Frameworks to Consider for Cybersecurity
IT GRC/Cybersecurity | 3 Min Read | 09 September 21 | by Dr. Michael C. Redmond, PhD
What are the Top 3 Takeaways after I’ve Finished this Article?
- What are the controls that should be implemented to have a robust Information/Cybersecurity program?
- How should organizations prioritize Information/Cybersecurity risk?
- Which standards can be used as guidance in building an even better Information/Cybersecurity program?
What is the Difference, if Any?
Information Security covers the protection of classified information in all of its forms, including, but not limited to, paper documents, photos, media, spoken information, and electronic data. Cybersecurity is the component of Information Security concerned with protecting critical systems, such as networks and computer systems, in order to ultimately protect electronic data from attack. When it comes to creating a robust Information/Cybersecurity program, the standards treat Information Security and Cybersecurity as one cohesive topic.
Because of the increase in ransomware and breaches, some organizations have put most of their resources into Information/Cybersecurity and hardening the technology. In doing so they forget the importance of also managing the data itself through governance and risk assessments, unless a regulation or standard they must comply with requires it.
External Information/Cybersecurity threats are a key concern, and mitigating those risks is critical. Protecting data from internal sources that wish to affect its confidentiality, integrity, and/or availability is equally important.
In order to manage these risks, policies should be created and approved by top management as part of Governance. An Information Security risk assessment should be conducted to assess the potential consequences if vulnerabilities were to be exploited, and Information Security risk owners should be identified as part of that process.
Information Security risk treatment should then be based on the findings of the risk assessment.
Awareness training is essential in order to reduce the chance of employees unintentionally harming the Information Security of the organization.
Guidelines to Consider
There are many guidelines, and different industries have their own requirements, but ISO (International Organization for Standardization) standards and NIST (National Institute of Standards and Technology) publications span most industries, either as the primary guidance organizations choose to implement or as a supplement to it. The best approach is to combine elements of the different standards into your existing framework rather than choosing just one standard to follow.
The ISO/IEC 27000 family of standards pertains to protecting all Information Security assets, and these standards include guidance for Cybersecurity as well.
According to ISO.org, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
According to ISO.org, ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).
According to ISO.org, ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.
According to ISO.org, ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security, network security, internet security, and critical information.
In addition to the standards described above, the ISO 27000 family includes many others, among them:
- ISO/IEC 27004:2016, which covers monitoring, measurement, and metrics for the information security management system.
- ISO/IEC 27005:2008, which covers Information Security risk management.
The NIST Cybersecurity Framework consists of standards, guidelines, and best practices for managing cybersecurity risk. It integrates industry standards and best practices to help organizations manage their cybersecurity risks.
NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
Per NIST, this publication provides security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
It is critical to make Information/Cybersecurity part of your culture so that all employees are consistently aware and can help protect the organization's Information Security assets. Organizations can implement both ISO and NIST controls when refining their program, as well as those found in industry regulations, standards, and guidelines.