The main reason for studying cybersecurity frameworks is to borrow their structure and methodology and adapt them to protect the digital assets that matter most to you. In the modern digital economy we depend on interconnected systems for almost everything: reading news, receiving email, browsing the web, entertainment, live video communication, online shopping and banking. Cybersecurity is one of the areas that must continually keep up with change; when a vulnerability or exploit is discovered, the affected systems have to be patched or upgraded so that they remain safe for their users. A cybersecurity framework is therefore a system of standards, guidelines and best practices which, properly carried out, helps an enterprise reduce cybersecurity risk from unauthorized system access, loss of control and compromise. In many cases (depending on the industry and the regulations enforced in the respective country), an enterprise is required to demonstrate compliance by passing an assessment against the relevant standard. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes or transmits cardholder data, including banks, merchants and payment processors.
In general terms, cybersecurity frameworks can be divided by type.

Control frameworks focus on controls: they help develop a basic strategy for the security team, provide a baseline set of controls and a checklist, are used to assess the current technical state of cyber exposure, and help prioritise and mobilise resources to implement controls and follow up on remediation.

Program frameworks are the second type. They are typically used to assess the state of a security program, serve as a checklist for building a comprehensive program, provide measures of program maturity, allow benchmarking against industry peers or competitors, and help the security team communicate to business leaders how effective the program is, what is planned and what needs to be done.

Risk frameworks are the third type. They are widely used by the governance, risk management and compliance (GRC) function to define the key process steps for assessing and managing risk, to develop and structure risk management programs, to identify, measure and quantify risk, and to prioritise security activities.

Beyond this quick division by type, a few frameworks dominate the market, and those are what the rest of this post is about.
NIST

NIST is short for the National Institute of Standards and Technology (USA), the publisher of the NIST Cybersecurity Framework (CSF). This framework is widely considered one of the best starting points for building a cybersecurity program. It addresses the lack of common standards by providing a set of rules, guidelines and standards that organizations in any industry can use. NIST CSF can be used whether you are just starting to build a cybersecurity program or already running one. It is a top-level security management tool for assessing and managing cybersecurity risk in your organization. The framework core (version 1.1) has five main functions:

Identify – What needs protection? Understand the assets, systems, data and the risks to them.
Protect – Implement safeguards to protect those assets.
Detect – Identify cybersecurity events and incidents in a timely manner.
Respond – Take action on a detected incident to contain and mitigate its impact.
Recover – Restore the services and capabilities that were affected by the incident.

CIS Critical Security Controls

CIS is the Center for Internet Security, a non-profit organization founded in the USA and now global in scope. At the time of writing the CIS Controls are at version 8. This framework provides prioritised defensive actions and best practices that help prevent the most common and dangerous attacks, and gives organizations a clear path to follow in order to achieve their security objectives.

The CIS Controls: the list below is the 20-control structure of CIS Controls version 7.1, divided into three categories (Basic, Foundational and Organizational). Note that version 8 consolidates these into 18 controls and groups their safeguards by Implementation Group (IG1 to IG3) rather than by these categories, but the underlying safeguards are largely the same.

Basic – General-purpose controls that every organization should implement.
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privileges
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Foundational – Technical best practices that address more specific threats.
Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 12: Boundary Defense
Control 13: Data Protection
Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control

Organizational – Focused on the people and process (non-technical) aspects.
Control 17: Implement a Security Awareness and Training Program
Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Penetration Tests and Red Team Exercises

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements first published in 2004 by the five major card brands: Visa, MasterCard, Discover Financial Services, JCB International and American Express (who later formed the PCI Security Standards Council to maintain it). PCI DSS exists to secure credit and debit card transactions and the cardholder data behind them. Every organization that stores, processes or transmits cardholder data, including merchants, service providers and payment processors, is required to comply with it regardless of transaction volume; the volume only determines how compliance is validated (self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor).

PCI DSS requirements
There are 12 requirements, grouped under six control objectives, covering how cardholder data is stored, transmitted and protected (please refer to the diagram above).

ISO/IEC 27001

ISO is the International Organization for Standardization and IEC is the International Electrotechnical Commission; together they publish ISO/IEC 27001, the international standard for an information security management system (ISMS). ISO/IEC 27001 is designed to protect information of any kind, not only digital information, and applies to organizations of any size. It specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS, and it is the standard an organization is certified against.

PDCA Cycle
The Plan-Do-Check-Act (PDCA) cycle is the continual-improvement model underlying an ISO/IEC 27001 ISMS and the path organizations follow towards certification. It is a business management methodology with four steps:
Step 1: PLAN – establish the ISMS: scope, policy, risk assessment and risk treatment plan.
Step 2: DO – implement and operate the selected controls and procedures.
Step 3: CHECK – monitor, measure, audit and review the ISMS against its policy and objectives.
Step 4: ACT – take corrective and preventive actions to improve the ISMS.
These four steps are repeated continuously (refer to the diagram in the earlier section).

Summary

In this post we have talked about the 4 most common cybersecurity frameworks.
These frameworks are: NIST, CIS Critical Security Controls, PCI DSS, and ISO/IEC 27001. Each of them was explained in detail. Feel free to contact E-SPIN for advice, consulting, coaching and implementation of cybersecurity frameworks, as well as for systematic governance, risk management and compliance (GRC) and enterprise threat and vulnerability management solutions that cater for current and future requirements.