Ready to review the latest cyber-security frameworks?
With businesses managing ever-larger volumes of data, robust cybersecurity has never been more fundamental to IT systems.
According to Cybersecurity Ventures, "Worldwide cybercrime costs will hit six trillion annually by 2021."
And the growing work from home trend isn't making things easier.
- Disaster Recovery Journal
The goal of this updated article from July 2020 (with new citations) is to help you select the proper cybersecurity framework, one which matches your business needs, risk tolerance, and industry-specific compliance requirements.
We'll also be sharing some frameworks that don't apply directly to you. However, it's essential to understand what's going on with IT systems that could affect you. (Because everyone is interconnected.)
A breach in one organization can easily ignite a wildfire across millions of others.
The Center for Internet Security (CIS) publishes the CIS Controls. Version 7 lists twenty prioritized, actionable security controls that any organization can use as the baseline for its cybersecurity program. The controls are grouped into Basic (1-6), Foundational (7-16), and Organizational (17-20) tiers and are written as plain, easy-to-understand recommendations.
The CIS Controls are a good first framework when you are building a cybersecurity program from scratch. They are maintained and revised by a global community of cybersecurity practitioners.
State and local governments, public facilities, universities, and federal agencies use these controls as the basis of their technical security programs.
Learn More: CIS v7 Overview
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly published ISO/IEC 27001, the international standard for building and operating an information security management system (ISMS).
Widely treated as industry best practice, this framework can be adopted by organizations of any size or sector. Many companies pursue ISO 27001 certification and then layer other security frameworks on top of that baseline.
ISO 27001 compliance is a good place to start when you are looking to revamp your company's cybersecurity.
Organizations that handle financial information, intellectual property, employee records, or third-party data follow ISO 27001 to demonstrate that the data is protected by a managed, auditable set of controls.
Learn More: ISO 27001 Guidelines
The US Securities and Exchange Commission (SEC) publishes guidance on specific security measures and recommendations for SEC-registered firms, including its investigative report on cybersecurity.
The SEC has sharpened its focus on cybersecurity in recent years and established its first Cyber Unit within the Division of Enforcement in 2017. If your organization plans to register with the SEC, start by aligning with the SEC's cybersecurity guidance.
Learn More: SEC Cybersecurity
Created by the AICPA (American Institute of Certified Public Accountants) and designed specifically for service organizations, SOC 2 applies to companies that store or process customer data on behalf of others, including in the cloud.
A SOC 2 report evaluates an organization's policies and procedures against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the only mandatory criterion; the others are included according to the services the organization provides.
SOC 2 compliance is an excellent fit for the following scenarios:
- A Software as a Service (SaaS) organization that stores customer data in the cloud
- A cloud-computing provider
- An organization you partner with that owns infrastructure hosting other companies' customer data
Learn More: SOC 2
While CIS v7 is a great starting point, the GDPR is considerably more involved. One of the most recent and comprehensive data-protection regulations, the General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in 2016 and has applied since 25 May 2018 to protect the personal data and privacy of individuals in the EU.
GDPR applies to organizations anywhere in the world, including the US, that process personal data of individuals in the EU.
It contains 99 articles in eleven chapters covering privacy and security requirements. Non-compliance can draw fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
Learn More: The Biggest GDPR Fines
In practice, the GDPR applies to data controllers and processors established in the EU, and to those established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
HIPAA, the Health Insurance Portability and Accountability Act, was signed into law in the US in 1996. Its Privacy and Security Rules govern how Protected Health Information (PHI) may be used, disclosed, and safeguarded by healthcare organizations and their business associates.
The Security Rule's requirements fall into five groups: administrative, physical, and technical safeguards, plus organizational requirements and policies, procedures, and documentation requirements.
To remain HIPAA compliant, doctors, dentists, health insurers, and their business associates must protect PHI throughout its lifecycle, from access control and monitoring through to secure disposal.
Learn More: Ten Biggest Healthcare Breaches of 2020
Issued by the New York Department of Financial Services (NYDFS), the cybersecurity regulation 23 NYCRR Part 500 (commonly called NYDFS 500, in effect since March 2017) responds to the surge of security breaches in the financial services industry.
Learn More: The Largest Financial Services Breaches
The regulation is mandatory for entities licensed or regulated by DFS, including state-chartered banks, private bankers, mortgage and insurance companies, and foreign banks licensed to do business in New York. These covered entities must implement its requirements, including a risk-based cybersecurity program, a written cybersecurity policy, a designated CISO, and an annual certification of compliance.
The Payment Card Industry Security Standards Council (PCI SSC) maintains the PCI Data Security Standard (PCI DSS) to protect cardholder data and reduce payment card fraud.
The standard sets out twelve high-level requirements, each with detailed sub-requirements. It applies to any organization that stores, processes, or transmits cardholder data.
If you are a merchant or service provider, you must comply with PCI DSS and validate that compliance on a schedule set by your level: typically an annual self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, plus quarterly external vulnerability scans by an Approved Scanning Vendor.
Learn More: Five Biggest PCI Breaches
NIST CSF 1.1
The National Institute of Standards and Technology (NIST) has developed many cybersecurity frameworks serving the diverse needs of federal agencies and industry.
The NIST Cybersecurity Framework (CSF) was first published in 2014 under Executive Order 13636, and NIST's role in maintaining it was codified by the Cybersecurity Enhancement Act (CEA) of 2014. Version 1.1, released in April 2018, expanded the guidance on supply chain risk management and identity and access management.
CSF is an established framework of best practices. Federal agencies have been required to use it since Executive Order 13800 (2017), and it is widely referenced in contracts and sector regulations.
It is also a practical framework for businesses, and Microsoft publishes guidance mapping Microsoft 365 controls to the CSF.
Learn More: NIST + Microsoft 365
NIST Special Publication 800-53 catalogs the security and privacy controls for federal information systems and is the basis for meeting Federal Information Security Management Act (FISMA) requirements.
With over 900 controls and control enhancements, it is the largest and most demanding cybersecurity framework on this list.
NIST SP 800-53 is used by federal agencies, by organizations that operate or maintain federal information systems, and by anyone seeking FISMA compliance.
Learn More: New Government Targeted Threats
NIST SP 800-171 applies to nonfederal organizations, notably DoD contractors, that store, process, or transmit Controlled Unclassified Information (CUI).
Its 110 security requirements are what DFARS clause 252.204-7012 (part of the Defense Federal Acquisition Regulation Supplement) obliges DoD contractors to implement.
It's hard to imagine an organization operating today without following at least a basic cybersecurity framework. If you're taking a wait-and-see approach, be warned: the pressure is mounting, and waiting is a high-risk position.
More and more states are requiring the adoption of cybersecurity frameworks, and each new law paves the way for other states to follow. (Legislation is funny that way.)
Learn More: Cybersecurity Legislation & Safe Harbor Trends
If you enjoyed this article, you may also like some of the related content in our free eBook.