Continued (series 2) …

On the technical side, there are many frameworks for cybersecurity program maturity. They are all good, but leaders often wonder which one to follow. At the end of the day, it is the organization's choice, and it depends on the industry type. In a mature program, the tools, the processes and the people all work together and successfully mitigate organizational risks. You can adopt one of the common frameworks outright, or choose one as the maturity baseline and add a few elements from the other two models as appropriate. Here are the top 3 well-known frameworks:

  1. NIST
  2. ISO 27000
  3. CIS 20


There are also 3 secondary frameworks that may be important depending on the industry type:

  1. HIPAA
  2. PCI DSS
  3. GDPR


High-level details for each framework:
  • NIST (National Institute of Standards and Technology): It follows five key phases:
    1. Identify
    2. Protect
    3. Detect
    4. Respond
    5. Recover
  • ISO 27000 (International standard created by ISO): It is more common in European nations and focuses on the following key areas:
    1. Security risk assessment
    2. Security policy
    3. Asset management
    4. Human resources security
    5. Communication and operations management
    6. Access control
    7. Information systems acquisition, development, and maintenance
    8. Information security incident management
    9. Business continuity management
  • CIS (Center for Internet Security): It has about 20 controls grouped into 3 basic categories:
    1. Basic Controls (like inventory, vulnerability, access etc.)
    2. Foundational Controls (like malware, data etc.)
    3. Organizational Controls (like training, incident response etc.)


Here are the 3 secondary frameworks that may be important depending on the industry type:
  • HIPAA (Health Insurance Portability and Accountability Act): Specific to the healthcare industry. Its three key components are:
    1. Administrative requirements
    2. Physical security requirements
    3. Technical security requirements
  • PCI DSS (Payment Card Industry Data Security Standard): It focuses on consumer payment information; there are 12 requirements for companies that process or transmit cardholder information.
  • GDPR (General Data Protection Regulation): It is a requirement for organizations in the European Union (EU) and is becoming common practice for US organizations that do business with EU companies. There are 7 requirements:
    1. Lawfulness, fairness, and transparency
    2. Purpose limitation
    3. Data minimization
    4. Accuracy
    5. Storage limitation
    6. Integrity and confidentiality (security)
    7. Accountability


In conclusion, there are many frameworks to choose from, and some are mandatory depending on the industry. Many small and medium organizations often struggle to allocate appropriate staffing and budget. Don't be discouraged by these limitations; start working with any of these models and keep educating your senior leaders. A cybersecurity program is not optional; it is a necessary part of the cost of doing business.
