A framework is a common term used in cybersecurity to describe a set of documents that define best practices an organization can follow to reduce its cybersecurity risk. Think of it as a set of guidelines or instructions that an organization can follow to reduce risk and make its infrastructure more secure. Many companies want to secure their environments but have no idea where to begin. Frameworks address this problem by laying out a strategic cybersecurity plan that company executives can follow. While no plan is foolproof, several well-respected frameworks exist that can serve as a starting point and give management confidence that they are addressing their key security risks. Below are some of the key frameworks you should consider when designing a cybersecurity plan:
NIST Cybersecurity Framework
This is probably the most popular cybersecurity framework, published by the National Institute of Standards and Technology (NIST). NIST (originally the National Bureau of Standards) was founded in 1901 and is part of the US Department of Commerce; it acts as an impartial source of scientific data and practices, including cybersecurity practices. By some estimates, roughly half of US organizations were using its Cybersecurity Framework (CSF) as of 2020. The framework organizes cybersecurity activities into five core functions (note that CSF 2.0, released in 2024, adds a sixth function, Govern):
Identify: Identify the assets that need protecting, such as critical systems, data and physical resources.
Protect: Develop and implement controls that prevent cyberattacks or limit the damage when they occur.
Detect: Implement controls that detect cyberattacks as soon as they occur.
Respond: Develop an incident response plan so you can take quick and effective action during a cyberattack.
Recover: Develop and implement activities that restore services, systems and data following an attack.
The NIST Cybersecurity Framework goes on to offer guidance on establishing or improving a cybersecurity program, communicating cybersecurity requirements to stakeholders, protecting privacy and civil liberties, and more.
PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It is a compliance framework mandated by the card brands for any merchant or service provider that stores, processes or transmits cardholder data, and its goal is to keep consumers' card data safe. Its requirements are grouped into six categories:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
This framework also addresses how to get your point-of-sale (POS) tools approved: the PCI Security Standards Council maintains lists of approved PIN-entry devices and validated payment software that you can check before choosing a POS solution. It goes on to cover best practices for storing cardholder data, strong password policies, employee training and more.
OWASP
The Open Web Application Security Project (OWASP) is a nonprofit organization dedicated to improving the security of web application software. It runs many very good community projects that serve as guidelines for people concerned with securing their web applications. One worth mentioning is the Security Knowledge Framework (SKF), which guides developers on writing secure code and on security by design for web applications, among other topics. Beyond this framework, the OWASP website has a ton of free resources you can use to learn more about improving web application security. One of its most popular resources is the OWASP Top 10, a periodically updated list of the most critical web application security risks, with recommendations on how to prevent them.
TOGAF
The Open Group Architecture Framework (TOGAF) is an enterprise architecture methodology used to plan, design and govern an organization's IT architecture. It is heavily used: by one commonly cited estimate, 80% of Global 50 companies and 60% of Fortune 500 companies were using it in 2016. TOGAF was based on TAFIM, an IT management framework developed by the US Department of Defense in the 1990s. TOGAF covers eight areas, outlined below:
COBIT
Control Objectives for Information and Related Technologies (COBIT) is an IT management and IT governance framework developed by ISACA (the Information Systems Audit and Control Association). It was developed to help companies develop, organize and implement controls and strategies for IT governance and management. COBIT 5 (2012) is the version most widely referenced, though it has since been superseded by COBIT 2019. Its guiding principles are:
ISO 27001
ISO/IEC 27001 is an information security standard and one member of the ISO/IEC 27000 family of standards. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), and unlike the frameworks above, an organization can be formally audited and certified against it. It is intended to be applicable to all organizations, regardless of type, size or nature. The domains it covers are:
Security frameworks provide guidance and structure when building out a security program. They are especially useful for companies that do not have much security expertise, such as startups or companies with inexperienced security staff. While they should not be your only source of information and cannot guarantee protection, they are a great starting point and provide good best-practice guidelines for your organization.