Cybersecurity Frameworks: The Ultimate Manual
Protecting digital assets and maintaining compliance must be a top priority for every organization. Cybersecurity frameworks make this possible.
Read on to learn more about cybersecurity frameworks, how they work, and how to apply different frameworks to your business.
What Are Cybersecurity Frameworks Anyway?
A cybersecurity framework is a system of standards and guidelines to manage digital cyber risks. In many cases, cybersecurity frameworks align with a specific security objective or regulation.
Cybersecurity frameworks are designed to give organizations a systematic, repeatable, and reliable way to manage cyber risks—regardless of the environment or its complexities.
Many cybersecurity frameworks are mandatory to comply with industry-specific or regional guidelines. For example, to process credit and debit card transactions, businesses must comply with the PCI DSS (payment card industry data security standards) framework.
Some frameworks aren’t necessarily mandatory, but they’re strongly encouraged for businesses that want to maintain strict data security standards.
How Cybersecurity Frameworks Work
Each cybersecurity framework has its own rules, guidelines, processes, and best practices to maintain compliance.
Some frameworks might require audits by a third party to see if your organization is compliant. Others require your company to self-govern and attest that you’re following the guidelines. For the non-mandatory frameworks, it’s up to your organization to ensure the guidelines are being followed internally.
Generally speaking, cybersecurity frameworks can be segmented into three main categories:
- Cybersecurity Control Frameworks — Control frameworks are used to establish a strategy for your team that will ultimately become a baseline set of controls. Implementing the control will be a top priority as your team assesses the technical state of your security environment.
- Cybersecurity Program Frameworks — Program frameworks are a more comprehensive system. These are designed to simplify the collaboration between stakeholders, business leaders, and the security team.
- Cybersecurity Risk Frameworks — Risk frameworks establish the steps required to analyze and manage cyber risks. Teams will define, measure, and quantify risks, then prioritize security initiatives based on the risk analysis.
Understanding cybersecurity frameworks and how they work is much easier when looking at real examples. While there are dozens of different frameworks out there, I’ve identified the most common and relevant ones below:
Example #1: NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. Established by Congress more than 100 years ago, the organization’s mission is to promote innovation and competition by advancing science, standards, and technology in ways that improve quality of life and economic security.
The NIST cybersecurity framework is one of the most popular examples. The document that describes the framework is more than 40 pages long.
Depending on the size of your organization, implementation could involve thousands of labor hours.
The framework was initially put in place to protect critical infrastructure in the US, like power plants and dams, from cyber attacks. But the principles can be applied to any organization that wants to improve cybersecurity policies.
There are five main components of implementing this framework: identify, protect, detect, respond, and recover. We’ll take a closer look at these stages in greater detail later on in this guide.
Example #2: ISO/IEC 27001
ISO/IEC 27001 is an international standard for cybersecurity. The framework assumes that a company has adopted ISO 27001 and uses an ISMS (information security management system).
This framework was established by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).
ISO/IEC 27001 is designed to help organizations of all sizes improve data security management. This is accomplished through an ISMS.
The framework gives companies a methodology to protect sensitive data, safeguard customer information, and maintain relationships with partners across different industries.
ISO/IEC 27001 doesn’t have specific requirements or tools that your organization must adopt for data security. Instead, the framework establishes best practices for maintaining your security processes and policies within an ISMS.
The framework is designed to protect three key components of information for an organization—availability, integrity, and confidentiality.
We have an in-depth guide to ISO/IEC 27001 that you can use to learn more about this framework and its implementation.
Example #3: CIS
The CIS (Center for Internet Security) is a non-profit organization that helps public and private companies safeguard information against cyber threats.
The CIS framework is made up of 20 different controls that are updated on a regular basis. These controls come from experts in different fields, including governments, specific industries, and academia.
For organizations that want to ease their way into cybersecurity framework implementation, the CIS framework is a great place to start. The implementation is segmented into three groups:
Many organizations apply the CIS framework as a way to ensure that two or more other frameworks can work together without hindering each other. For example, if you want to apply NIST and ISO/IEC 27001, the CIS framework can help make that possible.
Example #4: SOC 1 and SOC 2
SOC 1 and SOC 2 are cybersecurity frameworks designed to build trust between vendors and partners. Developed by the AICPA (American Institute of Public Accountants), the framework describes an extensive auditing process for controls and third-party systems.
SOC 2 is a more sophisticated and complex audit compared to SOC 1. The goal of the audit is to determine how well a service organization handles sensitive data.
The reports can be used to provide a specific company with information about a potential vendor before they enter a relationship. They can also be used as a marketing tool for organizations that maintain compliance with these strict standards.
There are over 60 compliance requirements in the SOC 2 framework. It’s one of the most challenging frameworks to implement, but it’s a crucial part of any third-party risk management policy.
Example #5: GDPR
GDPR stands for General Data Protection Regulation. The GDPR framework was enacted in 2016 as an effort to protect sensitive data for citizens in the EU (European Union).
This framework is mandatory for organizations that collect and store data from people in the EU, including US businesses that have European customers or website visitors.
There are nearly 100 different articles that describe an organization’s responsibilities to maintain GDPR compliance. This includes data access rights for consumers, data breach notification requirements, and more.
For example, if your company has a data breach containing sensitive customer information, you must notify your country’s national regulator within 72 hours of discovering the breach.
Failing to maintain GDPR compliance can lead to hefty fines. Companies can be fined as high as €20,000,000 or 4% of global revenue.
How to Get Started With Cybersecurity Frameworks
Getting started with your first cybersecurity frameworks can be intimidating if you don’t know where to start. Fortunately, this process can be simplified into five simple steps.
The exact process will vary depending on the framework in question. But the NIST (National Institute of Standards and Technology) has a quick start guide that’s broad enough to cover other frameworks.
Step 1 — Identify Critical Assets
The first thing you need to do is assess your current processes and assets. What organizational activities are the most important for your company to operate?
For example, if you have an ecommerce business, maintaining your website and online payment gateway is required to receive money from customers. If you have a healthcare practice, storing and protecting patient medical records is required for patient care.
You also need to map out where information is coming from and where it’s going. This will ultimately make it easier for you to find potential vulnerabilities where information flows.
Identifying all of your hardware, software, and applications is a crucial part of this process as well. NIST recommends keeping an accurate inventory of all these tools. The inventory doesn’t need to be complex, and most organizations can manage this in a single spreadsheet.
This step also involves your team defining cybersecurity expectations. How will your initiatives support critical assets and resources?
The final step of this stage involves identifying potential risks, threats, and vulnerabilities to your assets. These threats can be both internal and external.
For example, an employee accidentally sharing sensitive data on the web would be internal. Hackers trying to breach your network or database would be external.
Step 2 — Protect Sensitive Data
Now you need to develop a system to appropriately protect the assets defined in the first step. The exact process here will depend on the framework you’re implementing.
Generally speaking, you’ll need to have some type of access control system in place. Having unique accounts and a credentialing policy for every employee is a good starting point. This ensures that only authorized users can access databases, applications, devices, and information.
All sensitive data should be protected with encryption. This includes the data while it’s in storage as well as when it’s in motion. Make sure you destroy any sensitive data that’s not required or no longer required for different initiatives.
Data protection also involves device and network protection policies. Things like firewalls and endpoint security systems all fall into this category.
Establishing a backup policy for your sensitive data is also important here. If data is lost or compromised, you should be able to restore it with an accurate and secure backup.
User training is another crucial aspect of data protection. You need to make sure everyone in your organization understands their specific roles and responsibilities as well as the overall cybersecurity policies you’re implementing.
Step 3 — Set Up Event Detection Systems
You need to set up a system that detects whenever a cybersecurity event occurs.
To do this effectively, you need to have a testing process to detect unauthorized actions or users in your network. Your team should be aware of their responsibilities to report certain activities. This includes internal reporting as well as external reporting to governing authorities.
You need a system in place that logs all cyber actions. This is an important resource to detect anomalies or changes within a system. Many cybersecurity tools even use AI to learn network patterns so they can detect unusual behavior.
While manual review of logs and human interaction with reports are both important, much of the event detection process can be automated with technology.
There are countless enterprise tools on the market for threat detection. Even basic malware protection software could fall into this category. But many of these tools are more advanced and can accommodate the needs of an enterprise network.
Step 4 — Plan Your Response
How will your team react after a security event has been detected? You must implement a set of standards and procedures for these scenarios.
Don’t wait until an event occurs to ensure your readiness. You should run tests on a regular basis to practice proper responses. Some of these tests can be planned, and others can be simulated drills without giving your team any notice to prepare.
In addition to the internal response steps, you must also establish any legal reporting requirements or information sharing requirements to maintain compliance.
For example, what steps do you need to take if you learn that your sensitive customer data was breached? We briefly mentioned this earlier when discussing GDPR compliance as an example. This must be outlined thoroughly in your response plan.
All internal and external stakeholders in your organization should be part of this process, as certain actions can have big-picture impacts on an organization.
Let’s say your company falls victim to a ransomware attack. While government authorities advise against paying a ransom, that decision ultimately falls on your company.
Step 5 — Prepare For Recovery
Establishing appropriate recovery plans for cyber incidents is the final step of this process.
Much of this will be outlined by the steps you’ve taken previously. For example, by now you should already have a plan in place to backup your data. So if data was lost during a breach, you’d know that part of the recovery plan means accessing the backup.
In some cases, the framework you’re implementing will have a more specific procedure here.
But all frameworks will ultimately have the same goal during the recovery stage—ensure your organization can be operational as quickly and safely as possible while maintaining compliance.