There are numerous challenges to building and managing an information security program. Organizations need to comply with industry regulations, state directives and even international statutes in some cases.
Frameworks offer a way to address your cyber defense. They help organizations oversee and administer cybersecurity practices to optimize results and reduce risks.
However, there is no one-size-fits-all approach to mitigating cyber risk, and often, organizations use a hybrid approach – customizing their security strategies by using the standards that apply to their unique business needs.
Four frequently used standards are:
• CIS Controls
• NIST Cybersecurity Framework
• PCI DSS
The Center for Internet Security Controls are a “recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.” They are a free framework, created in 2008 and updated by a community review process.
An international consortium of experts created the standards. The group includes private sector companies, government agencies, institutions and individuals involved in cyber analysis, software vulnerability, solution finding, software users, consultants, policy-makers, executives, academia and auditors who have experience in the field of cyber defense.
There are 20 Controls – decided on by the aforementioned experts – that help stop the majority of most cyberattacks. The Controls prioritize defenses so that organizations can quickly decide which high-value issues they should focus on before applying resources on additional issues unique to their business.
You can download the CIS Controls here.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
NIST has been around for a long time. One of the nation’s oldest physical science laboratories, it was founded in 1901 and is now part of the US Department of Commerce.
In 2014, the NIST Cybersecurity Framework Version 1.0 set computer security guidelines for private sector companies in the US can assess and improve their cybersecurity. It offers catalogs of cybersecurity outcomes as well as methods to assess and manage those outcomes. It is not recognized outside the United States.
In April 2018, NIST updated this framework with Version 1.1.
NIST has three parts –- Core, Profile, and Tiers.
The Core’s data is organized into five functions – identify, protect, detect, respond, and recover. These functions are subdivided into 22 categories. Each category defines 98 subcategories of cybersecurity outcomes and controls. Pay close attention to the word outcomes in that last sentence. The Core should be thought of as a list of potential outcomes – how, when or even if to achieve them is left up the each company using the framework – to achieve, not a set of actions to take.
The Profile consists of cybersecurity activities and outcomes. It is designed to allow a company that uses software with this framework to create a target profile or baseline profile customized for the infrastructure common to the company’s industry or the type of business it is.
Tiers include the cybersecurity risks and their degree of sophistication.
Understand that NIST is not about companies achieving every Core outcome. Businesses are encouraged to use the framework to help them identify and prioritize cybersecurity improvements, taking into consideration their own business risks.
A joint technical committee that includes the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed the ISO/IEC framework. The committee’s purpose was to develop, maintain and promote standards in the trades of information technology (IT) and Information and Communications Technology (IEC).
The committee created a number of cybersecurity frameworks, called the ISO/IEC 27000-series. While ISO/IEC 27001 is commonly discussed, ISO/IEC 27002 is a well-known implementation guidance for 27001.
ISO/IEC 27001 is specifications for an information security management system. It is a framework of policies and procedures that include legal, physical and technical controls involved in an organization’s information risk management activities. The documentation that created the standard explains that it was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The framework defines a six-part approach to assure cybersecurity:
1. Define a security policy.
2. Define the scope of the information security management system.
3. Perform a risk assessment.
4. Manage identified risks.
5. Select objectives and controls to be applied.
6. Create an application statement.
ISO/IEC 27002 is a guidance document that helps explain how organizations can comply with 27001 requirements.
There are also a number of other standards in the ISO/IEC 27000-series, which can be found here. Like 27002, the other documents are all codes of practice that support 27001.
PCI DSS Framework
PCI DSS (Payment Card Industry Data Security Standard) is used by retailers and other industries to assure the security of credit, debit and cash card transactions. It also protects cardholders against misuse of their personal information.
The PCI Standard is mandated by the credit card brands, and compliance validations are performed regularly.
Originally, five different programs were started by large credit card companies: Visa, MasterCard, American Express, Discover and JCB. In 2006, the Payment Card Industry Security Standards Council was formed to consolidate the original policies into a comprehensive standard for global use.
PCI DSS, while it may seem like a challenging legal obligation to navigate, offers robust security measures that will help keep your organization safe. In fact, a 2017 Verizon study found that “organizations experiencing a data breach were less likely to be compliant with 10 out of the 12 PCI DSS Key Requirements,” with “no organization affected by payment card data breaches found to be in full compliance with the PCI DSS.”
Which cybersecurity framework is right for you?
Many organizations implement cybersecurity frameworks and, often, they use more than one. While highly-regulated industries are more likely to follow these frameworks, it’s important to remember that all organizations should be utilizing cyber defense and following some form of best practices. It’s also important to remember that these frameworks work in different ways and are not meant as replacements for each other or other controls.
There is no such thing as a one-size-fits-all security strategy, and each framework should be evaluated thoroughly before you decide to implement. A hybrid approach is commonly used, as organizations vary widely in size and focus (though, of course, there are often industry-specific compliance requirements).
But it all boils down to this – whichever framework(s) you choose to utilize, a detailed and comprehensive defense strategy is now more important than ever to secure your business.