Cyber Security Frameworks Overview

Cyber Security Frameworks, what they cover, where they are used and why.


Within the world of Information Technology Security, there are a host of frameworks employed around the world. These frameworks are essentially a system of standards, guidelines and best practices that allow technical and security teams to keep your data, clients' data and employee data safe and secure. If the information, or the systems that host that data, are compromised in any way, these frameworks at least allow organisations to formulate a plan: how to minimise or mitigate potential risks (pre-attack), how to regain control of the systems and data (peri-attack, or mid-attack) and how to deal with the cleanup process (post-attack).

Frameworks are especially important for individuals and companies at any level, private or public, and they ensure that everyone is playing by a common set of rules and guidelines. These guidelines allow individuals and organisations alike to determine the risk tolerance and the security controls required to reduce or mitigate the risks in defined risk areas.

Whilst most of these frameworks are very detailed, depending on your role or direction within cyber security, having at least an understanding of which common frameworks are employed, where they are applicable (country/industry) and why they are applied should be sufficient. There are training courses for most frameworks, if this is required.

The common strategies to each framework are usually designed around the following points:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Frameworks can generally be split into three different types, for example:

Control Frameworks: Used to develop a strategy for security teams, providing a baseline set of security controls, assessing the current technical state and prioritising control implementation.

Program Frameworks: Used to assess the state of the security program(s), build a comprehensive and robust security program, measure program security against competitors and simplify communication between security teams and business leaders.

Risk Frameworks: Used to define the key process steps to assess and manage business risk, structure the risk management program, identify, measure and quantify that risk and, finally, prioritise security-based activities.

Some of the most common frameworks around, at the point of writing this post, are as follows:

  • NIST – National Institute of Standards and Technology. Purpose: comprehensive and personalised identification of security weaknesses.
  • CIS Security Controls – Center for Internet Security. Purpose: general protection against cyber threats.
  • ISO/IEC 27001/27002 – International Organisation for Standardisation. Purpose: international standard for validating a cybersecurity program, internally and across third parties.
  • ISACA – COBIT – Control Objectives for Information Technology (from the Information Systems Audit and Control Association). Purpose: ensures the quality, control and reliability of information systems in an organisation.
  • PCI DSS – Payment Card Industry Data Security Standard. Purpose: focuses on keeping users' card data secure.
  • SOC 2 – Service Organization Controls. Purpose: enhances an organisation's security by focusing on the following principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.
  • GDPR – General Data Protection Regulation. Purpose: compels enterprises to respect the data and privacy of individuals in the European Union while doing transactions within European Union member states.

The above list is for reference only as there are a large number of frameworks in use globally. If you want to know more about additional frameworks, click here

Regardless of the area you focus on, and it doesn't necessarily need to be cyber security, there will be an industry framework out there, and it's always useful information to have and at least understand.

Hit the links for the frameworks above and read through the vendor information and FAQs.
