Cybersecurity Frameworks
Every organization that uses information technology should have a plan for maintaining security. Several bodies have published cybersecurity frameworks that organizations can use to check that their security plans are complete.
Learning Objectives
You should be able to:
- Describe the NIST Cybersecurity Framework
- Describe the CIS Controls
Cybersecurity Frameworks
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) provides cybersecurity guidance. NIST's Cybersecurity Framework describes five major categories of actions that organizations should carry out. The framework can be downloaded for free from nist.gov.

Below, the five categories are described.
- Identify: Organizations must identify their assets and the threats that those assets face. You cannot protect something if you do not know that you have it. You also cannot protect against threats that you have not considered.
- Protect: Implement practices and tools to protect against threats. Stopping an attack is more desirable than cleaning up a successful attack.
- Detect: Systems should be monitored. At some point, an attack will be successful. An organization must be able to recognize when an attack has been successful.
- Respond: Incidents must be contained. Evidence should be gathered. Stakeholders should be informed.
- Recover: Normal operations should be restored. Lessons learned should be documented, and steps should be taken to avoid repeating incidents.
The NIST Cybersecurity Framework is not a checklist. It helps organizations think about and craft their own cybersecurity policies and practices.
CIS Controls
The CIS Controls, produced by the Center for Internet Security (CIS), serve more as a checklist: a list of practices that organizations should follow. The controls in Version 8 are listed below. More details can be found at cisecurity.org.
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
Several other cybersecurity frameworks exist. All frameworks can add value to organizations if the organizations are thoughtful in their use. Organizations should avoid adopting frameworks without thinking critically about how those frameworks apply to their specific needs.
Compare
- Briefly review the NIST Cybersecurity Framework (e.g., focusing on the table of contents).
- Briefly review the CIS Controls.
- What elements are similar?
- What differences do you note?
Reflection
- Why should organizations adopt cybersecurity frameworks?
- What might be wrong with using third-party checklists for assessing your organization's cybersecurity posture?
Key Terms
- NIST Cybersecurity Framework: A set of guidelines and best practices developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks. The framework provides a common language and systematic approach to identify, protect, detect, respond to, and recover from cyber threats. It is widely used across various industries to enhance cybersecurity posture and ensure compliance with regulatory requirements.
- CIS Controls: A set of prioritized cybersecurity best practices developed by the Center for Internet Security (CIS) to help organizations improve their security posture. The CIS Controls consist of specific, actionable recommendations that address the most common and impactful cyber threats. They are designed to be practical and effective, providing a clear roadmap for organizations to enhance their cybersecurity defenses.