Understanding the Top Cybersecurity Frameworks
Industry Standards that Provide Structure and Consistency to Your Cybersecurity Program
Safety. One of humanity’s most basic needs, and an absolute essential for any society to thrive.
Over the millennia, nations and tribes have always sought out tools that kept them safe from their enemies. From moats and drawbridges to impenetrable walls, from feudal foot soldiers to modern armies, and from bows and arrows to missiles — as the dangers have evolved, societies have developed solutions to counter those threats and maintain safety within their borders.
The internet has expanded the borders of our society enormously but has also weakened those borders. The internet initially promised open communication and unlimited potential for human growth and education, but it was soon revealed to be the new Wild West — malicious actors, scam artists, agitators, and agents of false information abounded, revealing how vulnerable the individuals, organizations, and governments that had embraced the internet were. Many who moved operations online put their freedom before their safety, and some organizations still underestimate their risk exposure and have failed to adopt a security mindset.
Establishing Trust and Credibility with Cybersecurity Frameworks
For organizations that engage in online commerce, earning the business of increasingly tech-savvy customers relies partly on their ability to ensure a reasonable level of data security. There are many ways that an organization can pursue a secure status: routinely testing their systems, installing safeguards, creating operational controls, updating software, and many more methods can be taken on.
Determining the specific safeguards you need to adopt often depends on the nature of the online operations and the industry. Fortunately, you can find a bevy of guidelines to help you determine a set of safeguards that are comprehensive and tailored to your needs.
In the past couple of decades, government agencies, industry organizations, and other groups have developed a wide array of cybersecurity frameworks: a collection of operational standards and safeguards that organizations are encouraged (and sometimes required) to adopt in order to keep their own and their customers’ information secure and to prevent or mitigate the damage caused by cyberattacks. These frameworks are tailored to protect the valuable and vulnerable data that particular organizations handle.
Organizations that adopt these cybersecurity frameworks enjoy multiple benefits: the knowledge that they are taking all necessary steps to keep their data secure, the assurance of industry compliance, and the trust of their security-minded customers.
6 Popular Cybersecurity Frameworks: What, Who, and Why
Let’s take a look at some of the most used cybersecurity frameworks and how they could benefit your business.
CIS Critical Security Controls (CIS v8)
The Center for Internet Security (CIS), founded in 2000, is a non-profit, community-based organization that works to help organizations prevent and mitigate cyber threats. In 2008, it released the first version of the CIS Critical Security Controls, and it recently released the updated 8th version. CIS v8 focuses on efficiency, laying out a short list of prioritized actions to take (and tools to use) to quickly establish data security.
The CIS v8 framework is often the first framework an organization adopts because of its three-tiered implementation groups; it can be thought of as three progressively more mature frameworks in one. Adopters are encouraged to focus first on the controls that have the highest return on investment and that are foundational for the controls found in the later implementation groups.
Unlike some other frameworks, CIS is not industry-specific, and is used by a wide variety of organizations in industries like aerospace, banking, pharmaceuticals, insurance, healthcare, and city-, county-, and state-level government entities, both in the US and abroad.
CIS v8 provides a level of guidance that can be applied to businesses large and small, though it is not a substitute for industry-specific regulatory or compliance frameworks.
You can read more about the CIS 20 Critical Controls here.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC), developed by the US Department of Defense (DoD), is a series of regulatory requirements that any organization within the DoD’s supply chain must meet. Its goal is the protection of the sensitive defense data that must be shared with vendors to fulfill contracts for the Department of Defense. This class of information is formally known as “Controlled Unclassified Information,” or CUI. If this information were accessed by hackers, it could put military personnel and operations in jeopardy, hence the strict requirement to adhere to the latest guidelines.
CMMC 2.0 is a three-tier combination of specific cybersecurity practices drawn from NIST SP 800-171, NIST SP 800-172, and other standard cybersecurity frameworks. Depending on the level of certification the organization wishes to achieve and the services it provides to the DoD, compliance is verified by assessments performed by the organization itself, by third parties, or by government employees.
We’ve written an in-depth, 3-part series on CMMC and its applications, so if you want more information, you can read it here.
FFIEC Cybersecurity Assessment Tool (CAT)
The Federal Financial Institutions Examination Council (FFIEC) framework is implemented using its Cybersecurity Assessment Tool (CAT), which measures the amount of risk your organization is exposed to and your cybersecurity maturity. To achieve FFIEC compliance, your organization must meet the standards, undergo an extensive internal environment assessment, create an actionable set of goals to address any weaknesses uncovered in the assessment, and undergo periodic risk assessments to maintain compliance.
The FFIEC CAT reviews multiple areas of risk, including technologies, networks, hardware, security policies for personnel, cybersecurity measures already in place, third-party cybersecurity services and products, and your organization’s history of cyberattacks and responses.
All federally supervised financial institutions, such as banks and credit unions, are required to comply with FFIEC guidelines.
Note that New York State adds its own requirements on top of the FFIEC guidance through the New York State Department of Financial Services (NYDFS). The NYDFS requirements are very closely related to FFIEC — think of them as New York’s custom tailoring of controls for financial institutions.
ISO 27001
The International Organization for Standardization (ISO) has created a host of management system standards, with ISO 27001 being the most widely implemented information security, cybersecurity, and data privacy standard in the world. While ISO 27001 certification is not required for any organization or industry in the US, many organizations choose to be certified to enhance their security reputation through the rigorous standards the certification requires, and certification may be required when working with foreign organizations that are themselves required to be certified.
While the ISO 27001 framework allows for some flexibility, organizations must prove that they have a robust cybersecurity model in place, maintain security training for all necessary staff, and conduct regular audits in order to be certified.
NIST SP 800-53
The National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a framework for federal agencies to establish security and privacy controls for all of their information systems. This framework requires agencies and civilian organizations to adopt a number of cybersecurity controls and assessment techniques and processes, though the types of tools and methods used can vary depending on the needs of the individual organization and the type of service it provides to a federal agency.
All US federal agencies and their contractors, with the exception of those related to national security, must be in compliance with NIST 800-53. Additionally, CMMC and NIST 800-171 are derived from the more comprehensive 800-53 standard, so if your organization hopes to become a government contractor in the future, adopting this framework can make compliance with the derived frameworks easier.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) provides organizations of any size with a flexible framework that aims to help each organization develop the cybersecurity practices that work best for it. Although developed for the DoD, it is becoming widely adopted in industry and also relies on the NIST 800-53 framework. No organization or industry is required to adopt NIST CSF, but many find it to be a useful tool. NIST CSF is based on five functions:
- Identify: define the scope of assets, systems, and data that will need to fall within the CSF
- Protect: create and enact a holistic cybersecurity system, including training, determining access control, selecting cybersecurity tools and services, etc.
- Detect: develop a schedule of system monitoring, penetration testing, and other tests to detect a breach, and put it into action
- Respond: create a plan for reporting, addressing, and correcting the fallout of a cybersecurity event
- Recover: make a plan for the post-Respond phase, which can include remediation, corrections to security measures, and communication, so that the event does not recur
Although this framework is flexible, it is still sufficiently robust to satisfy the cybersecurity needs of a wide range of organizations. Organizations using this framework include Boeing, Intel, multiple national and international banks, and many others.
Going Freestyle: Creating Your Own Cybersecurity Framework
If your organization is not required to adopt a specific cybersecurity framework, then you have the freedom to adopt whatever framework you think will serve you best — even a framework that you create yourself. Depending on your needs, you can take the tools, processes, and strategies from preexisting frameworks and mold them to your unique standards.
In order to do this well, however, you must first conduct a rigorous and thorough security risk assessment. No framework will be effective if it does not meet your security goals, address your security weaknesses, encompass all of your vulnerable assets, and provide the means to counter and address security incidents.
And after the framework is established, you must also test the framework thoroughly and frequently. Are all of the defenses effective? Are your staff in compliance with your security standards? Does a penetration test reveal any missed weaknesses? Evaluate the effectiveness of your framework, and strive to make it better with every review.
Simplify Your Cybersecurity Framework with PlexTrac
Effective cybersecurity frameworks require frequent assessments, whether enforced by industry standards or driven by your own need to stay on top of the latest threats, tools, and systems. Certain frameworks, such as CMMC 2.0 and FFIEC, permit organizations to conduct their own framework assessments, but the assessment has specific criteria and must meet specific standards in order for your organization to earn or maintain certification.
Whether your assessments are required for certification or just necessary to keep your organization in line with best practices, PlexTrac can help to streamline the assessment process. PlexTrac’s Assessments Module offers up-to-date questionnaire templates for many standard framework assessments and also helps you create custom templates that you can implement, update, and integrate into your overall pentesting and risk assessment process.