What are cybersecurity frameworks and what are the most common cybersecurity frameworks in the industry?
A cybersecurity framework is a collection of best practices that an organization employs to manage and maintain its security risks and threats. The overall purpose of a cybersecurity framework is to minimize an organization's exposure to cyberattacks and the impact they have. Moreover, it enables organizations to identify the areas that are most at risk for data loss, data breaches, identity theft and other compromising activities staged by cybercriminals. In addition, it provides guidance as organizations work through their risk assessment and security assessment efforts, and it allows cybersecurity leaders to manage organizational risks and security threats more efficiently.
A cybersecurity framework provides the structure and methodology that organizations need to protect their valuable assets. Cyberattacks and security threats are increasing today regardless of the sector or the size of the organization, anywhere in the world. Cybersecurity frameworks are systems of best practices, standards, and guidelines for managing cybersecurity risk in an organization. Adopting a framework is also mandatory for companies that want to comply with industry, state and international laws and regulations, and it provides a means to measure risk tolerance and to establish and select security controls in the organization according to risk assessment requirements.
Common cybersecurity frameworks include the following:
NIST cybersecurity framework: The NIST CSF is a collection of standards, guidelines, and best practices that organizations should use to manage cybersecurity risk and security threats. This is the most comprehensive framework applicable across critical infrastructure and commercial organizations. In addition, it aligns with the security controls and practices found in other cybersecurity frameworks.
There are five main functions of NIST’s cybersecurity framework:
- Identify: developing an organization's understanding of how to manage cybersecurity risks to its systems, entities and capabilities
- Protect: developing and implementing appropriate security controls to ensure the delivery and protection of critical services and assets
- Detect: developing and implementing appropriate measures to detect and identify the occurrence of a cybersecurity incident
- Respond: developing and implementing appropriate measures to take action addressing a detected cybersecurity event
- Recover: developing and implementing appropriate measures to manage and maintain security plans for resilience and for the restoration of affected assets
NIST 800-53: NIST 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” is a comprehensive cybersecurity control framework used to manage security programs. It defines hundreds of individual security controls, grouped into the following 18 control families:
- Access control (AC)
- Awareness and training (AT)
- Audit and accountability (AU)
- Security assessment and authorization (CA)
- Configuration management (CM)
- Contingency planning (CP)
- Identification and authentication (IA)
- Incident response (IR)
- Maintenance (MA)
- Media protection (MP)
- Physical and environmental protection (PE)
- Planning (PL)
- Personnel security (PS)
- Risk assessment (RA)
- System and services acquisition (SA)
- System and communications protection (SC)
- System and information integrity (SI)
- Program management (PM)
ISO/IEC 27001: ISO/IEC 27001, “Information technology – Security techniques – Information security management systems (ISMS) – Requirements,” is an international standard for information security and risk management. The fourteen control categories of the standard are as follows:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
ISO/IEC 27002: ISO/IEC 27002, “Security Techniques — Code of practice for information security controls,” builds on top of the ISO/IEC 27001 standard by providing further guidelines for organizations to select, implement and manage their security controls based on their risk appetite. It also provides best practices and recommendations for organizations to build, develop and maintain their own ISMS.
CIS Critical Security Controls: The CIS Controls, established by the SANS Institute, are a publication of twenty best practices and guidelines for the information security domain of an organization:
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises
Organizations can use these cybersecurity frameworks as a reference to develop their own framework, instead of building one from scratch.