In this article we discuss cybersecurity frameworks that help reduce cyber risk.
Today, it’s virtually inevitable that digital technology and data will be essential to some aspect of your life. It could be your work, your personal relationships, your living situation, and so forth. If you run a business, you’re for sure utterly dependent on devices and data.
Unfortunately, as we are now reminded on a daily basis, bad people with bad intentions are eager to steal the data that you and your business need to function. Their motivations vary, but in general, malicious actors either want to profit from your devices and data or disrupt them—or both.
WHAT IS A CYBERSECURITY FRAMEWORK?
A cybersecurity framework is, essentially, a system of standards, guidelines, and best practices for managing the risks that arise in the digital world. A framework typically maps security objectives, such as preventing unauthorized system access, to controls, such as requiring a username and password.
If that is confusing, it might help to first understand what a framework is in general. In the physical world, a framework is a system of beams that hold up a building. In the world of ideas, a framework is a structure that underpins a system or concept. A framework is a way of organizing information and, in most cases, related tasks.
Frameworks have been around for a long time. In financial accounting, for example, frameworks help accountants keep track of financial transactions. An accounting framework is built around concepts like assets, liabilities, costs, and controls. Cybersecurity frameworks take the same approach to the work of securing digital assets. The framework is designed to give security managers a reliable, systematic way to mitigate cyber risk, no matter how complex the environment might be.
Cybersecurity frameworks are often mandatory, or at least strongly encouraged, for companies that want to comply with state, industry, and international cybersecurity regulations. For example, in order to handle credit card transactions, a business must pass an audit attesting to its compliance with the Payment Card Industry Data Security Standard (PCI DSS).
TYPES OF CYBERSECURITY FRAMEWORKS
At the most recent RSA Conference, Frank Kim, former CISO of the SANS Institute and one of the top cybersecurity experts, gave a clear explanation of these framework types. He split them into three categories and outlined their purposes:
- Develop a basic strategy for security team
- Provide baseline set of controls
- Assess current technical state
- Prioritize control implementation
- Assess state of security program
- Build comprehensive security program
- Measure program security/ competitive analysis
- Simplify communication between security team and business leaders
- Define key process steps to assess/manage risk
- Structure program for risk management
- Identify, measure, and quantify risk
- Prioritize security activities
Let’s take a look at seven common cybersecurity frameworks.
- NIST Cybersecurity Framework
- ISO 27001 and ISO 27002
- SOC2
- NERC CIP
- HIPAA
- GDPR
- FISMA
NIST Cybersecurity Framework
The NIST Cybersecurity Framework was established in response to an executive order by former President Obama — Improving Critical Infrastructure Cybersecurity — which called for greater collaboration between the public and private sectors in identifying, assessing, and managing cyber risk. While compliance is voluntary, the NIST framework has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations.
ISO 27001 and ISO 27002
Created by the International Organization for Standardization (ISO), ISO 27001 and ISO 27002 certifications are considered the international standard for validating a cybersecurity program — internally and across third parties. With an ISO certification, companies can demonstrate to the board, customers, partners, and shareholders that they are doing the right things to manage cyber risk. Likewise, if a vendor is ISO 27001/2 certified it’s a good indicator (although not the only one) that they have mature cybersecurity practices and controls in place.
The downside is that the process requires time and resources; organizations should only proceed if there is a true benefit, such as the ability to win new business. The certification is also a point-in-time exercise and could miss evolving risks that continuous monitoring can detect.
SOC2
Service Organization Control (SOC) Type 2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to help verify that vendors and partners are securely managing client data.
SOC2 specifies more than 60 compliance requirements and extensive auditing processes for third-party systems and controls. Audits can take a year to complete. At that point, a report is issued which attests to a vendor’s cybersecurity posture.
Because of its comprehensiveness, SOC2 is one of the toughest frameworks to implement, especially for organizations in the finance or banking sector, which face a higher standard for compliance than other sectors. Nevertheless, it’s an important framework that should be central to any third-party risk management program.
NERC CIP
Introduced to mitigate the rise in attacks on U.S. critical infrastructure and growing third-party risk, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are a set of cybersecurity standards designed to help organizations in the utility and power sector reduce cyber risk and ensure the reliability of bulk electric systems.
The framework requires impacted organizations to identify and mitigate cyber risks in their supply chain. NERC CIP stipulates a range of controls, including categorizing systems and critical assets, training personnel, incident response and planning, recovery plans for critical cyber assets, vulnerability assessments, and more.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a cybersecurity framework that requires healthcare organizations to implement controls for securing and protecting the privacy of electronic health information. Per HIPAA, in addition to demonstrating compliance with cyber best practices — such as training employees — companies in the sector must also conduct risk assessments to identify and manage emerging risks.
GDPR
The General Data Protection Regulation (GDPR) was adopted in 2016 to strengthen data protection procedures and practices for citizens of the European Union (EU). The GDPR applies to all organizations established in the EU and to any business that collects and stores the private data of EU citizens — including U.S. businesses.
The framework includes 99 articles pertaining to a company’s compliance responsibilities including a consumer’s data access rights, data protection policies and procedures, data breach notification requirements (companies must notify their national regulator within 72 hours of breach discovery), and more.
Fines for non-compliance are high: up to €20,000,000 or 4% of global revenue, and the EU is not shy about enforcing them.
FISMA
The Federal Information Security Management Act (FISMA) is a comprehensive cybersecurity framework that protects federal government information and systems against cyber threats. FISMA also extends to third parties and vendors who work on behalf of federal agencies. The FISMA framework is aligned closely with NIST standards and requires agencies and third parties to maintain an inventory of their digital assets and to identify any integrations between networks and systems. Sensitive information must be categorized according to risk, and security controls must meet the minimum security standards defined by FIPS and the NIST 800 series guidelines. Impacted organizations must also conduct cybersecurity risk assessments, annual security reviews, and continuously monitor their IT infrastructure.
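As an added illustration (not from the article, and not any agency's tooling), the following Python sketch applies the categorization step the FISMA paragraph refers to in the way FIPS 199 and FIPS 200 define it: each information type held by a system is rated LOW, MODERATE or HIGH for confidentiality, integrity and availability, and the system's overall impact level is the high-water mark (the maximum) across all types and all three objectives, which is the level used to pick a control baseline. The inventory, the system names, the `example.gov` owners and the interconnection review heuristic (flagging a lower-impact system that connects to a higher-impact one, or to something missing from the inventory) are constructed assumptions for the example, not FISMA requirements.

```python
"""Security categorization of a constructed asset inventory.

Follows the FIPS 199 / FIPS 200 rule: per-objective impact levels are
the high-water mark over a system's information types, and the overall
system impact level is the high-water mark over the three objectives.
The interconnection review at the end is this example's own heuristic.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Ordering used for the high-water mark comparison.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass
class InfoType:
    """One kind of information a system stores or processes."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject typos such as "MED" early; an unrated type would silently
        # lower the category otherwise.
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT_RANK:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")


@dataclass
class System:
    """An inventory entry: owner, information types, and known integrations."""
    system_id: str
    owner: str
    info_types: List[InfoType] = field(default_factory=list)
    connects_to: List[str] = field(default_factory=list)


def _high_water_mark(levels: Iterable[str]) -> str:
    return max(levels, key=IMPACT_RANK.__getitem__)


def security_category(system: System) -> Dict[str, str]:
    """Per-objective levels, i.e. FIPS 199's SC = {(C, x), (I, y), (A, z)}."""
    if not system.info_types:
        raise ValueError(f"{system.system_id}: no information types recorded")
    return {
        "confidentiality": _high_water_mark(t.confidentiality for t in system.info_types),
        "integrity": _high_water_mark(t.integrity for t in system.info_types),
        "availability": _high_water_mark(t.availability for t in system.info_types),
    }


def system_impact_level(system: System) -> str:
    """Overall level: high-water mark across the three objectives (FIPS 200)."""
    return _high_water_mark(security_category(system).values())


def interconnection_review(inventory: List[System]) -> List[str]:
    """Heuristic (example's own): flag links from a lower-impact system to a
    higher-impact one, and links to systems absent from the inventory."""
    by_id = {s.system_id: s for s in inventory}
    findings = []
    for s in inventory:
        s_level = system_impact_level(s)
        for peer_id in s.connects_to:
            peer = by_id.get(peer_id)
            if peer is None:
                findings.append(f"{s.system_id} connects to {peer_id}, which is not in the inventory")
                continue
            p_level = system_impact_level(peer)
            if IMPACT_RANK[s_level] < IMPACT_RANK[p_level]:
                findings.append(
                    f"{s.system_id} ({s_level}) connects to {peer_id} ({p_level}): review boundary controls"
                )
    return findings


def sample_inventory() -> List[System]:
    """Constructed inventory used for illustration only."""
    return [
        System("HR-PORTAL", "hr@example.gov",
               [InfoType("employee PII", "HIGH", "MODERATE", "LOW"),
                InfoType("payroll", "MODERATE", "HIGH", "MODERATE")],
               connects_to=["PUBLIC-WEB", "LEGACY-FAX"]),
        System("PUBLIC-WEB", "web@example.gov",
               [InfoType("press releases", "LOW", "MODERATE", "LOW")],
               connects_to=["HR-PORTAL"]),
    ]


if __name__ == "__main__":
    for system in sample_inventory():
        print(system.system_id, security_category(system), "->", system_impact_level(system))
    for finding in interconnection_review(sample_inventory()):
        print("FINDING:", finding)
```

In the constructed data the HR portal lands at HIGH because a single HIGH rating on any objective of any information type is enough under the high-water mark, which is exactly why inventories that omit an information type, or rate it loosely, end up under-protecting the system.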