What is a Cybersecurity Framework and why do you need it?
A cybersecurity framework is a structured set of security policies and procedures whose purpose is to strengthen an organization’s cybersecurity posture. It defines a standard security process that everyone in the organization can share, centred on specialized security personnel, and it also defines the security devices and controls that carry out that process. The core of cyber defence is to prevent an attacker from exploiting the vulnerabilities inherent in an organization’s assets by means of security controls; operating those security devices is one of the most representative activities in cyber defence.
However, attacks that exploit vulnerabilities known only to the attacker, known as zero-day attacks, cannot be defended against in advance. You also never know beforehand when or how an attacker will initiate an attack, so these attacks are not within the defender’s control. Despite this, it is important to prepare a threat-based security management process that reflects the business environment well and to establish step-by-step response procedures.
The basic structure of a Cybersecurity Framework
In May 2017, U.S. President Donald Trump announced the “Framework 1.1 for Improving Critical Infrastructure Cybersecurity” to strengthen the cybersecurity of federal networks and critical infrastructure. Cybersecurity Framework 1.1 is a risk-based approach to managing cybersecurity risk and consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.
The Framework Core is a set of cybersecurity activities common to the critical infrastructure sectors, together with their expected outcomes and applicable informative references. It divides the cybersecurity response process for critical infrastructure into five functions: Identify, Protect, Detect, Respond, and Recover.
The Framework Implementation Tiers provide a graduated view of cybersecurity risk management that an organization can apply according to its risk management practices, threat environment, legal and regulatory requirements, business objectives, mission priorities, and budget. The four tiers are partial application (Tier 1: Partial), use of risk information (Tier 2: Risk-Informed), use of risk information in a repeatable process (Tier 3: Risk-Informed and Repeatable), and adaptation (Tier 4: Adaptive).
The Framework Profile identifies the gap between the current state and the target state of the organization’s cybersecurity activities and suggests ways to close that gap with the least effort. Taking into account the organization’s requirements, risk tolerance, and financial resources, a target level and a current status are prepared for each process in the Framework Core; comparing the two produces a roadmap that reflects the priorities the organization should act on and establish.
Most popular Cybersecurity Frameworks
ISO 27001
Used by 35% of organizations, ISO 27001 is the international standard that describes best practices for implementing an ISMS (information security management system). To address the identified threats, the ISO 27001 standard recommends a range of controls. An organization should select the controls that mitigate its security risks so that it remains protected from attacks. In total, ISO 27001 specifies 114 controls, grouped into 14 categories.
NIST Framework for Improving Critical Infrastructure Cybersecurity
Used by 29% of organizations, the NIST (National Institute of Standards and Technology) Cybersecurity Framework is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.
CIS Critical Security Controls
Used by 32% of organizations, the CIS Critical Security Controls are a set of 20 actions designed to mitigate the majority of common cyberattacks. The framework groups the controls into three implementation groups. Implementation Group 1 is for businesses with limited cybersecurity expertise and resources. Implementation Group 2 is for organizations with moderate technical experience and resources for implementing the sub-controls, whereas Implementation Group 3 targets companies with extensive cybersecurity expertise and resources.
PCI DSS
Used by 47% of organizations, the PCI DSS (Payment Card Industry Data Security Standard) governs the way credit and debit card information is handled.
The standard applies to any organization, regardless of size or number of transactions, that accepts, stores, transmits, or processes cardholder data.