Cybersecurity Framework
What are Cybersecurity Frameworks?
Cybersecurity frameworks are a set of policies, and procedures implemented to create an effective security posture. These frameworks provide organizations with the guidance to protect their assets from cyber threats by identifying, assessing, and managing risks that could lead to data breaches, system outages, or other disruptions.
Cybersecurity frameworks help organizations develop and maintain an effective security strategy that meets the specific needs of their environment. Through evaluating current security practices and identifying gaps in protection, these frameworks help cybersecurity teams implement appropriate safeguards to protect critical assets. Below are the most commonly seen information security and cybersecurity frameworks. Their purposes and links to the most recently published guidelines.
NIST Framework
What it is: The National Institute of Standards and Technology (NIST) Framework is a voluntary guideline of standards. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency that develops and promotes standards and guidelines for a wide range of industries, including cybersecurity. The NIST Cybersecurity Framework (CSF) is a set of guidelines designed to help organizations improve their cybersecurity posture.
PDF Link: Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Excel Link: Control Catalog and Baselines as Spreadsheets | CSRC (nist.gov)
MITRE ATT&CK
What it is: (Adversarial Tactics, Techniques, and Common Knowledge) is a framework that was developed by MITRE corporation, a not-for-profit organization that works to advance public interests in science and engineering. MITRE ATT&CK is widely used by cybersecurity professionals to understand and respond to cyber threats.
Link: MITRE ATT&CK® Framework
ISO 27001 and ISO 27002
What it is: Developed by the International Organization for Standardization (ISO)
ISO 27001 is an international standard that provides a systematic approach to risk assessment, control selection, and implementation. It includes requirements for establishing an Information Security Management System (ISMS).
ISO 27002 is a code of practice that outlines more specific and detailed security controls. When implemented together, these two standards provide organizations with a comprehensive approach to information security management.
Link 27001: ISO 27001 Standard (cssia.org)
CIS
What it is: The Center for Internet Security (CIS) provides best practices for organizations seeking to protect their networks from cyber threats. This framework includes 20 controls, covering many security areas, such as access control, asset management, and incident response.