Cybersecurity frameworks are a bit mind-boggling at first glance. You know your business would be better off if you chose one and stuck to it. So you do a little search engine sleuthing and come away more confused than a kid who skipped from pre-algebra to advanced calculus. There are over 250 frameworks worldwide. Some are industry-specific; others are more general and may be applied across a variety of industries. One framework might fit your business perfectly, or you might require elements of several. And should you get accredited under a particular framework? Is it worth it? Is it required? How do you decide?
What is a Framework?
A physical framework is the essential supporting structure of a building, vehicle, or object. The building you’re sitting in depends on its framework to stay upright. Strip out the seats, the dashboard, the electronics, and the engine, and you’re left with your car’s essential structure, its framework.
In the world of ideas, a framework is the basic structure that underlies a system or concept. Democracy is a framework for running a government. The concept of “democracy” doesn’t get into every nitty-gritty detail of the law or day-to-day life; it simply presents a guiding principle around which to build a civilized society.
Plenty of industries use frameworks too. Teachers use curriculum frameworks to create clear standards for what students in certain grade levels should be learning and how they should be tested to see if those standards have been met. Accounting frameworks provide guidelines for how financial statements must be structured so that auditors can review them efficiently and effectively.
Similarly, cybersecurity frameworks are documented policies, procedures, and processes that define how information is managed by a business. These guidelines tell you how to handle both expected parts of your business (credit card transactions, for instance) and unexpected parts (data breaches). The guidelines are rigorous and well defined to provide consistency across all systems, devices, employees, and end users.
Let’s review the four most commonly employed cybersecurity frameworks in use today.
NIST CSF and NIST 800-53
Full name: National Institute of Standards and Technology Cybersecurity Framework
Early in 2013, President Obama signed Executive Order 13636 with the goal of developing a cybersecurity framework to protect the United States’ critical infrastructure. The National Institute of Standards and Technology was selected to work with stakeholders from industry, academia, and government to establish the framework. It was initially released in 2014 with an update in 2018.
NIST CSF is a high-level, 40-page document written in plain language. The goal of NIST CSF is to provide a basic framework that anyone within an organization can read and comprehend (not just the serious infosec employees). NIST CSF was created to be broad and to make it easier for organizations across different industries to share information about their security experiences. The NIST CSF may be a good fit for smaller companies that need a basic best-practice framework to align with.
The essential processes of the NIST CSF are: Identify, Protect, Detect, Respond, and Recover.
Full name: NIST Special Publication 800-53
Not to be confused with the NIST CSF, Special Publication 800-53 is a massive regulatory document that guides government organizations in complying with FIPS 200. This more robust set of standards is mandatory for all U.S. agencies and their partners.
CIS Security Controls
Full name: The Center for Internet Security Critical Security Controls for Effective Cyber Defense
This framework was initially developed in 2008 in response to a series of data losses in the U.S. defense industry. Initial contributors to the project included forensic experts, penetration testers, and U.S. government agencies.
The CIS Controls are twenty key actions that should be implemented to block or mitigate cyber attacks. This is a small, prioritized list of actionable controls to implement for immediate results. CIS Controls are good for anyone looking for a baseline program or starting point. They are modified and/or validated annually.
ISO 27001/27002
Full name: International Organization for Standardization 27001/27002
The ISO and the International Electrotechnical Commission (IEC) jointly publish ISO 27001 and ISO 27002. ISO 27001 is a cybersecurity framework that lays out the formal specifications for an information security management system (ISMS). ISO 27002 details the best practices for creating a comprehensive IT security program.
The standard was last published in 2013, with a few updates since that time. The framework consists of a six-step planning process that engages multiple departments within an organization. These frameworks are applicable to all types of organizations, regardless of size or industry. ISO 27001/27002 is the de facto framework outside the United States. It is less complex and easier to implement than NIST 800-53 and, as such, is used by many organizations that don’t have to comply with U.S. federal regulations.
Organizations that employ the standard may undergo an audit to become certified by the accrediting body. To be certified, an organization must prove that it is using the PDCA Cycle (Plan, Do, Check, and Act).
PCI DSS
Full name: Payment Card Industry Data Security Standard
The PCI Security Standards Council was formed in 2006 by the world’s top five credit card companies. The council created and maintains the PCI DSS framework. PCI DSS compliance is mandatory for all organizations that store, process, or transmit cardholder data. Its overall goal is to reduce credit card fraud. There are four levels of compliance, based on the number of transactions a business handles in a year.
So Which One Do I Use?
You just read 900 words on cybersecurity frameworks. Do you know which one you should use? If you’re a government agency or contractor, the answer is easy: go straight to NIST 800-53. If you handle credit card data, you know you have to adopt the PCI DSS at a minimum. But what about every other business? It’s not a straightforward decision, and factors like state regulations and industry compliance standards will also inform your choice.
If you need assistance in evaluating your security position, please reach out to Asylas at info@asylas.com or 615-622-4591. We are a full-service, people-oriented information security firm. We can help you choose a framework and comply with it.