# Cyber Security Frameworks

## ISO 27001 - 27002 Framework (International)

ISO 27002 framework comprises international standards that detail the controls that an organization should use to manage information systems' security. The ISO 27002 is designed for use alongside ISO 27001,

## NIST Cybersecurity Framework

The NIST Cybersecurity Framework was developed to respond to the presidential Executive Order 13636. The functions are identify, protect, detect, respond, and recover.

### NIST SP 800-12

The framework provides an overview of control and computer security within an organization. Also, NIST SP 800-12 focuses on the different security controls an organization can implement to strengthen cybersecurity defense. Although most of the control and security requirements were designed for federal and governmental agencies, they are highly applicable to private organizations seeking to enhance their cybersecurity programs. NIST SP 800-12 enables companies to maintain policies and programs for securing sensitive IT infrastructure and data.

### NIST SP 800-14

### NIST SP 800-26

### NIST 800-53 Cybersecurity Framework

The National Institute of Standards and Technology created the NIST 800-53 publication for enabling federal agencies to realize effective cybersecurity practices. NIST 800-53 is unique as it contains more than 900 security requirements, making it among the most complicated frameworks for organizations to implement. NIST 800-53 is a useful framework for organizations maintaining federal information systems, companies with systems that interact with federal information systems, or institutions seeking FISMA compliance.

## IASME Governance

IASME governance refers to cybersecurity standards designed to enable small and medium-sized enterprises to realize adequate information assurance. The IASME governance outlines a criterion by which a business can be certified as having implemented the relevant cybersecurity measures.
## SOC 2

The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 framework. The framework provides SaaS companies with guidelines and requirements for mitigating data breach risks and strengthening their cybersecurity postures. SOC 2 contains 61 compliance requirements, which makes it among the most challenging frameworks to implement.

## FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is a framework designed for government agencies. The framework provides standardized guidelines that enable federal agencies to evaluate cyber threats and risks to the different infrastructure platforms, cloud-based services, and software solutions.

## HIPAA

HIPAA (Health Insurance Portability and Accountability Act) contains various guidelines for enabling organizations to implement sufficient controls for securing employee or customer health information.

## GDPR

GDPR (General Data Protection Regulation) is one of the latest frameworks enacted to secure personally identifiable information belonging to European citizens.

## FISMA

FISMA (Federal Information Systems Management Act) is a cybersecurity framework designed for federal agencies. The compliance standard outlines a set of security requirements that government agencies can use to enhance their cybersecurity posture:

- Categorize information into security levels
- Identify minimum security controls for protecting information
- Refine the controls by using risk assessments
- Document the controls and develop a security plan
- Implement the required controls
- Evaluate the effectiveness of the implemented controls
- Determine security risks to federal systems or data
- Authorize the use of secure information systems
- Continuously monitor the implemented controls

## Center for Information Security (CIS) v7

CIS v7 lists 20 actionable cybersecurity requirements meant for enhancing the security standards of all organizations.
The framework categorizes the information security controls into three implementation groups:

- Implementation group 1 is for businesses that have limited cybersecurity expertise and resources.
- Implementation group 2 is for organizations with moderate technical experience and resources for implementing the sub-controls.
- Implementation group 3 targets companies with vast cybersecurity expertise and resources.

## COBIT

COBIT (Control Objectives for Information and Related Technologies) is a cybersecurity framework that integrates a business's best aspects with its IT security, governance, and management. ISACA (Information Systems Audit and Control Association) developed and maintains the framework. The COBIT cybersecurity framework is useful for companies aiming to improve production quality while, at the same time, adhering to enhanced security practices.

## COSO (Committee of Sponsoring Organizations)

COSO (Committee of Sponsoring Organizations) is a framework that allows organizations to identify and manage cybersecurity risks. The core points behind the framework's development include monitoring, auditing, reporting, and controlling, among others. The framework consists of 17 requirements, which are grouped into five categories: control environment, risk assessments, control activities, information and communication, and monitoring and controlling.

## TC CYBER

The TC CYBER (Technical Committee on Cyber Security) framework was developed to improve telecommunication standards across countries located within the European zones. The framework recommends a set of requirements for improving privacy awareness for individuals and organizations.

## HITRUST CSF

The HITRUST (Health Information Trust Alliance) cybersecurity framework addresses the various measures for enhancing security. The framework was developed to cater to the security issues organizations within the health industry face when managing IT security.
## CISQ (Consortium for IT Software Quality)

CISQ (Consortium for IT Software Quality) provides security standards that developers should maintain when developing software applications. The vulnerabilities and exploits identified by the Open Web Application Security Project (OWASP), the SANS Institute, and CWE (Common Weakness Enumeration) form the basis upon which the CISQ standards are developed and maintained.

## Ten Steps to Cybersecurity (UK Gov)

The Ten Steps to Cybersecurity is an initiative by the UK's Department for Business. It provides business executives with a cybersecurity overview. The framework recognizes the importance of providing executives with knowledge of the cybersecurity issues that impact business development or growth and of the various measures to mitigate such problems.

## NY DFS

NY DFS (New York Department of Financial Services) is a cybersecurity framework covering all institutions operating under DFS registrations, charters, or licenses. The framework consists of several cybersecurity requirements that can enhance the security postures of financial organizations and of the third parties they interact with for different business purposes.

## NERC CIP

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a cybersecurity framework that contains standards for protecting critical infrastructure and assets. In total, the framework has nine standards comprising 45 requirements. For example, the sabotage reporting standard requires an electric organization to report unusual occurrences and security disturbances to the relevant bodies.

## Australia