A Beginner’s Guide to Cybersecurity Frameworks

05 October 2020

As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under their control. But safeguarding your company’s information can be a daunting task.

So, where do you start? You can start by implementing a cybersecurity framework.

In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security. 

But first, let’s define what a cybersecurity framework is.

What is a cybersecurity framework?

A cybersecurity framework is a series of documents containing cybersecurity guidance, requirements, and “controls.” By following the framework, a business can improve its cybersecurity status — and, ultimately, better protect its data and systems from internal and external threats.

What are the benefits of implementing a cybersecurity framework?

Running a business is a time-consuming and complicated task, and many business leaders — especially those without any background in cybersecurity — worry that implementing a cybersecurity framework will create extra work.

And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long-term. Here’s how:

  • It will strengthen your network protection, reducing your risk of a cybersecurity attack.
  • It will help ensure better data security practices among staff, reducing the risk of accidental data loss, such as via misdirected email.
  • It increases awareness of cybersecurity among staff, leading to a reduced risk from social engineering attacks.
  • It improves your reputation among consumers and business partners.

Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as: 

  • The EU General Data Protection Regulation (GDPR)
  • The California Consumer Privacy Act (CCPA)
  • The South Africa Protection of Personal Information Act (POPIA)

Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this.

Looking for more information about regional and industry-specific data protection laws? Visit our compliance content hub.

What sorts of organizations should implement a cybersecurity framework?

Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework.

However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost. 

One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework — such as the CIS Controls or the NIST Cybersecurity Framework — and prioritizing the implementation of controls according to its business needs and operating context.

Now, let’s look at four of the best-known cybersecurity frameworks.

Introduction to CIS Controls

The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks. 

Here are the 20 CIS Controls:

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  6. Maintenance, Monitoring, and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols, and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

Note: The 20 controls are divided into sub-controls. You can prioritize the implementation of these sub-controls in a way that works for your business. A small business with a modest cybersecurity budget could implement all of the controls to some extent, but it would be unable to implement all sub-controls. More mature organizations — where cybersecurity should be a top priority — should aim to implement all sub-controls.

CIS Control 13: Data Protection 

To give you an idea of what the CIS controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks.

At its core, Control 13 requires organizations to:

  • Use a combination of encryption, integrity protection, and data loss prevention (DLP) methods to ensure the security of data
  • Limit and report on data exfiltration attempts
  • Mitigate the effects of data compromise

Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as:

  • 13.1: Maintain an Inventory of Sensitive Information
  • 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
  • 13.6: Encrypt Mobile Device Data

If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as:

  • 13.3: Monitor and Block Unauthorized Network Traffic
  • 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers
  • 13.5: Monitor and Detect Any Unauthorized Use of Encryption
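To make sub-controls 13.3 and 13.4 concrete, here is an added example, written for this article rather than taken from the CIS material or from Tessian’s product, that runs an allowlist check and an upload-volume check over a few constructed proxy-log lines. The log format, the approved-provider list, the hostnames and the 10 MiB threshold are all assumptions for illustration; in practice the allowlist would hold the storage and email providers the business has sanctioned, and the check would run over traffic already categorized as cloud storage or webmail.

```python
"""Detection logic for CIS sub-controls 13.3 and 13.4 over constructed proxy logs."""
import re
from collections import defaultdict

# Constructed sample in a simplified forward-proxy format (not a real vendor format).
# Fields: timestamp, client IP, HTTP method, destination host, bytes sent by client.
PROXY_LOG = """\
2020-10-05T09:01:12Z 10.0.0.21 POST files.example-approved.com 5242880
2020-10-05T09:02:40Z 10.0.0.21 GET  www.example-approved.com 812
2020-10-05T09:05:03Z 10.0.0.34 PUT  drop.unapproved-share.net 73400320
2020-10-05T09:07:59Z 10.0.0.34 POST mail.personal-webmail.example 1048576
2020-10-05T09:08:10Z 10.0.0.52 GET  cdn.example-approved.com 4096
"""

# Hypothetical allowlist of sanctioned providers (sub-control 13.4).
# Subdomain matching means files.example-approved.com is covered by example-approved.com.
APPROVED_PROVIDERS = {"example-approved.com"}

# Hypothetical per-client upload volume above which 13.3 reporting fires; tune per environment.
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def is_approved(host, approved=APPROVED_PROVIDERS):
    """True if host equals, or is a subdomain of, an approved provider."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in approved)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, nbytes = m.groups()
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": host, "bytes": int(nbytes)}


def find_violations(log_text, approved=APPROVED_PROVIDERS,
                    threshold=UPLOAD_BYTES_THRESHOLD):
    """Return findings as (rule, client, host, bytes) tuples.

    13.4: any request to a destination outside the approved-provider allowlist.
    13.3: any client whose total upload volume (POST/PUT bytes) reaches the threshold.
    """
    findings = []
    uploads_per_client = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed lines are skipped, not treated as clean
        if not is_approved(rec["host"], approved):
            findings.append(("13.4-unapproved-destination", rec["client"],
                             rec["host"], rec["bytes"]))
        if rec["method"] in {"POST", "PUT"}:
            uploads_per_client[rec["client"]] += rec["bytes"]
    for client, total in uploads_per_client.items():
        if total >= threshold:
            findings.append(("13.3-upload-volume", client, "*", total))
    return findings


if __name__ == "__main__":
    for finding in find_violations(PROXY_LOG):
        print(finding)
```

On the sample above, two requests from 10.0.0.34 go to hosts outside the allowlist, and that client’s combined upload volume also crosses the threshold, so the same client surfaces under both rules; that overlap is the point, since a blocked destination and an unusual upload volume together are a stronger exfiltration signal than either alone.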

By implementing the CIS controls and sub-controls on a priority basis, businesses can implement a reasonably effective cybersecurity program. 

Looking for a straightforward way to implement multiple sub-controls across several CIS controls? Implement email security software. Email is the entry point for 96% of phishing attacks.

Introduction to the NIST Cybersecurity Framework

The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations.

Currently at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary — and it can be customized according to a company’s sector, resources, and risk profile.

The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!)

The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below. 

  1. Identify: The “Identify” function provides the essential, foundational activities and outcomes necessary to use the framework. Outcome categories associated with this function include:
    • ID.AM: Asset Management
    • ID.BE: Business Environment
    • ID.RA: Risk Assessment
  2. Protect: The “Protect” function activities help mitigate the impact of a potential cyberattack or data breach. Protect outcome categories include:
    • PR.AC: Identity Management and Access Control
    • PR.AT: Awareness and Training
    • PR.DS: Data Security
  3. Detect: The “Detect” function enables businesses to quickly detect that a cybersecurity event has occurred. Detect outcome categories include:
    • DE.AE: Anomalies and Events 
    • DE.CM: Security Continuous Monitoring
    • DE.DP: Detection Processes
  4. Respond: Implementing the “Respond” function will ensure your business takes appropriate action during a cybersecurity event. Outcome categories in this function include:
    • RS.RP: Response Planning 
    • RS.CO: Communications 
    • RS.AN: Analysis
  5. Recover: The “Recover” function allows an organization to return to normal functioning after a cyberattack. Recover function outcome categories include:
    • RC.RP: Recovery Planning 
    • RC.IM: Improvements
    • RC.CO: Communications

Each function’s categories are, in turn, divided into subcategories. For example:

  • ID.AM (function: Identify, category: Asset Management):
    • ID.AM-1: Physical devices and systems within the organization are inventoried
    • ID.AM-2: Software platforms and applications within the organization are inventoried
    • ID.AM-3: Organizational communication and data flows are mapped

The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes. 

For example, ID.AM-1 (Identify: Asset Management) includes the following references:

  • CIS Control
  • ISO 27001:2013 Annexes A.8.1.1 and A.8.1.2
  • NIST Special Publication (SP) 800-53 (revision 4) CM-8 and PM-5

Introduction to ISO 27000 Series

The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include:

  • ISO 27000: Information Security Management Systems — Overview and Vocabulary
  • ISO 27003: Information Security Management System Implementation Guidance
  • ISO 27018: Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors
  • ISO 27019: Information Security for Process Control in the Energy Industry
  • ISO 27032: Guideline for cybersecurity
  • ISO 27033: IT network security

Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world. 

While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial.

ISO 27001

To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.”

ISO 27001 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 27001 is not available for free.

The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements.

An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages:

  • Creating a risk assessment methodology that accounts for:
    • Your operating context
    • Risk criteria
    • Risk tolerance
  • Identifying information assets, such as:
    • Digital documents
    • Paper files
    • Storage devices
    • Mobile devices
  • Identifying threats:

ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification.

Tessian is ISO 27001 certified. You can read more about our integrations, compatibility, and partnerships here.

Introduction to PCI DSS

The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers).

Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law.

The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements:

  • Level 1: Any merchant that: 
    • Processes more than 6 million Visa transactions per year, or
    • Is determined by Visa as needing to meet level 1 requirements
  • Level 2: Any merchant that processes 1-6 million Visa transactions per year
  • Level 3: Merchants that process 20,000-1 million eCommerce Visa transactions per year
  • Level 4: Any merchant that:
    • Processes fewer than 20,000 Visa transactions per year, or
    • Processes fewer than 1 million non-eCommerce Visa transactions per year

As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online. 

If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows.

The PCI DSS consists of 12 requirements, which can be summarized as:

  1. Use a firewall
  2. Change default passwords and other security parameters
  3. Protect cardholder data in storage
  4. Encrypt cardholder data in transit
  5. Implement and update antivirus software 
  6. Ensure systems and applications are secure
  7. Restrict access to cardholder data
  8. Assign unique user IDs 
  9. Maintain physical safeguards over cardholder data
  10. Monitor access to cardholder data and network resources 
  11. Test security systems 
  12. Maintain an information security policy

In fewer words: merchants must protect cardholder data from internal and external threats.

How can Tessian help with cybersecurity framework implementation?

As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as:

Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog. 

You can also learn why rule-based DLP solutions are failing and why the world’s top organizations (in some of the most regulated industries) trust Tessian.