Most Common Cybersecurity Frameworks

Manish Samota
4 min read · Jul 4, 2023


What is an IT security framework?

A cybersecurity framework is a collection of best practices that gives organizations and industries a common language and a shared set of standards for understanding their security posture. With a framework in place, it becomes much easier to define the processes and procedures an organization must follow to assess, monitor, and mitigate security risks.

Popular Cybersecurity Frameworks

1. NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a set of guidelines for managing organizational cybersecurity risk, published by the US National Institute of Standards and Technology (NIST) and built on existing standards, guidelines, and practices. It was originally published as the Framework for Improving Critical Infrastructure Cybersecurity and focuses on protecting critical infrastructure such as power plants, banks, and dams from cyberattacks, but any organization that wants to improve its cybersecurity can apply the CSF principles.

Its core consists of five functions: Identify, Protect, Detect, Respond, and Recover. Together they give an organized way to identify risks and the assets that need protection, and they lay out how a company can protect those assets, detect threats effectively, respond to incidents, and recover affected assets when a security incident does occur.

2. ISO/IEC 27001 and ISO 27002

Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 and ISO/IEC 27002 are the international standards for establishing and validating an organization’s information security posture, both through internal review and with the help of third parties. ISO/IEC 27001 specifies the requirements an organization must meet and is the standard against which certification is granted; ISO/IEC 27002 is the companion code of practice that describes the individual security controls in detail. A vendor that is ISO 27001-certified has demonstrated to an accredited auditor that it has mature security practices and controls in place.

The central requirement of ISO 27001 is that the company establish and maintain an Information Security Management System (ISMS). Within the ISMS, management must first identify the threats and vulnerabilities that affect the organization’s information and assess the resulting risks. The company must then select, design, and implement a coherent, comprehensive set of security controls to treat the identified risks effectively.

The standard also requires organizations adopting ISO 27001/2 to run an ongoing risk management process, repeating risk assessments at planned intervals and continually improving the ISMS rather than treating certification as a one-time exercise.

3. COBIT

The COBIT framework was developed in the mid-1990s by ISACA, an independent association of IT governance, audit, and security professionals. ISACA also offers well-known certifications such as the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

COBIT is an IT governance and management framework whose original focus was on IT control and risk reduction. COBIT 5, released in 2012, incorporated newer technology and industry trends to help organizations align their IT and business goals. The current version is COBIT 2019. COBIT is one of the most widely used frameworks for establishing the IT controls needed for Sarbanes-Oxley (SOX) compliance.

4. PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It was created by the major card brands, through the PCI Security Standards Council, to ensure that businesses which process card payments do so securely, and to reduce card fraud and breaches of cardholder data.

It achieves this by enforcing tight controls on the storage, transmission, and processing of the cardholder data that businesses handle. The whole standard is oriented around protecting sensitive cardholder data, such as the primary account number (PAN).

The standard has 12 principal requirements, grouped under these six goals:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

5. SOC2

SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA). SOC stands for System and Organization Controls (formerly Service Organization Control); SOC 2 is the report type that evaluates a service organization’s controls against the AICPA Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It is a trust-based framework and auditing standard that clients use to verify that vendors and partners are managing their data securely.

SOC 2 audits assess controls against dozens of individual criteria and involve an extensive examination of the vendor’s systems and controls by an independent CPA firm. A Type 1 report evaluates whether controls are suitably designed at a single point in time; a Type 2 report evaluates whether they operated effectively over a review period, typically six to twelve months. In either case the auditor issues a report attesting to the vendor’s control environment, which the vendor can share with customers.

SOC 2 is also one of the hardest frameworks to implement, especially for organizations in the finance sector.

6. HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, a US law for the healthcare sector. Its Security Rule sets out the administrative, physical, and technical safeguards that covered entities and their business associates must implement to protect the privacy and security of patients’ electronic protected health information (ePHI).

It addresses cybersecurity risk broadly, including user authentication, workforce training, and password management, and it emphasizes the importance of conducting regular risk assessments to identify and manage the threats to protected health information.

7. GDPR

GDPR stands for the General Data Protection Regulation, the European Union (EU) law that governs the protection of personal data and the privacy of individuals in the EU.

The GDPR applies to all organizations operating in the EU, and to any business anywhere that collects or stores the personal data of people in the EU, including businesses based in the Americas or elsewhere.

Like SOC 2, GDPR is comprehensive. It is a regulation rather than a security framework as such, but its 99 articles lay out an organization’s compliance responsibilities, including data subjects’ rights to access their data, data breach notification requirements, and the data protection policies and procedures an organization must maintain.

Moreover, a company that fails to comply with GDPR can face heavy fines: up to 4% of global annual turnover or €20 million, whichever is greater, and EU supervisory authorities have been strict in enforcing it.
