
Cybersecurity standards and frameworks provide structured approaches to managing digital risks. They help organizations align security practices with industry best practices and regulatory requirements, enhancing overall security posture and building stakeholder trust.

These frameworks offer guidelines and best practices for identifying, assessing, and mitigating cyber threats. Key components include security controls, methods, and maturity models. Implementation involves selecting an appropriate framework, conducting gap analysis, and developing a tailored plan.

Importance of cybersecurity standards

  • Cybersecurity standards provide a structured approach to managing and mitigating cyber risks, ensuring the confidentiality, integrity, and availability of information assets
  • Adopting cybersecurity standards helps organizations align their security practices with industry best practices and regulatory requirements, enhancing their overall security posture
  • Implementing cybersecurity standards demonstrates an organization's commitment to protecting sensitive data and builds trust among stakeholders, including customers, partners, and regulators

Overview of cybersecurity frameworks

  • Cybersecurity frameworks are comprehensive sets of guidelines, best practices, and standards designed to help organizations manage and reduce cyber risks
  • These frameworks provide a common language and a systematic approach to identifying, assessing, and mitigating cybersecurity threats and vulnerabilities
  • Cybersecurity frameworks are developed by various industry bodies, government agencies, and international organizations to address the evolving landscape of cyber threats and regulatory requirements

Cybersecurity framework components

  • Cybersecurity frameworks typically consist of several key components, including security controls, risk assessment methodologies, and maturity models
  • Security controls are specific safeguards or countermeasures implemented to protect information assets from various threats and vulnerabilities (such as encryption)
  • Risk assessment methodologies provide a structured approach to identifying, analyzing, and evaluating cyber risks, enabling organizations to prioritize their security investments and efforts
  • Maturity models help organizations assess their current cybersecurity posture and identify areas for improvement, providing a roadmap for continuous enhancement of their security capabilities

Cybersecurity framework implementation

  • Implementing a cybersecurity framework involves several steps, including selecting an appropriate framework, conducting a gap analysis, and developing an implementation plan
  • Organizations should carefully evaluate their specific needs, industry requirements, and regulatory obligations when choosing a cybersecurity framework that aligns with their goals and objectives
  • Conducting a gap analysis helps identify the differences between an organization's current security practices and the requirements of the chosen framework, highlighting areas that need improvement
  • Developing an implementation plan involves defining roles and responsibilities, allocating resources, setting timelines, and establishing metrics to measure progress and effectiveness

NIST cybersecurity framework

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a widely adopted framework that provides a risk-based approach to managing cybersecurity risks
  • The NIST CSF is designed to be flexible and adaptable, allowing organizations of all sizes and sectors to align their security practices with industry best practices and regulatory requirements
  • The framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover, which represent the key activities in an effective cybersecurity program

NIST CSF core functions

  • Identify: Develop an organizational understanding of cybersecurity risks to systems, people, assets, data, and capabilities
  • Protect: Implement appropriate safeguards to ensure the delivery of critical services and protect information assets from unauthorized access, use, disclosure, disruption, modification, or destruction
  • Detect: Implement appropriate activities to identify the occurrence of a cybersecurity event in a timely manner
  • Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident, containing the impact and mitigating the potential damage
  • Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident

NIST CSF implementation tiers

  • The NIST CSF defines four implementation tiers that describe an organization's level of sophistication in managing cybersecurity risks: Partial, Risk-Informed, Repeatable, and Adaptive
  • Partial (Tier 1): Cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and reactive manner
  • Risk-Informed (Tier 2): Risk management practices are approved by management but may not be established as organization-wide policy
  • Repeatable (Tier 3): The organization's risk management practices are formally approved and expressed as policy, with regular updates based on changes in business requirements and the threat landscape
  • Adaptive (Tier 4): The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities, continuously improving its security posture

NIST CSF profiles

  • Profiles are tailored versions of the framework that align with an organization's specific needs, goals, and risk appetite
  • Current profile: Represents an organization's current cybersecurity posture and the outcomes it is currently achieving
  • Target profile: Represents the outcomes needed to achieve the desired cybersecurity risk management goals, serving as a roadmap for improvement
  • Comparing the current and target profiles helps organizations identify gaps and prioritize actions to enhance their cybersecurity posture

ISO/IEC 27000 series

  • The ISO/IEC 27000 series is a family of international standards that provide best practices and guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)
  • The series covers various aspects of information security, including risk management, security controls, incident management, and business continuity
  • The two most widely adopted standards in the series are ISO/IEC 27001, which specifies the requirements for an ISMS, and ISO/IEC 27002, which provides a comprehensive set of security controls

ISO/IEC 27001 requirements

  • ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization's overall business risks
  • The standard follows a risk-based approach and requires organizations to identify, assess, and treat information security risks based on their specific context and needs
  • Key requirements of ISO/IEC 27001 include defining the scope of the ISMS, establishing an information security policy, conducting risk assessments, implementing security controls, and monitoring and reviewing the effectiveness of the ISMS

ISO/IEC 27002 controls

  • ISO/IEC 27002 provides a comprehensive set of security controls that organizations can implement to protect their information assets
  • The standard organizes controls into 14 domains, covering areas such as access control, cryptography, physical and environmental security, and supplier relationships
  • Examples of controls include user access management, secure development practices, incident management procedures, and business continuity planning
  • Organizations can select and implement controls based on their specific needs, risk assessment results, and legal and regulatory requirements

CIS critical security controls

  • The Center for Internet Security (CIS) Critical Security Controls (CSC) is a prioritized set of actions that collectively form a defense-in-depth approach to help organizations protect their systems and data from cyber attacks
  • The CIS CSC is designed to be practical, actionable, and effective in mitigating the most common and damaging cybersecurity threats
  • The controls are regularly updated based on real-world attack patterns and input from cybersecurity experts and industry practitioners

CIS control categories

  • The CIS CSC is organized into three categories: Basic, Foundational, and Organizational, reflecting the level of technical and organizational maturity required to implement each control
  • Basic controls (CSC 1-6) focus on essential cyber hygiene practices and are recommended for all organizations, regardless of size or sector (inventory and control of hardware and software assets, continuous vulnerability management, controlled use of administrative privileges)
  • Foundational controls (CSC 7-16) provide additional layers of defense and are recommended for organizations with moderate to high cybersecurity maturity (email and web browser protections, data recovery capabilities, network infrastructure management)
  • Organizational controls (CSC 17-20) focus on people and processes and are recommended for organizations with a high level of cybersecurity maturity (implement a security awareness and training program, application software security, incident response and management)

Implementing CIS controls

  • Implementing CIS controls involves a phased approach, starting with the Basic controls and progressively moving to the Foundational and Organizational controls based on an organization's maturity level and risk profile
  • Organizations should prioritize the implementation of controls based on their specific needs, risk assessment results, and available resources
  • Regularly monitoring and measuring the effectiveness of implemented controls is crucial to ensure continuous improvement and adapt to the evolving threat landscape
  • Automation and integration of controls into existing security tools and processes can help streamline the implementation process and reduce the burden on security teams

COBIT framework

  • COBIT (Control Objectives for Information and Related Technologies) is a comprehensive framework for governance and management of enterprise IT, developed by ISACA (Information Systems Audit and Control Association)
  • The framework provides a set of best practices, tools, and guidance to help organizations align their IT strategies with business objectives, manage IT-related risks, and optimize the value delivered by IT investments
  • COBIT is based on five key principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management

COBIT principles

  • Meeting stakeholder needs: COBIT helps organizations create value for their stakeholders by maintaining a balance between realizing benefits, optimizing risk levels, and using resources responsibly
  • Covering the enterprise end-to-end: COBIT integrates governance and management of enterprise IT into overall corporate governance, covering all functions and processes within the organization
  • Applying a single integrated framework: COBIT aligns with other relevant standards and frameworks, providing a comprehensive approach to governing and managing enterprise IT
  • Enabling a holistic approach: COBIT considers several interacting components (enablers) that collectively influence the achievement of enterprise goals
  • Separating governance from management: COBIT distinguishes between governance (ensuring that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-upon enterprise objectives) and management (planning, building, running, and monitoring activities in alignment with the direction set by the governance body)

COBIT enablers

  • COBIT defines seven categories of enablers that collectively influence the achievement of enterprise goals: principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
  • Principles, policies, and frameworks provide guidance and direction for the governance and management of enterprise IT
  • Processes describe an organized set of practices and activities to achieve specific objectives and produce a set of outputs in support of overall IT-related goals
  • Organizational structures define the key decision-making entities and their roles and responsibilities
  • Culture, ethics, and behavior of individuals and the organization are often underestimated as a success factor in governance and management activities
  • Information is pervasive throughout any organization and includes all information produced and used by the enterprise, both structured and unstructured
  • Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with IT processing and services
  • People, skills, and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

COBIT goals cascade

  • The COBIT goals cascade is a mechanism that translates stakeholder needs into specific, actionable, and customized enterprise goals, IT-related goals, and enabler goals
  • Stakeholder needs influence and drive the development of enterprise goals, which in turn guide the formulation of IT-related goals
  • IT-related goals are further cascaded into enabler goals, which define what needs to be done to achieve the IT-related goals and, ultimately, the enterprise goals
  • The goals cascade helps organizations align their IT strategies and investments with business objectives, ensuring that IT delivers value and supports the achievement of enterprise goals

PCI DSS standard

  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment
  • The standard was developed by the PCI Security Standards Council, which was founded by major credit card brands (Visa, Mastercard, American Express, Discover, and JCB) to enhance the security of cardholder data and reduce credit card fraud
  • PCI DSS applies to any organization that accepts, processes, stores, or transmits cardholder data, regardless of size or transaction volume

PCI DSS requirements

  • PCI DSS consists of 12 high-level requirements organized into six control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy
  • Examples of specific requirements include installing and maintaining a firewall configuration to protect cardholder data, encrypting transmission of cardholder data across open, public networks, and restricting physical access to cardholder data
  • Organizations must comply with all applicable requirements to be considered PCI DSS compliant and must undergo regular assessments to validate their compliance status

PCI DSS compliance levels

  • PCI DSS defines four levels of compliance based on the annual transaction volume of an organization: Level 1 (over 6 million transactions), Level 2 (1-6 million transactions), Level 3 (20,000 to 1 million e-commerce transactions), and Level 4 (fewer than 20,000 e-commerce transactions or up to 1 million total transactions)
  • Compliance validation requirements vary depending on the level, with Level 1 merchants subject to the most stringent validation requirements (annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV))
  • Lower-level merchants may be eligible for self-assessment questionnaires (SAQs) and less frequent on-site assessments, depending on their specific circumstances and the requirements of their acquiring banks

HIPAA security rule

  • The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity or its business associates
  • The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI
  • Covered entities include health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically, while business associates are entities that perform certain functions or activities on behalf of a covered entity involving the use or disclosure of ePHI

HIPAA administrative safeguards

  • Administrative safeguards are administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information
  • Examples of administrative safeguards include conducting risk assessments, implementing a security awareness and training program, and developing contingency plans for responding to emergencies or disasters that could damage systems containing ePHI
  • Covered entities and business associates must designate a security official responsible for developing and implementing the required security policies and procedures

HIPAA physical safeguards

  • Physical safeguards are physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion
  • Examples of physical safeguards include facility access controls, workstation security, and device and media controls (such as encryption and secure disposal of hardware and electronic media containing ePHI)
  • Covered entities and business associates must implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed while ensuring that properly authorized access is allowed

HIPAA technical safeguards

  • Technical safeguards are the technology and the policy and procedures for its use that protect ePHI and control access to it
  • Examples of technical safeguards include access control (unique user identification, emergency access procedures, automatic logoff), audit controls, integrity controls (mechanism to authenticate ePHI), and transmission security (encryption, integrity controls)
  • Covered entities and business associates must implement technical policies and procedures that allow only authorized persons to access ePHI and must have hardware, software, and/or procedural mechanisms in place to record and examine access and other activity in information systems that contain or use ePHI

Comparing cybersecurity frameworks

  • While cybersecurity frameworks share the common goal of helping organizations manage and reduce cyber risks, they differ in their scope, structure, and areas of emphasis
  • The NIST CSF provides a high-level, risk-based approach to cybersecurity, focusing on five core functions (Identify, Protect, Detect, Respond, Recover) and is widely adopted across various industries and sectors
  • The ISO/IEC 27000 series offers a comprehensive set of standards for establishing and maintaining an ISMS, with a strong emphasis on risk management and continuous improvement
  • The CIS CSC prioritizes a set of actionable controls to mitigate the most common and damaging cyber threats, making it a practical choice for organizations looking to enhance their cybersecurity posture quickly
  • COBIT takes a holistic approach to governance and management of enterprise IT, aligning IT strategies with business objectives and considering multiple enablers that influence the achievement of enterprise goals
  • PCI DSS and HIPAA are industry-specific standards that focus on protecting sensitive data (cardholder data and ePHI, respectively) and ensuring compliance with regulatory requirements

Choosing a cybersecurity framework

  • When selecting a cybersecurity framework, organizations should consider factors such as their industry, size, risk profile, regulatory obligations, and available resources
  • Organizations should evaluate the alignment of the framework with their business objectives, the level of guidance and support provided, and the potential benefits and challenges of adoption
  • It is essential to involve key stakeholders from across the organization (IT, security, compliance, legal, business units) in the decision-making process to ensure buy-in and successful implementation
  • Organizations may also consider seeking guidance from external experts, such as cybersecurity consultants or auditors, to help assess their needs and recommend an appropriate framework

Integrating multiple frameworks

  • Organizations may choose to adopt multiple cybersecurity frameworks to address different aspects of their security program or to meet specific regulatory or industry requirements
  • When integrating multiple frameworks, it is essential to identify overlaps and gaps between the frameworks and to develop a harmonized approach that leverages their complementary strengths
  • Organizations should map the requirements and controls of the selected frameworks to their existing security policies, processes, and technologies to identify
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.