Popular Cybersecurity Frameworks

The purpose of this article is to provide security professionals with a foundational understanding of management practices needed for effective cybersecurity. To that end, this article makes extensive use of standards and best practices documents that have broad support and are used to guide — and in many cases require — approaches to cybersecurity implementation. These documents focus, mainly and in checklist fashion, on what needs to be done, but they do not provide tutorial material on the “how.”
This article begins with challenges that necessitated cybersecurity frameworks. The section that follows discusses the popular cybersecurity frameworks and their importance.
What Necessitates a Cybersecurity Framework
1. Scale and complexity of cyberspace
Digitalization increasingly impacts all aspects of our lives and business. The rapid adoption of mobile devices, data centers, cloud computing services, and IoT deployments, as well as the increasing dependency on machine learning and artificial intelligence tools, all add to the scale and complexity of cyberspace.
2. Nature of the threat
The complexity of cyberspace means that businesses, governments, and people are fighting many different threats, from ransomware to fake news and social engineering, across all of their infrastructure and devices. With such heightened risks, decision-makers acknowledge that cybersecurity is a national security priority.
3. User needs versus security implementation
Most users do not really give thought to what happens when they key in their usernames and passwords while making online transactions. Users trust the website and believe that the application they are using is doing the right thing. But there is an inherent conflict between greater ease of use and a greater range of options on the one hand and robust security on the other. Security professionals should be fully aware that while they need to give the utmost precedence to system security, they cannot overlook user experience.
4. Cyber Risk Quantification
Cyber risk quantification prioritizes risks according to their potential for financial loss, allowing the responsible people in an organization to make better-informed decisions on cybersecurity investments.
Because of these challenges, there is an ongoing effort to develop best practices, documents, and standards that provide guidance to security professionals charged with making resource allocation decisions as well as those charged with implementing effective cybersecurity. The good news is that a great deal of thought, experimentation, and implementation experience have already gone into the development of policies, procedures, and overall guidance for cybersecurity system management teams. Several organizations, based on wide professional input, have developed best practice types of documents as well as standards for implementing and evaluating cybersecurity.
ISO
The ISO 27000 suite of information security standards is probably the most important set of standards for cybersecurity. The ISO, which was founded in 1946, has issued more than 12,000 standards in a broad range of areas. Its purpose is to promote the development of standardization and related activities in order to facilitate the international exchange of goods and services and to develop cooperation in the spheres of intellectual, scientific, technological, and economic activity. It has issued standards covering everything from screw threads to solar energy. One important area of ISO standardization deals with the Open Systems Interconnection (OSI) communications architecture and the standards at each layer of that architecture.
In the area of information security, ISO and IEC have together developed a growing family of standards, the ISO/IEC 27000 series, that deal with information security management systems (ISMSs). The most relevant members of the series are:
- 27001: ISMS Requirements: Provides a mandatory set of steps — such as defining a target environment, assessing risks, and selecting appropriate controls — for creating an ISMS, against which an organization can certify its security arrangements.
- 27002: Code of Practice for Information Security Controls: Provides a framework of security controls that can be used to help select the controls required in an ISMS.
- 27005: Information Security Risk Management System Implementation Guidance: Provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk reporting, risk monitoring, and risk review. Examples of risk assessment methodologies are included as well.
- 27014: Governance of Information Security: Provides guidance on principles and processes for the governance of information security, by which organizations can evaluate, direct, and monitor the management of information security.
- 27036: Information Security for Supplier Relationships: Outlines information security for external parties for both the acquirers and suppliers. It supports organizations in implementing information security controls related to supplier relationships.
NIST
In its own words, NIST states in Section 2.0 of the Cybersecurity Framework (CSF):
The Framework provides a common language for understanding, managing, and expressing cybersecurity risk both to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations, or it can be focused on the delivery of critical services within an organization.
In short, the CSF is a voluntary framework that provides guidance to help organizations manage their cybersecurity risks. This guidance is based on existing best-practice standards and guidelines and provides a way of aligning other frameworks and control sets with each organization’s unique cybersecurity needs.
To understand how to secure your information, you first need to know what ‘security’ really entails. From a crude perspective, you might say that you simply want to stop criminals from accessing your information. This is a laudable goal, but only a fraction of what security is about.
While the CSF, and Version 1.1 in particular, is applicable to any organization in any part of the world, its primary audience is organizations heavily involved in critical infrastructure. Organizations intending to enter the critical infrastructure supply chain may also want to take note of this framework.
The Framework specifies in its executive summary that it is “a living document and will continue to be updated and improved as industry provides feedback on implementation”. As past experiences are taken note of, and the lessons learned from them are integrated into newer versions, the CSF will be continually improved and kept up to date with ever-evolving “threats, risks, and solutions”.
COBIT 5
Linking business goals with IT infrastructure is the main aspect of COBIT’s business orientation. This is done by providing maturity models and defining metrics with which a company can measure how well it has achieved the framework’s goals. ISACA decided that its next generation of guidance, covered by COBIT 5, should address the governance and management of enterprise IT (GEIT) and should:
- Integrate into COBIT 5 all ISACA’s frameworks and guidance
- Take on board other major frameworks and standards
- Take into account the pervasive nature of IT in businesses today and the growing dependency of businesses on other businesses and on IT organizations, including outsourcing and reliance on suppliers, other service providers, and consultants
- Put in place an information model to deal with the significant increase in information and the need, not only to manage information but also to select appropriate information to make effective business decisions.
- Recognize that increased guidance is required to cover innovation that is increasingly based on emerging technologies and is vital for businesses to remain efficient and effective as well as extend their customer base.
- Cover not just IT processes but also ensure end-to-end business and IT functional responsibilities are addressed by the provision of governance and management of enterprise IT using organizational structures, policies, and culture.
- Ensure that the delivery of enterprise IT is fully engaged with the business so that core business expectations are achieved (value creation, business user satisfaction, and regulatory and contractual compliance), and recognize that controls are needed to effectively handle the growth in user-initiated and user-controlled IT.
CIS Controls
Developed by the Center for Internet Security (CIS), the CIS Critical Security Controls are a prescriptive, prioritized set of cybersecurity best practices and defensive actions that can help prevent the most pervasive and dangerous attacks and support compliance in a multi-framework era.
The CIS Controls are divided into three families: basic, foundational, and organizational. For ease of implementation, each control is further subdivided into sub-controls.
SOC 2
SOC 2 is an auditing procedure for ensuring that service providers have proper data and privacy protections in place for sensitive data. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.
SOC 2 reports are unique to each organization. In line with its specific business practices, each organization designs its own controls to comply with one or more of the trust principles. These reports provide you (along with regulators, business partners, suppliers, etc.) with important information about how your service provider manages data.
There are two types of SOC reports:
- Type I describes a vendor’s systems and whether their design is suitable to meet relevant trust principles.
- Type II details the operational effectiveness of those systems.
Payment Card Industry (PCI) Data Security Standard (DSS)
The PCI DSS is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations of all sizes must comply with PCI DSS if they accept payment cards from the five major credit card brands: Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
Conclusion
This article reviews some documents available to cybersecurity planners and implementers. Although there is considerable overlap in these documents, recognizing the differences can make the use of these documents more effective.
Article by Wamaitha Mwangi. Wamaitha is a Cybersecurity Researcher whose research area is Governance, Risk, and Compliance. She is a member of SheHacks_KE and a volunteer with CyDc, an organization that mentors high school students in cybersecurity. Follow her: Facebook: Wamaitha Mwangi; Twitter: @wamaitha_g; LinkedIn: Wamaitha Mwangi.