Cyber security frameworks are systems of best practices and standards, and it’s important not to overlook their value in laying a solid foundation for your security strategies, policies, and processes. What are the leading frameworks, and how can you choose the right one for your business? Read on to get the answers to these questions and more.
A Brief History of Cyber Security Frameworks
Cyber security frameworks provide a structure for organisations to help better manage their cyber security risks and reduce exposure to attacks. But why do you need a framework in the first place?
Cast your mind back to the early 2000s, when hacking was very much an esoteric skill set. Cyber attacks happened, but they were isolated incidents requiring meticulous planning and significant knowledge. Today, the barriers to entry are far lower. Online marketplaces provide a smorgasbord of skills for hire, and ransomware-as-a-service offerings allow people without a high level of technical skill to conduct cyber attacks.
With digital transformation strategies accelerating and expanding the attack surface, the current threat landscape sees a high volume of attacks inundating companies of all sizes from all angles.
One of the earliest frameworks, NIST 800-53, emerged in 2005 as a catalogue of controls with the purpose of protecting federal information systems in the United States. Around the same time, the publication of ISO 27001 established an international standard for managing information security.
An arguably more seminal moment came in 2013 when President Barack Obama ordered the National Institute of Standards and Technology (NIST) to develop a framework to reduce cyber risks to critical infrastructure in light of repeated cyber intrusions. The same year also saw significant changes to ISO 27001, which reflected an altered risk landscape.
Frameworks established formalised standards and best practices for cyber security at the federal and critical infrastructure levels, in recognition that these vulnerable areas weren’t adequately protected by ad hoc approaches. Eventually, the adoption of frameworks trickled down into most sectors as repeated cyber attacks caused significant losses. Without a framework, there’s a high likelihood of gaps in your security strategy and controls that threat actors will exploit.
Overviewing 5 Leading Cybersecurity Frameworks
Here is a brief run-through of five leading cyber security frameworks.
ISO 27001
● ISO 27001 sets out the policies and procedures involved in developing an effective security program.
● The framework covers important areas such as leadership, policy, planning, documentation, and operations.
● Becoming certified for ISO 27001 requires an audit, the cost of which depends on the number of people working for your company. You also need to pay a small fee to access the framework.
● A disadvantage of this framework is that it leaves it up to individual businesses to select necessary security controls based on their own risk assessments and deemed acceptable levels of risk.
NIST Cybersecurity Framework
● The NIST Cybersecurity Framework (CSF) is a free set of guidelines outlining policies and controls for reducing cyber security risks.
● While this framework was initially created for critical infrastructure, it is flexible enough to implement in any sector by companies of any size.
● The framework's core clearly sets out five essential pillars of a comprehensive security program (Identify, Protect, Detect, Respond, and Recover).
● A drawback of NIST CSF is that it doesn’t adequately address cloud computing in a way that reflects the shared responsibility model of public cloud services.
SOC 2
● SOC 2 is a voluntary compliance standard that outlines criteria for securely managing user data based on five central principles: security, availability, processing integrity, confidentiality, and privacy.
● In a world where discerning customers and clients choose businesses that take proper care of their sensitive data, SOC 2 provides assurance about robust data security practices.
● Not being SOC 2 compliant in an industry where it’s expected puts your company at a competitive disadvantage.
● Getting certified as SOC 2 compliant takes anywhere from six weeks to 18 months, and since it only focuses on user information, it’s not comprehensive enough to cover all facets of an effective security program.
Center for Internet Security Critical Security Controls
● The CIS Critical Security Controls are a set of 18 cyber security best practices, each with a prioritized set of actionable safeguards to mitigate cyber attacks.
● The framework is made more accessible by its three implementation groups, which start with 56 safeguards for essential cyber hygiene and go all the way up to 153 safeguards at the highest level of implementation.
● The list of controls is informed by consensus from security experts on the best defensive techniques for dealing with the most prevalent cyber threats.
● The CIS Critical Security Controls changed quite considerably between versions 7 and 8, which reflects considerable changes in the cyber security ecosystem (work from home, increased virtualisation, lowered barriers to entry).
● These controls aren’t a replacement for a full program to manage cyber security.
NCSC Cyber Assessment Framework
● The Cyber Assessment Framework is a set of cyber security and resilience principles, objectives, and best practices to help organisations assess how well they’re managing cyber risks.
● The UK’s National Cyber Security Centre (NCSC) designed the framework to be outcome-based rather than prescriptive about what needs to be done.
● There are 14 high-level security principles in the CAF. The UK Government’s National Cyber Strategy has identified the NCSC CAF as the go-to framework for public sector organisations.
● This framework overlaps quite heavily in places with the NIST Cybersecurity Framework.
Which Framework to Choose?
Some of the following factors are worth considering when choosing the right framework for your business:
● Framework Type: Some frameworks, such as ISO 27001 and NIST CSF, help organisations build out a holistic security program. Others focus more on establishing a baseline set of controls and prioritizing their implementation (CIS Critical Security Controls) or on protecting specific aspects of information security (SOC 2).
● Risk Profile: Each business needs to run its own risk assessment process that establishes its risk tolerance levels. Your risk profile plays a role in determining whether you choose a framework that provides baseline controls and practices within that risk tolerance, or something more all-encompassing that reflects a lower tolerance for any level of cyber risk.
● Need for Certification: Certain industries and sectors come with an expectation, or even a legal requirement, to be certified against particular frameworks. Having to meet this need can help narrow down your choices.
The Value of Consulting
Cyber security frameworks are part of an overall ecosystem for reducing cyber-related risks. But with a range of options available and each business facing a unique set of risks, it’s difficult to truly know what you need. This is where the value of cyber security consulting comes to the fore in helping you make logical decisions that best support your business.
And after you’ve chosen a framework, implementing it with minimal friction is the next challenge you face. Consulting from experienced cyber security professionals can help here too.
Contact the tmc3 team today for a partner that understands your needs and helps increase your cyber maturity levels.