The main reason for studying cybersecurity frameworks is to borrow their structure and methodology and adapt them to protect the digital assets that matter most to you. In the modern digital economy we depend on interconnected digital systems for most of what we do: reading news, receiving email, browsing the web, entertainment, live video communication, online shopping and banking. Cybersecurity is one of the critical building blocks of this area and must keep pace with change; for example, when a vulnerability and exploit are discovered, the affected system has to be patched or upgraded so that it remains secure for its users. A cybersecurity framework is therefore a system of standards, guidelines and best practices that, when properly carried out, helps enterprises reduce cybersecurity risk from unauthorized system access, loss of control and hacking. In most cases (depending on the industry and the regulations enforced in the respective country), an enterprise is required to demonstrate compliance by passing the respective standard; for example, the Payment Card Industry Data Security Standard (PCI DSS) framework is one such standard in the banking sector for those who host payment processors.
Generally speaking, we can divide cybersecurity frameworks by type. Control frameworks focus on controls: they help develop a basic strategy for the security team, provide a baseline set of controls and checklists, are used to assess the current technical state of cyber exposure, and are used to prioritise and mobilise resources to implement controls and follow up on remediation. Program frameworks are another type; they are typically used to assess the state of a security program, serve as a checklist for building a comprehensive security program, provide various measures of program security or benchmarks of relative performance against industry peers or competitors, and are used to communicate between the security team and business leaders about how effective the security program is, what is planned and what to do next. Risk frameworks are the third type, widely used by the governance, risk management and compliance (GRC) management function to define the key process steps for assessing and managing risk, to develop and structure risk management programs, to identify, measure and quantify risk, and to prioritise security activities. Beyond this quick way of dividing frameworks into types, there are a few frameworks that dominate the market, and those few are what this post is about:
- NIST
- CIS Critical Security Controls
- PCI DSS
- ISO/IEC 27001
NIST
NIST is short for National Institute of Standards and Technology (in the USA), which is the provider of this framework. This framework is considered the best for building cybersecurity programs. It addresses the lack of standards by providing a set of rules, guidelines and standards to be used by organizations across industries. NIST can be used whether you are at the stage of building a cybersecurity program or already running one. It is a top-level security management tool that assesses cybersecurity risk in your organization.
NIST has five main functions. These functions are as below:
Identify – What needs protection?
Protect – Implement safeguards to protect assets.
Detect – Identify cybersecurity incidents.
Respond – Develop techniques to defend against the incident.
Recover – Restore the service capabilities that were affected by the incident.
CIS Critical Security Controls
CIS was developed by the Center for Internet Security, which originated in the USA and is now a global not-for-profit organization. At the time of writing this post, the CIS Controls are at v8. This framework provides defensive actions and best practices that can help in preventing dangerous attacks. CIS gives organizations a clear path to follow in order to achieve their security objectives.
The CIS Controls:
The CIS Controls consist of 20 cyberdefence recommendations divided into three main categories. The controls are listed below:
Basic – Used for general purposes and should be implemented by every organization.
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privileges
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Foundation – Used to detect more specific threats.
Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 12: Boundary Defense
Control 13: Data Protection
Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control
Organization – Focused on the non-technical aspects.
Control 17: Implement a Security Awareness and Training Program
Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Penetration Tests and Red Team Exercises
PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards formed by Visa, MasterCard, Discover Financial Services, JCB International and American Express in 2004. PCI DSS is used to secure credit and debit card transactions. Every business that processes such transactions should use this framework to ensure the safety of the transaction.
PCI DSS requirements
There are 12 requirements to maintain cardholder data and ensure its security (please refer to the diagram above).
ISO/IEC 27001
ISO is short for Information Security Management. ISO/IEC 27001 is designed for the security of any digital information and for any size of organization. It also defines the requirements that help keep an information security management system (ISMS) maintained and continually improved.
PDCA Cycle
The PDCA Cycle is used to obtain ISO/IEC 27001 certification. The PDCA Cycle is a business management methodology that follows four steps. These four steps are as follows:
Step 1: PLAN
Step 2: DO
Step 3: CHECK
Step 4: ACT
These four steps should be applied continuously (refer to the diagram in the earlier section).
Summary
In this post we have talked about the 4 most common cybersecurity frameworks: NIST, CIS Critical Security Controls, PCI DSS and ISO/IEC 27001. Each of them was explained in detail. Feel free to contact E-SPIN for advice, consulting, coaching and implementation of cybersecurity frameworks, as well as for systematic governance, risk management and compliance (GRC) and enterprise threat and vulnerability management system solutions that can cater for current and future requirements.