Types of Cybersecurity Frameworks
Source: The SSL Store Website

Organizations are increasingly exposed to the risk of having their databases leaked. Data leakage can be the result of a physical, logical or human breach. It is every employee's responsibility to preserve the confidentiality of that information; however, not every worker is aware of, or knows how to deal with, the potential risks of a cyber-attack.

Although some organizations raise awareness about information security and data protection and invest heavily in modern methods of information control, these actions on their own are still not enough to prevent hacking. Alongside these measures, an Information Security Programme should be implemented, capable of instructing all of the organization's personnel about the importance of information handling and their role in safeguarding that information.

This Programme should spread the subject among all employees and set out internal policies that describe the behaviour the organization expects regarding the care of information and the most appropriate methods to protect it, as well as the consequences of non-compliance with the recommended information security measures.

To strengthen cybersecurity further, companies adopt cybersecurity frameworks: structured sets of policies, practices, processes and technologies for protecting computer systems from attack. An important point when choosing a framework is the level of detail it provides, as this tells you what you must do to make it work and achieve your intended goals. The choice of framework should be driven by the business needs.

1. The ISO Series

ISO stands for International Organization for Standardization, a standards body founded in 1947 and headquartered in Geneva, Switzerland. Its ISO/IEC 27000 series gives a set of requirements and guidelines that help manage information security inside an organization. It covers employees, third parties, customers, clients, peers and all information assets inside the organization, and it supports security compliance and risk management by ensuring the confidentiality, integrity and availability (CIA) of data. It is a worldwide framework used by multinationals, yet it is objective, relatively uncomplicated and easy to implement, and it is suitable for companies of all sizes and types.

ISO/IEC 27001 is among the most widely used frameworks worldwide, suitable for organizations of any type, size, industry or market, and it is easy to implement because the documents are direct and clearly written. Another strong point is that the series consists of documents that complement each other, covering all the points needed when implementing information governance (IG). The series gives an overview of an Information Security Management System (ISMS) that helps identify, analyse and treat information risks. For example, ISO/IEC 27000 provides the overview and the vocabulary explaining every term, which makes the definitions easy to use when constructing your policy; ISO/IEC 27001 specifies the requirements for the ISMS, with brief guidance on how to implement them; ISO/IEC 27002 explains all the controls in depth; and ISO/IEC 27005 describes in detail how to implement the risk management process inside the organization. There is no usage limitation: you can use ISO on its own or combined with another international framework such as COBIT.

ISO/IEC 27001 follows the Plan-Do-Check-Act (PDCA) cycle, structuring the management system in detail by showing the control objectives and requirements and how to structure your Information Security Management System.

As part of this structure you will find a risk management process that enables companies to succeed in managing risks. It shows how to build an effective risk management lifecycle by:

  • Identifying assets, potential threats, vulnerabilities and impact.
  • Analysing the probability and impact of each risk using qualitative and quantitative measurements.
  • Treating each risk according to its level by terminating, accepting, modifying (reducing) or transferring it to a third party.
  • Monitoring the risk.
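As an added example of the four steps above (this is illustrative code written for this page, not from the original article or from any ISO publication), here is a small Python risk register that scores each risk qualitatively and quantitatively, chooses one of the four treatment options, and flags what still needs monitoring. The 5x5 scale, the appetite threshold, the cost-benefit rule and the sample risks are assumptions made for the illustration; ISO/IEC 27005 leaves those choices to the organization.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scoring scales and thresholds are assumptions made for this example;
# ISO/IEC 27005 leaves the choice of scales and appetite to the organization.
RISK_APPETITE = 8          # qualitative score the organization tolerates (assumed)
TERMINATE_THRESHOLD = 20   # above this, and untreatable, the activity is stopped (assumed)


@dataclass
class Control:
    """A candidate safeguard for the 'modify' treatment option."""
    name: str
    annual_cost: float
    likelihood_reduction: int = 0   # points removed from the 1..5 likelihood
    impact_reduction: int = 0       # points removed from the 1..5 impact


@dataclass
class Risk:
    """One identified risk: asset, threat, vulnerability and its analysis inputs."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    sle: float = 0.0                # single loss expectancy (quantitative)
    aro: float = 0.0                # annualised rate of occurrence
    transferable: bool = False      # can it be insured or outsourced?
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Qualitative rating on a 5x5 likelihood x impact matrix."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Annualised loss expectancy: the quantitative view of the same risk."""
        return self.sle * self.aro


def residual_score(risk: Risk, control: Control) -> int:
    """Score left after applying a control (neither factor drops below 1)."""
    likelihood = max(1, risk.likelihood - control.likelihood_reduction)
    impact = max(1, risk.impact - control.impact_reduction)
    return likelihood * impact


def recommend_treatment(risk: Risk) -> tuple[str, Optional[str]]:
    """Choose accept / modify / transfer / terminate for one risk.

    'modify' is only chosen for a control that brings the score within
    appetite AND costs less per year than the loss it avoids (the ALE).
    """
    if risk.score() <= RISK_APPETITE:
        return ("accept", None)
    affordable = [
        (c.annual_cost, c.name) for c in risk.controls
        if residual_score(risk, c) <= RISK_APPETITE and c.annual_cost < risk.ale()
    ]
    if affordable:
        return ("modify", min(affordable)[1])   # cheapest adequate control
    if risk.transferable:
        return ("transfer", None)
    if risk.score() > TERMINATE_THRESHOLD:
        return ("terminate", None)
    return ("accept", "exceeds appetite: management sign-off required")


def build_register(risks: list[Risk]) -> list[dict]:
    """Analyse and treat every risk; the result is the risk register."""
    register = []
    for r in risks:
        treatment, detail = recommend_treatment(r)
        control = next((c for c in r.controls if c.name == detail), None)
        if treatment == "terminate":
            residual = 0
        elif control is not None:
            residual = residual_score(r, control)
        else:
            residual = r.score()   # accepted or transferred: exposure stays on the books
        register.append({"asset": r.asset, "score": r.score(), "ale": r.ale(),
                         "treatment": treatment, "detail": detail, "residual": residual})
    return register


def monitor(register: list[dict]) -> list[str]:
    """Monitoring step: assets whose residual risk is still above appetite."""
    return [e["asset"] for e in register if e["residual"] > RISK_APPETITE]


SAMPLE_RISKS = [   # constructed sample data, not taken from any real assessment
    Risk("customer database", "SQL injection", "unparameterised queries", 4, 5,
         sle=200_000, aro=0.5,
         controls=[Control("parameterised queries and input validation", 30_000,
                           likelihood_reduction=3)]),
    Risk("laptop fleet", "theft", "unencrypted disks", 3, 3, sle=20_000, aro=1.0,
         controls=[Control("full-disk encryption", 5_000, impact_reduction=2)]),
    Risk("office printer", "hardware failure", "single device", 2, 2),
    Risk("card payments", "fraudulent transactions", "no fraud screening", 3, 4,
         sle=50_000, aro=2.0, transferable=True,
         controls=[Control("in-house fraud engine", 150_000, likelihood_reduction=2)]),
    Risk("marketing site", "defacement", "outdated CMS plugin", 5, 2, sle=2_000, aro=3.0,
         controls=[Control("managed hosting upgrade", 8_000, likelihood_reduction=3)]),
    Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 5, 5),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_RISKS)
    for e in reg:
        print(f"{e['asset']:<18} score={e['score']:>2} ale={e['ale']:>9,.0f} "
              f"-> {e['treatment']:<9} residual={e['residual']:>2}  {e['detail'] or ''}")
    print("needs review:", monitor(reg))
```

Note the two cases a spreadsheet usually gets wrong: the fraud engine is rejected because it costs more than the annual loss it prevents, so the risk is transferred instead, and a transferred or accepted risk keeps its score in the register so the monitoring step still surfaces it for periodic review.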

ISO standards also provide data management guidance. How you treat the data inside your organization is very important for its safety, and ISO/IEC 27001 provides controls on how to acquire, validate, store, protect and process data. It emphasizes the importance of backups and gives instructions on how to dispose of and destroy data, supporting successful information lifecycle management.

ISO/IEC 27002 provides controls in other areas such as HR management, physical controls, information security controls, stakeholder management, operations and access controls, incident management and business continuity management. A disadvantage is that all ISO publications must be purchased; they are not available for free.

2. NIST Framework

The NIST Cybersecurity Framework was created in 2014 in the USA by the National Institute of Standards and Technology to strengthen the cybersecurity of critical infrastructure, but it can be used by any institution of any size. The framework encourages combined usage with other frameworks, but it was also designed to be used entirely on its own. It offers a simple but effective organization based on three elements: the Core, the Implementation Tiers and the Profiles. The Core is a set of cybersecurity practices that support the five risk management functions: Identify, Protect, Detect, Respond and Recover. The Tiers characterize an organization's ability and maturity in managing the framework's functions and controls, and the Profiles convey the organization's current and target cybersecurity postures. One more good thing about NIST is that the framework is completely free. A disadvantage is that the framework is quite complex and was designed mostly with US federal legislation in mind.

3. COBIT Framework

COBIT (Control Objectives for Information and Related Technologies) is an IT governance framework created by ISACA in 1996, initially focused on auditing. Management guidelines were added in the third edition. With COBIT 5, released in 2012, ISACA placed more emphasis on information governance (IG) and risk management. Besides the supervision and management of information security, COBIT gives guidance on auditing and vulnerability management. COBIT (through version 4.1) is organized into four major domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. ISACA also offers COBIT certifications for those who want to learn more about the framework.

One disadvantage of COBIT is that it tells you what to do but not how to do it, which makes it harder to turn it into an action plan.

4. PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS, the Payment Card Industry Data Security Standard, is one of the most widely required security standards in the world. Compliance with it is mandatory for every company that stores, processes or transmits cardholder data, whether online or not, and it exists to ensure the security of that data. It is extremely important for anyone who wants to sell through online payments. PCI compliance is divided into four merchant levels, based on the annual volume of credit/debit card transactions processed by the company, which determine what is required to validate and maintain compliance. The exact thresholds are set by each card brand; the commonly cited levels are:

  • Level 1 »» more than 6M transactions/year
  • Level 2 »» 1M - 6M transactions/year
  • Level 3 »» 20K - 1M transactions/year
  • Level 4 »» fewer than 20K transactions/year

The standard is governed and maintained by the PCI Security Standards Council, an open global forum founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa.

PCI DSS provides a robust framework of 12 requirements on how companies should secure their systems. The PCI DSS requirements are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

5. CIS Critical Security Controls

The CIS Critical Security Controls are a prioritized set of specific actions that help safeguard against the most common cyber-attacks. The controls were originally developed by a consortium coordinated by the SANS Institute and are now maintained by the Center for Internet Security (CIS). Together they produced the 20 Critical Security Controls (CSC) for Effective Cyber Defense (consolidated into 18 controls in version 8, released in 2021). The CIS Controls give an effective framework for systems management.

The CIS Controls were not designed to replace any framework the organization already has in place. They were designed as a complementary set of safeguards that help structure the organization's controls and improve its cybersecurity. The CIS Controls can be used in combination with many frameworks and standards, such as the NIST Cybersecurity Framework, NIST SP 800-53, the ISO 27000 series, ITIL and COBIT, and also alongside regulations such as GDPR, PCI DSS, HIPAA and FISMA. Another advantage of the CIS Controls is that they are free and can be downloaded and implemented by any company.

6. SABSA

SABSA (Sherwood Applied Business Security Architecture) is a security architecture framework developed in 1995 and now maintained by The SABSA Institute. It provides a framework for developing risk management, information security and information assurance architectures. It aims to deliver a security infrastructure solution while supporting critical business initiatives. SABSA provides guidelines that connect architecture with business value, ensuring that business needs are met while delivering complete security services and striking the important balance between risk and reward. SABSA is an open framework, free to all users, with no licence required to apply it in an organization. It suits businesses of all types and sizes, covering not only technical security issues but also the management of business needs and all the factors that may prevent an organization from achieving its goals. Another advantage of SABSA is that individuals can obtain the SABSA Foundation certification after attending an official SABSA Foundation training course and passing the examination modules F1 and F2. The SABSA framework is also compatible with a wide range of other frameworks, such as ITIL, COBIT and ISO, which enables organizations to create an integrated compliance framework.

More articles by Renan Martins