If you are here, reading this then I can assume you have questions. Maybe you have just started your search and stumbled across this article, but it’s also just as likely you have been searching for a while and are not finding answers to your questions. Either way, welcome! This is my reasonable attempt to first detail the types of security frameworks and later explain why you might select one over another. Let’s start off with a thought experiment, I want you to go and think about the first time you heard of a “security framework”. It might have been in a textbook, it might have been from a boss at work or a coworker during lunch. You hear, “security framework” and you think “Aha! A framework, this is something I can easily digest because it’s a “f-r-a-m-e-w-o-r-k". Then you start searching. You find references on the NIST site to rev4 vs rev5, you find the SP 800-53 document and its…WHOA(!)…500 pages long. Maybe this isn’t the best way to learn about these frameworks. So, what is the best way? Best is, of course, very subjective but I want to share with you a method of learning about these frameworks that helped me grasp the nuances of these frameworks. The 3 Cybersecurity Framework Types It helps to first sort security frameworks into similar categories, which will help you compare them to select the best fit for your organization. First, you need to realize there are three main categories of security frameworks. Control Frameworks Program Frameworks Risk Frameworks Alright, pause, hit the brakes…let’s talk about this. Why are there different categories? The simple answer is that every organization is different. Some are just starting down their security maturation journey and others have been working on it for decades. The control frameworks are usually the least difficult to adopt, followed by program frameworks. Risk frameworks require a significant investment in enumerating and classifying risks unique to your organization, and for this reason, are usually reserved for mature organizations (or those under intense scrutiny). 1. Control Frameworks What is a control? A control is nothing more than a specific piece of a security program. If we look at the CIS Controls, we can get specific examples of a control. In this screenshot, we see a "sub-control" (now called a Safeguard) that tells you to create a process that ensures secure configurations are used. Why is there a framework built around a set of controls? Because controls are easily understood, making them easier to adopt. Assemble several controls together, and bingo! You have a framework. I don’t want you leaving this section thinking the ease of adoption makes control frameworks any less effective than program or risk frameworks. That would be a mistake. Control frameworks, like the , and are effective. CIS Controls NIST 800-53 very Control Framework Resources: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final https://www.cisecurity.org/controls/cis-controls-list/ 2. Program Frameworks Program frameworks, while more difficult to adopt and implement than a control-based framework, do have a clear benefit. Not only do you get a tangible “program” that you can point to if someone asks, but you are able to clearly and simply articulate your current security state to your leadership. This is an area where we, in cybersecurity, often fall short. Visibility from the top down into the cybersecurity efforts is critical to ensure not only the success of the program but to also ensure proper relationship building and maintenance is occurring. “Hey, Chris, what the heck man? This is a blog post about security frameworks!” Yeah, yeah, I know…but never lose sight of the fact that we exist to enable the strategic objectives of your executive team (leadership). Do you want accolades and easy budget approval? Make it easy for your leadership to see how effective your security team & program is. Common program frameworks include the & . ISO 27001 is an internationally recognized standard, so if you’re reading this and have concerns that lie outside of the US, this is probably going to be your program framework of choice. ISO 27001 is also the program that gives you an ISMS, or information system management system. Emphasis on the system, because that’s what it is. NIST CSF ISO 27001 NIST CSF is best thought of as a life cycle of security management. Picture a loop, you start at “A”, progress to “B”, “C”, “D” and finally step “E”. It prescribes to you a plan to follow to ensure you are successful in your adoption of the NIST CSF. For this reason, it is very popular because it makes your life easier if you are new to security frameworks. Program Framework Resources: https://www.nist.gov/cyberframework https://www.iso.org/isoiec-27001-information-security.html 3. Risk Frameworks Building on the foundation that is often created by Control and Program frameworks, an organization will determine they require a risk-based security framework. But why? Why would an organization take on the significant burden of adopting a risk-based framework? Not just the burden of adoption, but the increased management costs associated with risk-based frameworks? Because they have a problem: Their controls and programs have identified dozens, hundreds or thousands of vulnerabilities, misconfigurations, gaps and so forth. They require a solution to this problem. The solution is a risk-based framework, that will help them prioritize the vulnerabilities identified in other programs. Frameworks like the and the provide the methods needed to create a process to manage your risk. Under NIST 800-39 there are other special publications (SP) that include 800-37, which is the risk management framework, and 800-30 which is the risk assessment process. ISO 27005 NIST 800-39 Both NIST 800-30 & NIST 800-37 are sub-components of NIST 800-39. There is an incredible amount of nuance that goes into understanding these frameworks, more than I can fit here in this article. I will have to save that for another day, but before we leave this topic, I must mention the use of the . FAIR model FAIR stands for Factor Analysis of Information Risk, it is an open and internationally recognized standard for measuring risk. The FAIR model is a method to cybersecurity risk, which is critical because neither the ISO 27005 nor the NIST SPs mentioned above define how to measure risk (quantitative or qualitative). QUANTIFY Risk Framework Resources: https://www.iso.org/standard/75281.html https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final https://csrc.nist.gov/publications/detail/sp/800-39/final https://www.fairinstitute.org/what-is-fair

Different

Who Should the CISO Report to?

5 Things to Consider Before Interviewing at Fortinet

See what I am up to on YouTube

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Too Long; Didn't Read

CTA: Download the FREE AI Productivity Shift report

Your Guide to Cybersecurity Frameworks

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

3 Outside-the-box Questions to Ask During a Cybersecurity Interview

10 Blockchain Entrepreneurs from CIS (Commonwealth of Independent States) to Follow

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Tips Everyone Should Follow

3 Outside-the-box Questions to Ask During a Cybersecurity Interview

10 Blockchain Entrepreneurs from CIS (Commonwealth of Independent States) to Follow

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

108 Stories To Learn About Cybersecurity Tips

10 Cybersecurity Tips Everyone Should Follow

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps