a category known as PR.DS, the Data Security category of the Protect function. Going deeper into the framework, PR.DS has seven sub-categories, each intended to ensure the protection of data. These include controls for protecting data at rest (PR.DS-1), protecting data in transit (PR.DS-2), and so on. To comply with PR.DS-1, for instance, the organization might mandate encryption of data at rest.

DETECT

The Detect function necessitates the creation and implementation of the necessary operations to detect the presence of a cybersecurity incident. It allows for the prompt detection of cybersecurity occurrences.

RESPOND

The Respond function covers response planning, analysis, and mitigation activities, along with improvements and communications, so that the cybersecurity program keeps improving after each incident.

RECOVER

The Recover function enables a fast return to regular activities in order to limit the impact of a cybersecurity incident. Recovery Planning, Improvements, and Communications are examples of outcomes for this Framework Core function.
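The Framework Core identifiers (Function.Category-Subcategory, e.g. PR.DS-1) make the structure described above easy to model, and the same model supports the control-framework jobs listed earlier: assessing the present state and prioritizing implementation. The following Python script is an added example and is not code from the article or from NIST. It holds a small constructed slice of the Core (the outcome text is paraphrased from the CSF 1.1 subcategory names), maps an organization’s constructed controls onto subcategories, and produces a gap report ordered by function, the kind of evidence an auditor would ask for under PR.DS-1.

```python
"""Model a framework core (Function > Category > Subcategory) and check how
well an organization's controls cover it. Added example; identifiers follow the
NIST CSF pattern, control names and statuses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Function order of the Core; the text calls this the basic pattern of defence.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
STATUS_RANK = {"implemented": 2, "partial": 1}   # "none" ranks 0


@dataclass(frozen=True)
class Subcategory:
    id: str        # e.g. "PR.DS-1": function PR, category DS, subcategory 1
    outcome: str

    @property
    def function(self) -> str:
        return FUNCTIONS[self.id.split(".")[0]]

    @property
    def category(self) -> str:
        return self.id.split("-")[0]   # "PR.DS"


@dataclass
class Control:
    name: str
    satisfies: Set[str]   # subcategory ids this control is evidence for
    status: str           # "implemented" or "partial"


# Constructed slice of the Core: the two PR.DS subcategories named in the
# article plus one Identify and one Detect subcategory; all other
# subcategories are omitted here.
CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried"),
    Subcategory("PR.DS-1", "Data-at-rest is protected"),
    Subcategory("PR.DS-2", "Data-in-transit is protected"),
    Subcategory("DE.CM-1", "The network is monitored to detect potential "
                           "cybersecurity events"),
]

# Constructed organization controls; laptops are encrypted, servers are not.
CONTROLS = [
    Control("Full-disk encryption on laptops", {"PR.DS-1"}, "partial"),
    Control("TLS 1.2+ enforced on external services", {"PR.DS-2"}, "implemented"),
    Control("CMDB asset inventory", {"ID.AM-1"}, "implemented"),
]


def coverage(core: List[Subcategory], controls: List[Control]) -> Dict[str, str]:
    """Best status per subcategory: implemented > partial > none."""
    result = {s.id: "none" for s in core}
    for c in controls:
        for sid in c.satisfies:
            if sid not in result:   # catch mapping typos early
                raise ValueError(f"control {c.name!r} maps to unknown subcategory {sid}")
            if STATUS_RANK.get(c.status, 0) > STATUS_RANK.get(result[sid], 0):
                result[sid] = c.status
    return result


def gap_report(core: List[Subcategory], controls: List[Control]) -> List[str]:
    """Subcategories not fully implemented, ordered Identify -> Recover."""
    cov = coverage(core, controls)
    order = list(FUNCTIONS)
    gaps = [s for s in core if cov[s.id] != "implemented"]
    gaps.sort(key=lambda s: (order.index(s.id.split(".")[0]), s.id))
    return [f"{s.id} ({s.function}): {cov[s.id]} - {s.outcome}" for s in gaps]


def evidence(controls: List[Control], subcategory_id: str) -> List[str]:
    """Control names that can be shown to an auditor for one subcategory."""
    return [c.name for c in controls if subcategory_id in c.satisfies]


def category_summary(core: List[Subcategory],
                     controls: List[Control]) -> Dict[str, Tuple[int, int]]:
    """Per category: (fully implemented subcategories, total subcategories)."""
    cov = coverage(core, controls)
    summary: Dict[str, Tuple[int, int]] = {}
    for s in core:
        done, total = summary.get(s.category, (0, 0))
        summary[s.category] = (done + int(cov[s.id] == "implemented"), total + 1)
    return summary


if __name__ == "__main__":
    for line in gap_report(CORE, CONTROLS):
        print(line)
    print(category_summary(CORE, CONTROLS))
    print("PR.DS-1 evidence:", evidence(CONTROLS, "PR.DS-1"))
```

Running the script lists PR.DS-1 as partial (laptops only) and DE.CM-1 as uncovered, and reports PR.DS at 1 of 2 subcategories implemented. The unknown-subcategory check matters in practice: a control mapped to a mistyped identifier would otherwise silently count for nothing.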

ISO/IEC 27001

ISO/IEC 27001 and 27002, also known as ISO 27K, are the internationally recognized standards for information security. The standard requires that an organization adopting ISO 27001 operate an Information Security Management System (ISMS). ISO/IEC 27001 requires that management systematically manage the organization’s information security risks, taking threats and vulnerabilities into account.

The framework then requires the organization to design and implement coherent and comprehensive information security (InfoSec) controls. The goal of these controls is to mitigate the identified risks. The framework expects the organization to adopt an ongoing risk management process. To get certified as ISO 27001-compliant, an organization must demonstrate to the auditor that it is using what ISO refers to as the “PDCA Cycle” (Plan-Do-Check-Act).

CIS 18 Controls

The CIS Controls were built in the late 2000s by a volunteer coalition of experts to create a framework for protecting companies from cybersecurity threats. They originally comprised 20 controls (now 18) that experts from government, academia, and industry regularly update so that they stay current with evolving threats.

CIS works well for organizations that want to start with baby steps. Their process is divided into three groups. First, they start with the basics, then move into foundational, and finally, organizational. CIS is also a great option if you want an additional framework that can coexist with other industry-specific compliance standards (such as HIPAA and NIST).

CIS also publishes benchmarks: configuration guidelines based on commonly used standards such as NIST and HIPAA. The benchmarks map to those standards to help companies comply with them, and they also offer baseline secure configurations for organizations that have no compliance obligation but want to improve their security.

These benchmarks are divided into two levels. The first consists of essential security configurations that do not affect service performance; the second is a more advanced level offering stricter security configuration recommendations, possibly at a significant cost in performance.

The Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is an example of an industry-specific regulation formed in 2004 by leading credit card companies. It applies to any organization that stores, processes, or manages credit card information.

The PCI DSS establishes a solid suite of requirements an organization can use to establish a security policy framework, but it focuses primarily on securing credit and debit card transactions, as well as any associated information.

If your organization maintains multiple types of data, however, such as a medical clinic that processes co-payments, the PCI DSS isn’t enough to establish a comprehensive set of requirements for your program’s framework.

The Health Insurance Portability and Accountability Act (HIPAA)

Better known as HIPAA, it provides a framework for managing confidential patient and consumer data, particularly privacy issues. This legislation protects electronic healthcare information and is essential for healthcare providers, insurers, and clearinghouses.

The Need for Cyber Security Frameworks

Cyber security frameworks remove some of the guesswork in securing digital assets. Frameworks give cyber security managers a reliable, standardized, systematic way to mitigate cyber risk, regardless of the environment’s complexity.

Cyber security frameworks help teams address cyber security challenges by providing a strategic, well-thought-out plan to protect their data, infrastructure, and information systems. The frameworks offer guidance, helping IT security leaders manage their organization’s cyber risks more intelligently.

Companies can adapt and adjust an existing framework to meet their own needs or create one internally. However, the latter option could pose challenges since some businesses must adopt security frameworks that comply with commercial or government regulations. Home-grown frameworks may prove insufficient to meet those standards.

Bottom line, businesses are increasingly expected to abide by standard cyber security practices, and using these frameworks makes compliance easier and smarter. The proper framework will suit the needs of many different-sized businesses regardless of which of the countless industries they are part of.

In Conclusion …

Building an effective and cohesive security program is impossible without a framework that’s tailored to your company’s goals. The most effective frameworks don’t always fall into a single category, but take applicable portions of best practice frameworks, regulatory requirements, and others.

I hope you have found value in today’s article; consider subscribing and following me on my socials.
