The Cybersecurity Frameworks to Know
With such a wide range of complex and evolving cybersecurity threats, many organizations turn to established cybersecurity frameworks to provide a methodical approach for mitigating risk and securing digital assets.
Often developed and maintained by a combination of academic institutions, regulatory bodies, and industry experts, cybersecurity frameworks attempt to provide consistent language, tools, and structured ways to organize security policies, processes, and controls. Some cybersecurity frameworks even focus on specific industries, while others are meant to be flexible enough to help any organization identify, assess, and control its risk.
Some of the most commonly used cybersecurity frameworks are:
NIST Special Publication 800-53
The National Institute of Standards and Technology’s (NIST) SP 800-53 provides the cybersecurity standards that all federal agencies must comply with. This cybersecurity framework organizes risk into tiers based on impact and provides 18 “security control families” that organizations use to mitigate their threats. The NIST SP 800-53 framework can also serve as a foundation for building a larger, ever-evolving cybersecurity program.
The NIST Cybersecurity Framework (CSF)
The NIST Framework for Improving Critical Infrastructure Cybersecurity is aimed at helping to protect critical infrastructure, but its elements can be used by any organization. The CSF’s structured methodology helps organizations create their own threat identification, protection, response, and recovery processes and define their own approach to asset-based risk mitigation.
The International Organization for Standardization (ISO) 27001/27002 standard for cybersecurity requires organizations to have a comprehensive security program in place in order to meet compliance. The ISO standard outlines specific processes, controls, and policies that need to be in place, including reviews of threats and vulnerabilities and the mitigations needed to control them.
Federal Information Security Modernization Act (FISMA)
The Federal Information Security Modernization Act (FISMA) cybersecurity framework, managed by the Cybersecurity & Infrastructure Security Agency (CISA), is designed to protect federal government information systems and data against cyberthreats by implementing a strict review of digital assets, applications, systems, and data sources. FISMA standards also apply to the service vendors that work alongside and on behalf of federal agencies. FISMA provides tools that help organizations categorize assets based on risk and conduct cybersecurity risk assessments, complete security reviews, and monitor their IT infrastructure.
Control Objectives for Information and Related Technologies
Created by the Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technologies (COBIT) framework provides organizations with an IT management approach that helps organizations design, implement, and maintain information management and governance strategies. COBIT is defined by its balance between operational and technical language, requirements, and perspectives regardless of industry.
The International Society of Automation (ISA) ANSI/ISA 62443
The ANSI/ISA 62443 framework is designed to help to secure and protect industrial automation and control system technologies. The ANSI/ISA 62443 framework presents a “secure development lifecycle” that organizations can use to review, secure, and manage the security of the critical systems that often control utility, industrial, and transportation controls.