5 Top Cyber Security Frameworks

Many organisations must comply with a mixture of state-mandated, industry-specific and international cyber security regulations. This includes, but isn’t limited to:

  • SOX (the Sarbanes–Oxley Act)
  • The NYDFS Cybersecurity Regulation
  • The SEC cyber security disclosure rules
  • CMMC (Cybersecurity Maturity Model Certification)
  • DORA (Digital Operational Resilience Act) in the EU

These can be challenging to navigate, particularly if you also throw in privacy legislation like the CPRA (California Privacy Rights Act) and the EU GDPR (General Data Protection Regulation). The US may even see a federal privacy law in due course.

These types of laws require you to secure your data and/or systems, often permitting a risk-based approach.

The good news is that this makes compliance less arduous.

The bad news is that these laws can be vague about how to go about security.

This is where implementing an existing, best-practice cybersecurity framework can come in handy. It gives you clear direction on implementing effective defenses.

Let’s go through five popular cybersecurity frameworks.


1. NIST Cybersecurity Framework

The NIST CSF (Cybersecurity Framework) offers a straightforward yet flexible framework, which was updated to version 2.0 in February 2024.

In NIST’s own words, CSF v2.0 “aims to help all organizations — not just those in critical infrastructure, its original target audience — to manage and reduce risks.”

The Framework consists of a ‘core’, with:

  • Functions: govern, identify, protect, detect, respond, and recover.
  • Categories: cybersecurity activities or practices that collectively comprise the associated function. For example, ‘identify’ comprises asset management, risk assessment, and improvement.
  • Subcategories: specific outcomes of each category.

The CSF also has ‘profiles’ and ‘tiers’:

  • Profiles describe the organization’s current/target cybersecurity posture with respect to the Framework’s core.
  • Tiers reflect the rigor or maturity of the organization’s cybersecurity practices. These can help inform the organization’s profiles.

The NIST CSF helps organizations get a sense of what types of security measures lead to what sorts of outcomes, without obligation to implement all of them.

The Framework also makes clear, through its tiers, that you can implement both individual measures and overall security programs to different levels of maturity, depending on your needs.


2. CIS Critical Security Controls

Now at version 8, the CIS Critical Security Controls outlines, as the name suggests, critical controls for security. This framework limits itself to 18 prioritized controls:

  1. Inventory and control of enterprise assets
  2. Inventory and control of software assets
  3. Data protection
  4. Secure configuration of enterprise assets and software
  5. Account management
  6. Access control management
  7. Continuous vulnerability management
  8. Audit log management
  9. Email and web browser protections
  10. Malware defenses
  11. Data recovery
  12. Network infrastructure management
  13. Network monitoring and defense
  14. Security awareness and skills training
  15. Service provider management
  16. Application software security
  17. Incident response management
  18. Penetration testing

The idea is that this relatively short list of recommended controls can prevent most common cyber attacks.


3. NIST SP 800-53

NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, is a more comprehensive control set.

This publication looks at 20 categories (broad areas of security and privacy):

  1. Access control
  2. Awareness and training
  3. Audit and accountability
  4. Assessment, authorization, and monitoring
  5. Configuration management
  6. Contingency planning
  7. Identification and authentication
  8. Incident response
  9. Maintenance
  10. Media protection
  11. Physical and environmental protection
  12. Planning
  13. Program management
  14. Personnel security
  15. Personally identifiable information processing and transparency
  16. Risk assessment
  17. System and services acquisition
  18. System and communications protection
  19. System and information integrity
  20. Supply chain risk management

Each of these areas is broken up into specific controls, making for an overall set of more than 1,000 controls.


4. PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) governs the way payment card information is handled. This contractually enforced standard is designed to reduce payment card fraud, and is administered by the PCI SSC (Security Standards Council).

The Standard applies to any organization (regardless of size or number of transactions) that accepts, stores, transmits, or processes cardholder data. As such, it’s widely adopted across the globe.

PCI DSS v4.0 outlines the following 12 high-level requirements:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malware
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

These are broken up into 277 sub-requirements. However, many organizations within scope of the Standard don’t have to meet them all. By reducing your scope, you can significantly limit the number of requirements you must meet.


5. ISO 27001

ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system). Organisations can achieve independent, accredited certification to the Standard to demonstrate their compliance.

ISO 27001 is the world’s foundational information security standard. Its core ideas lie at the heart of every other cybersecurity standard and regulation.

Those ideas include:

  • The CIA triad
  • Risk assessment
  • Control selection
  • Legal compliance
  • Policies and procedures
  • Continual improvement
  • Incident response and ICT continuity

The CIA triad – confidentiality, integrity, and availability – can be found in every other cybersecurity framework and law.

Another advantage of ISO 27001 is that it requires you to identify your legal and contractual requirements.

Doing this ensures you’ll implement security with those requirements in mind.


Want to accelerate your ISO 27001 implementation?

Need more help with your ISO 27001 project? Get help from the pioneers that led the world’s first ISO 27001 certification project.

We offer a range of solutions to help you prepare for certification, including gap analysis, internal audits and even a FastTrack™ service for small organisations. This gets you to certification readiness in just six months.


The post 5 Top Cyber Security Frameworks appeared first on IT Governance Blog.
