Implementing and maintaining cybersecurity in a small firm or a large organization is an integral part of the business model. Certain organizations and associations have been set up to define the rules and procedures to be followed when developing an IT infrastructure or raising its security to a bare-minimum baseline. These rulebooks are known as frameworks and standards.
There are a variety of different organizations all around the world that contribute to these documents. Let us explore how these different documents can benefit everyone involved in IT worldwide and why it became necessary to create these standards and frameworks in the first place.
Framework vs Standard: What’s the difference?
By definition, a framework is the structure underneath a system. A framework is not defined down to the last detail: it gives the outline of the system, not the method to be adopted to implement it. Hence, a company can adopt a framework in any way of its choosing and can claim to follow a certain framework as long as all the requirements of that framework are being met. An organization may add to a framework to make it more effective and would still be following the same framework.
On the other hand, as the name implies, a standard is the best-known practice that defines the steps and procedures involved in getting a task done. Moreover, an internationally recognized standard means that the same procedure is followed throughout the globe to perform a certain task wherever that standard has been adopted.
An organization can create its own set of rules that are only applicable within the firm, or adopt standards and rules that are recognized internationally. In recent years, many organizations have been working on standardizing the basic security infrastructure of organizations dealing with Personally Identifiable Information (PII) or financial information so that this data is not easily accessible to unauthorized personnel. This ensures that all companies follow the bare-minimum requirements to keep their clients’ data safe from attackers and to minimize data loss in case of a successful breach.
Top IT security standards and frameworks
COBIT is the name of a security framework developed by an organization known as Information Systems Audit and Control Association (ISACA). This framework defines governance and management principles, processes, and organizational structures for enterprise information technology. COBIT provides the requirements for implementing an Information Security Management System (ISMS) and is compatible with the ISO/IEC 27000 series of standards, which will be discussed further in the article.
COBIT is built on five basic principles, illustrated in the image below:
With the introduction of COBIT 5, information security has been incorporated as part of the framework. Three COBIT 5 processes specifically address information security: APO13 “Manage Security,” DSS04 “Manage Continuity,” and DSS05 “Manage Security Services.”
COBIT 5 has five process areas specified for the governance and management of enterprise IT. These areas are:
- Evaluate, Direct, and Monitor (EDM)
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)
ISO/IEC 27000 series for Information Security Management Systems (ISMS)
An Information Security Management System (ISMS) is a compiled rulebook defining the policies, procedures, and activities involved in structuring the organizational unit responsible for handling and maintaining the cyber and information security aspects of a firm. Organizations tend to structure their own resources, scope, and responsibilities, but many of them follow pre-structured, standardized, and pre-tested methodologies, such as the ISO/IEC 27000 series of standards.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have compiled a family of standards focusing on security techniques, information technology, and ISMS.
The ISO/IEC 27000 series comprises various standards, such as 27001, 27005, and 27032, each of which gives guidance in a different domain. For example, ISO/IEC 27001 provides guidance on the ISMS within an organization. Using this standard, any organization can secure its IT infrastructure by ensuring that all basic requirements are met. Moreover, an organization can be certified against ISO/IEC 27001 following an audit, which attests that the firm has passed the test.
ISO/IEC 27005 provides guidance on conducting risk assessments of the security infrastructure and on how to handle scenarios in case of a breach.
Meanwhile, the ISO/IEC 27032 standard gives general guidance on the norms and best practices to adopt in order to ensure the highest level of cybersecurity.
NIST Cybersecurity Control Framework (CSF)
The National Institute of Standards and Technology (NIST) created the Cybersecurity Control Framework (CSF) in collaboration with the U.S. government. The framework’s main purpose was to provide the private sector with enough information to secure its critical IT infrastructure. Unlike many NIST guidance documents, the CSF was designed specifically for businesses, to meet their needs and support their business objectives.
The CSF differs from other frameworks in that it is focused on risk management. It is presented in three parts:
- Core Functions (Identify, Protect, Detect, Respond, Recover)
- Implementation Tiers (risk management processes and practices)
- Profiles (specific to a business or industry – goals and desired outcomes)
The following steps are used when adopting NIST’s CSF to increase the security of an organization, in this order:
- Map and assess the currently implemented security controls.
- Identify the cybersecurity policies and standards that apply.
- Understand the company’s business model and communicate the new requirements.
- Create a new cybersecurity program.
NIST Special Publications 800-53 and 800-171
NIST Special Publications 800-53 and 800-171 have been around for some time and have been improving over the years through further revisions. These are two different standardization documents, but they are closely interlinked, as most of the controls in SP 800-171 are derived from SP 800-53.
Initially, SP 800-53 was designed for government agencies to protect their critical data and infrastructure, with the aim of making their networks resistant to intrusion. With SP 800-171, the Department of Defense (DoD) then made it mandatory for all cybersecurity vendors and contractors to implement this standard in order to bid on new opportunities.
NIST SP 800-171 can be adopted by both large and small organizations, as it is budget-friendly. That said, larger organizations might not benefit from this standard as much as smaller firms, since the larger ones already have the infrastructure in place to implement information and cybersecurity. NIST SP 800-171 also has the broadest coverage, including all the security protocols and periodic testing present in the other frameworks.
You can choose from the different frameworks and standards to implement in your organization, or set one up from scratch. Whether you adopt a single framework or combine a few into a stronger one to increase your security is your choice, and it depends upon the type of business you are running.
There are several common elements between the information security frameworks defined in the ISO/IEC 27000 family of standards, the COBIT framework, and the NIST Cybersecurity Control Framework. Each of them addresses the risks that must be managed by businesses that depend upon digital forms of information, information systems, and information infrastructure. Each framework presents structured lists of IT governance and IT management activities that must be adopted and implemented to manage risk and protect digital assets effectively.