Which of the following frameworks identifies controls based on the latest information about common cyber attacks and provides benchmarks for various platforms?

The point of studying cybersecurity frameworks is to borrow their structure and methodology and adapt them to protect the digital assets that matter most to you. In today's digital economy we depend on interconnected systems for almost everything: reading news, email, browsing, entertainment, live video communication, online shopping and banking. Cybersecurity has to keep pace with that dependence; when a vulnerability or exploit is discovered, the affected systems must be patched or upgraded so they remain safe for their users. A cybersecurity framework is a set of standards, guidelines and best practices which, when properly implemented, helps an enterprise reduce its cybersecurity risk from unauthorised access, loss of control and compromise. In many cases (depending on the industry and the regulations in force in the respective country) an enterprise is required to demonstrate compliance with a particular standard; the Payment Card Industry Data Security Standard (PCI DSS), for example, applies to any organisation that stores, processes or transmits payment card data, not only to banks and payment processors.

Broadly, cybersecurity frameworks can be divided into three types. Control frameworks focus on controls: they give the security team a basic strategy, a baseline set of controls and a checklist, are used to assess the current technical state of cyber exposure, and help prioritise and mobilise resources to implement controls and follow up on remediation. Program frameworks are used to assess the state of the security program as a whole: as a checklist for building a comprehensive program, as a set of measures for program maturity, for benchmarking against industry peers or competitors, and for communicating to business leaders how effective the security program is, what is planned and what remains to be done. Risk frameworks, the third type, are widely used by the governance, risk management and compliance (GRC) function to define the key process steps for assessing and managing risk, to structure a risk management program, to identify, measure and quantify risk, and to prioritise security activities. Beyond this quick classification, a few frameworks dominate the market, and those are what this post is about:

  • NIST
  • CIS Critical Security Controls
  • PCI DSS
  • ISO/IEC 27001

NIST

NIST is the National Institute of Standards and Technology (USA), the publisher of the NIST Cybersecurity Framework (CSF). It is widely regarded as a strong foundation for building a cybersecurity program: it provides a common structure, vocabulary and set of outcomes that organisations in any industry can adopt, and it can be used whether you are building a program from scratch or assessing one you already run. It is a top-level management tool for assessing and communicating cybersecurity risk in your organisation rather than a prescriptive list of technical controls; for the technical detail it maps, through its informative references, to other standards such as the CIS Controls, ISO/IEC 27001 and NIST SP 800-53.

The CSF core (version 1.1) is organised into five Functions, each broken down into categories and subcategories of outcomes. (CSF 2.0, published in 2024, adds a sixth Function, Govern, covering strategy, policy, roles and supply chain risk management.) The five Functions are:

Identify – Understand the organisation, its assets and the risks to them: what needs protection?

Protect – Implement safeguards to ensure delivery of critical services.

Detect – Identify the occurrence of a cybersecurity event in a timely way.

Respond – Take action on a detected incident to contain its impact.

Recover – Restore the capabilities or services that were impaired by the incident.

CIS Critical Security Controls

The CIS Controls were developed by the Center for Internet Security, a non-profit that originated in the USA and is now global. At the time of writing the current version is v8. The framework provides prioritised defensive actions, derived from observed attack patterns, that help prevent the most common and damaging attacks, and it gives organisations a clear path to follow to reach their security objectives. Of the four frameworks in this post, CIS is the one that matches the question in the title: its Controls are prioritised on the basis of current attack data, and CIS also publishes the CIS Benchmarks, consensus hardening guides for specific operating systems, cloud platforms, databases and applications.

The CIS Controls:

The list below is the v7.1 layout of 20 cyberdefence controls in three categories (Basic, Foundational, Organizational). v8 consolidates them into 18 controls and replaces the three categories with Implementation Groups (IG1 to IG3), which tier the safeguards by an organisation's size and risk profile, IG1 being the essential cyber hygiene every organisation should have. The v7.1 controls:

Basic – Used for general purposes and should be implemented by every organization.

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 3: Continuous Vulnerability Management

Control 4: Controlled Use of Administrative Privileges

Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Foundational – More specific technical controls that build on the Basic set.

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 10: Data Recovery Capabilities

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 12: Boundary Defense

Control 13: Data Protection

Control 14: Controlled Access Based on the Need to Know

Control 15: Wireless Access Control

Control 16: Account Monitoring and Control

Organizational – Focused on people and process rather than technology.

Control 17: Implement a Security Awareness and Training Program

Control 18: Application Software Security

Control 19: Incident Response and Management

Control 20: Penetration Tests and Red Team Exercises
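Control 5 (secure configuration) is where the CIS Benchmarks do their work: each Benchmark is a list of recommendations with an expected setting and an audit step, and in practice those audits are automated. The block below is an added example of such an automated check for an OpenSSH server configuration; it is not code from the original post, from CIS or from E-SPIN. The check references (`5.2.a` and so on), titles and expected values are assumptions modelled on typical CIS Linux Benchmark items for sshd and vary between Benchmark versions, so look up the exact recommendation in the Benchmark you adopt. The sample `sshd_config` is constructed for the example. The parser follows two sshd behaviours that naive audits get wrong: the first occurrence of a keyword wins, and settings after a `Match` block are conditional, not global; absent keywords are judged on sshd's documented default rather than reported as missing.

```python
"""Minimal CIS-Benchmark-style configuration check for OpenSSH's sshd_config.

Added example, not from the original post, from CIS or from E-SPIN. The check
references, titles and expected values are assumptions modelled on typical CIS
Linux Benchmark recommendations for sshd; they differ between Benchmark versions.
"""
from __future__ import annotations

import re
from typing import Callable, NamedTuple

# Defaults sshd applies when a keyword is absent (OpenSSH 7.x and later), so an
# unset keyword is judged on its effective value rather than flagged as missing.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "loglevel": "INFO",
    "hostbasedauthentication": "no",
}


class Check(NamedTuple):
    ref: str                    # hypothetical Benchmark item reference
    title: str
    keyword: str                # sshd keyword, lowercased
    expected: str               # human-readable expectation for the report
    ok: Callable[[str], bool]   # predicate on the effective value


CHECKS = [
    Check("5.2.a", "Ensure SSH root login is disabled", "permitrootlogin", "no",
          lambda v: v.lower() == "no"),
    Check("5.2.b", "Ensure SSH MaxAuthTries is 4 or less", "maxauthtries", "<= 4",
          lambda v: v.isdigit() and int(v) <= 4),
    Check("5.2.c", "Ensure SSH PermitEmptyPasswords is disabled", "permitemptypasswords", "no",
          lambda v: v.lower() == "no"),
    Check("5.2.d", "Ensure SSH X11 forwarding is disabled", "x11forwarding", "no",
          lambda v: v.lower() == "no"),
    Check("5.2.e", "Ensure SSH LogLevel is INFO or VERBOSE", "loglevel", "INFO|VERBOSE",
          lambda v: v.upper() in ("INFO", "VERBOSE")),
    Check("5.2.f", "Ensure SSH HostbasedAuthentication is disabled", "hostbasedauthentication", "no",
          lambda v: v.lower() == "no"),
]


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global settings as keyword (lowercased) -> value.

    sshd takes the FIRST occurrence of a keyword, so later duplicates are ignored,
    and everything after the first Match block only applies when the Match
    criteria hold, so global parsing stops there. Keywords are case-insensitive
    and both 'Keyword value' and 'Keyword=value' forms are accepted by sshd.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue                          # keyword with no value: not a setting
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                             # conditional section: stop global parse
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def evaluate(text: str) -> list[dict]:
    """Run every check against a config and report the effective value and its source."""
    settings = parse_sshd_config(text)
    results = []
    for c in CHECKS:
        actual = settings.get(c.keyword, SSHD_DEFAULTS.get(c.keyword, ""))
        results.append({
            "ref": c.ref, "title": c.title, "keyword": c.keyword,
            "expected": c.expected, "actual": actual, "passed": c.ok(actual),
            "source": "config" if c.keyword in settings else "default",
        })
    return results


def score(results: list[dict]) -> tuple[int, int]:
    """(passed, total) for a results list."""
    return sum(1 for r in results if r["passed"]), len(results)


# Constructed sample sshd_config for the example; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# sample sshd_config (constructed for this example)
Port 22
LogLevel VERBOSE
PermitRootLogin yes        # first occurrence wins: this is the effective value
MaxAuthTries = 3
PermitRootLogin no         # ignored by sshd; a common reason audits pass wrongly
X11Forwarding yes
Match User backup
    X11Forwarding no       # conditional; does not change the global setting
"""

if __name__ == "__main__":
    results = evaluate(SAMPLE_SSHD_CONFIG)
    for r in results:
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['ref']} {r['title']}: {r['keyword']}={r['actual']!r} "
              f"({r['source']}), expected {r['expected']}")
    passed, total = score(results)
    print(f"{passed}/{total} checks passed")
```

Run against the constructed sample it reports 4 of 6 passing: root login and X11 forwarding fail on their first, global values even though a later duplicate and a `Match` block appear to turn them off, while the two keywords the file never sets pass on sshd's defaults. Point `evaluate()` at the contents of `/etc/ssh/sshd_config` (or better, at the output of `sshd -T`, which prints the fully resolved effective configuration) to audit a real host.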

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements originally formed by Visa, MasterCard, Discover Financial Services, JCB International and American Express in 2004, and now maintained by the PCI Security Standards Council. It exists to secure credit and debit card transactions and the cardholder data behind them. Every entity that stores, processes or transmits cardholder data must comply with it; unlike the other three frameworks in this post, compliance is contractually required by the card brands rather than voluntary.

PCI DSS requirements

There are 12 requirements for protecting cardholder data (please refer to the diagram above). They are grouped under six goals: build and maintain a secure network and systems; protect account data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.

ISO/IEC 27001

ISO stands for the International Organization for Standardization and IEC for the International Electrotechnical Commission; ISO/IEC 27001 is their joint standard for an information security management system (ISMS). It is designed to protect information of any kind, in organisations of any size, and it specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Unlike the CIS Controls, the standard itself is a management-system specification against which an organisation can be certified; the individual controls are listed in its Annex A and described in ISO/IEC 27002.

PDCA Cycle

The PDCA cycle (Plan, Do, Check, Act) is the continual-improvement model behind ISO/IEC 27001 certification. The 2005 edition of the standard was built explicitly around it; the 2013 and 2022 editions no longer mandate PDCA, but their requirements still follow the same loop (plan the ISMS, implement it, monitor and audit it, correct and improve), and certification auditors expect to see that loop operating. Its four steps are:

Step 1: PLAN – Establish the ISMS: define its scope and policy, assess risks, decide how to treat them and select controls.

Step 2: DO – Implement and operate the selected controls and processes.

Step 3: CHECK – Monitor, measure, internally audit and review the ISMS against the plan.

Step 4: ACT – Take corrective action and improve the ISMS based on what the review found.

These four steps are repeated continuously rather than performed once (refer to the diagram in the earlier section).

Summary

In this post we have covered the four most common cybersecurity frameworks, NIST CSF, CIS Critical Security Controls, PCI DSS and ISO/IEC 27001, each in brief. Feel free to contact E-SPIN for advice, consulting, coaching and help implementing cybersecurity frameworks, as well as for systematic governance, risk management and compliance (GRC) and enterprise threat and vulnerability management solutions that cater for current and future requirements.
