As rates of cybersecurity incidents rise and data security laws become stricter, organizations must take steps to protect the information under their control. But safeguarding your company’s information can be a daunting task.
So, where do you start? You can start by implementing a cybersecurity framework.
In this article, we’ll look at four of the most prevalent cybersecurity frameworks — to help you get started on your journey toward better information security.
But first, let’s define what a cybersecurity framework is.
A cybersecurity framework is a series of documents containing cybersecurity guidance, requirements, and “controls.” By following the framework, a business can improve its cybersecurity status — and, ultimately, better protect its data and systems from internal and external threats.
Running a business is a time-consuming and complicated task, and many business leaders – especially those without any background in cybersecurity – worry that implementing a cybersecurity framework will create extra work.
And, while it does take time and effort to follow a cybersecurity framework through to completion, it’s almost certainly going to save you time, stress — and money — in the long term. Here’s how:
Implementing a cybersecurity framework is also a fundamental way of meeting your legal obligations under data privacy laws, such as:
Under these laws — and many others worldwide — it is necessary for businesses to maintain a reasonable level of data security. Implementing a cybersecurity framework is an excellent way to achieve this.
Implementing a cybersecurity framework is mandatory in some industries. For example, organizations that handle cardholder data must comply with the PCI DSS framework.
However, a business of virtually any size — and in any industry — can adopt a cybersecurity framework at relatively low cost.
One way that a small business can achieve cybersecurity compliance is by choosing a flexible framework — such as the CIS Controls or NIST Cybersecurity Framework, and prioritizing the implementation of controls according to its business needs and operating context.
Now, let’s look at four of the best-known cybersecurity frameworks.
The Center for Internet Security (CIS) Controls framework can help you mitigate and defend against the most basic cyberattacks.
Here are the 20 CIS Controls:
To give you an idea of what the CIS Controls require, we’ll take a closer look at Control 13: Data Protection. CIS Control 13 provides some practical steps to help you protect data from exfiltration and cyberattacks.
At its core, Control 13 requires organizations to:
Control 13 contains nine sub-controls. Some of these are achievable for businesses of all sizes, such as:
If your organization has “moderate” or “significant” resources, it can implement further sub-controls, such as:
By implementing the CIS Controls and sub-controls on a priority basis, businesses can build a reasonably effective cybersecurity program.
The NIST Cybersecurity Framework (full title: Framework for Improving Critical Infrastructure Cybersecurity) is a comprehensive set of security controls and guidance for private sector organizations.
Currently at version 1.1, the framework aims to improve the general level of cybersecurity among US organizations. The framework is guidance — it’s entirely voluntary — and it can be customized according to a company’s sector, resources, and risk profile.
The framework’s “core” consists of cybersecurity activities and outcomes — written in accessible language that should be understandable to non-technical teams. (Phew!)
The core activities and outcomes are sorted into five functions, which are further divided into categories. We’ve listed them below.
Each function’s categories are, in turn, divided into subcategories. For example:
The subcategories all come with “informative references”, which are practical resources to help businesses achieve the outcomes.
For example, ID.AM-1 (Identify: Asset Management) includes the following references:
The ISO 27000 Series (sometimes called the ISO/IEC 27000 Series) is a family of information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27000 Series is extensive, covering information security requirements, guidelines, and sector-specific standards. Examples of some of the published standards in the ISO 27000 Series include:
Businesses of all sizes can implement one or more of the ISO 27000 Series standards. These are internationally recognized standards and are well-respected around the world.
While implementing ISO 27000 controls is not legally mandatory, there is an expectation of ISO-compliance in many industries and contexts. For example, for public cloud storage service providers that process personal information, achieving ISO 27018 compliance is crucial.
To give you a feel for ISO 27000 implementation, we’re going to take a closer look at one of the more popular standards in the series: ISO 27001, full name “Information technology — Security techniques — Information security management systems — Requirements.”
ISO 27001 aims to enable businesses to establish, implement, maintain, and continually improve an information security management system (ISMS). Unlike the CIS Controls or the NIST Cybersecurity Framework, ISO 27001 is not available for free.
The ISO 27001 standard consists of ten “clauses,” and an annex containing 114 controls, sorted into 14 sets. A business can prioritize its implementation of these controls according to its operational requirements.
An essential part of complying with ISO 27001 is risk assessment. An ISO 27001 risk assessment can be broken down into several stages:
ISO 27001 compliance is an ongoing process that requires the commitment of employees across your whole organization. Once a company has implemented sufficient controls, it can undergo an audit and obtain ISO 27001 certification.
The PCI DSS applies to all organizations that accept, transmit, or store information associated with payment cards (known as “merchants”). The PCI DSS sits alongside the PCI PTS (for manufacturers) and the PCI PA-DSS (for software developers).
Unlike the other frameworks we’ve looked at, the PCI DSS is mandatory for any business that qualifies as a merchant. The Payment Card Industry Council enforces PCI DSS compliance, and — in some jurisdictions — it is incorporated into law.
The framework’s requirements differ according to how many Visa transactions a merchant processes per year. There are four levels of PCI DSS requirements:
As you can see, eCommerce merchants have slightly stricter requirements due to the risks of transacting online.
If a merchant suffers a data breach, it might be required to move up a level to continue making card transactions. This is one of many reasons you should take a “security-first” approach and implement as many cybersecurity controls as your budget allows.
The PCI DSS consists of 12 requirements, which can be summarized as:
In fewer words: Merchants must protect cardholder data from internal and external threats.
As we’ve seen, all cybersecurity frameworks require businesses to protect the information in their control from threats such as:
Across three solutions, Tessian detects and prevents email-based cybersecurity threats. Why email? Read more about why email is the threat vector cybersecurity leaders are most concerned about on our blog.