We have entered the era of multiple security frameworks. Sometimes mandatory, often voluntary, security frameworks are created to provide federal and commercial organizations with an effective roadmap for securing IT systems. The goal is to reduce risk levels and prevent or mitigate cyber-attacks.
To accomplish this task, security frameworks typically provide a series of documented, agreed and understood policies, procedures, and processes necessary to secure the confidentiality, integrity and availability of information systems and data.
In the United States, the overarching framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. As part of the Department of Commerce, NIST is responsible for developing technical standards and guidelines for information security, among other things. Although the NIST standards apply to U.S. federal agencies and critical infrastructure, the framework is also widely used throughout the private sector.
In addition, specialized frameworks are less comprehensive and address specific aspects of information compliance. HIPAA, for example, provides security requirements to protect patient privacy; PCI in the retail sector addresses credit card processing; FedRAMP covers federal cloud standards; and the energy sector relies on the NERC Critical Infrastructure Plan. The list is long, and today even individual states are adopting their own cyber security frameworks (e.g., NYDFS).
If there is a drawback to security frameworks, however, it is that most provide a “30,000-foot view” of information security. Most identify potential risks as well as how to protect, detect, respond and even recover from cyber-attacks. Specific implementation steps, on the other hand, are rarely addressed.
SteelCloud is a CIS partner – https://www.cisecurity.org/