Cybersecurity Frameworks: What They Are & How to Use Them

With the easy availability of tools and knowledge, cyberattacks of all sorts are running rampant, putting pressure on organizations to better defend themselves.

Security is a continuous process that grows over time — exactly why organizations need to create a strong foundation. Two important questions every organization has asked themselves are: Where do we start, and have we done enough?

Cybersecurity frameworks can help you find answers to these questions. They act as a reference to compare with your organization's security state. In this article, you'll learn about different security frameworks. We'll start by covering what a security framework is, why organizations need them, and how organizations can benefit from them. Then we'll go through some top cybersecurity frameworks, including:

• NIST
• ISO 27001
• CIS Controls
• SOC2
• PCI DSS
• HIPAA
• MITRE ATT&CK
• OSCF

(For the latest in all things security, check out these security & InfoSec events.)

What is a security framework?

When you think of implementing security for your infrastructure, network, applications or any other assets, it might be difficult to know where to start. There are so many aspects of cybersecurity and cyber hygiene that it can be overwhelming.

Then there's another angle: how do you know if what you're doing is enough? How do you know what the baseline is? Security frameworks can help you understand what this baseline is.

Essentially, a cybersecurity framework is a structured set of best practices, standards, and guidelines designed to help businesses manage cybersecurity risks. It helps organizations identify, assess, and manage potential risks and protect their digital assets.

Aligning your security with these frameworks reduces the chances of your being breached. That's because frameworks are designed to consider:

• What risks organizations face
• How attackers can exploit security weaknesses

(Understand the differences between vulnerabilities, threats, and risk.)

Benefits of using security frameworks

Security frameworks tend to be precautionary: they offer concrete steps to improve security and manage potential threats and vulnerabilities. Most cyber frameworks aren't intended to be offensive in nature (with some exceptions, like threat hunting frameworks which, by nature, are proactive). Frameworks help kickstart your security journey, and provide you with knowledge of the steps you should take to set up the first lines of defense.

Some clear benefits include:

• Consistency. Since they provide a standardized set of guidelines and best practices, they help organizations implement consistent security measures.
• Fundamental. By following an established framework, companies can avoid reinventing the wheel and instead save time and resources by implementing well-documented processes.
• Trustworthy. Using security frameworks demonstrates an organization's commitment to safeguarding data, which helps build trust with stakeholders, clients, and partners. 
  

Who should use security frameworks

Most security frameworks generally apply to almost all kinds of organizations. Small, medium, and large enterprises can use security frameworks to protect their assets, operations, and data. Similarly, regulated industries like healthcare and financial services should (often are required) to align with frameworks like HIPAA and PCI DSS, respectively to protect consumer data.

You can tweak these frameworks to make them more suitable for your organization. As most security frameworks are designed with flexibility and scalability in mind, they can help you create a strong security foundation over the long run. Security frameworks can also help you fill gaps in your existing security model.

Today's most used cybersecurity frameworks

Now, let’s turn to the most common and most well-known frameworks in the industry.

NIST Cybersecurity Framework

The NIST cybersecurity framework is among the most popular. It's a result of a U.S. presidential order aimed at enhancing security against both internal threats and external threats. The NIST framework was initially created to secure critical infrastructure like power plants and dams. However, this framework has multiple guidelines that apply to organizations generally.

The framework focuses on six core functions which are further split into categories and subcategories.

1. Identify: Identify all the assets that you need to secure and define the scope.
2. Protect: Implement security best practices to ensure the security of the assets.
3. Detect: Create systems to monitor what's happening and detect any suspicious or malicious activity.
4. Respond: Be prepared for when things go wrong. Inform the stakeholders and contain attacks. Here, already-established incident response plans do a lot of the work.
5. Recover: Create processes and mechanisms to repair the damage and restore the state post-incident.
6. Govern: Establish and monitor the organization's risk management strategy.

Businesses of all sizes and domains can follow the NIST framework to protect their assets and improve their security posture. Importantly, companies that want to work with the U.S. government must comply with this framework. You can also get your service or product NIST certified if it meets the requirements.

ISO 27001

ISO 27001 is widely considered the baseline for information security management systems (ISMS). It focuses on the three pillars of cybersecurity: confidentiality, integrity, and availability, also known as the CIA triad. (Not the other CIA ;) ISO 27001 provides guidelines to keep an organization's data safe. As most organizations deal with sensitive data, ISO 27001 is applicable to almost every organization.

This framework provides guidelines for 114 security objectives and controls covering the following aspects:

• Information security policies
• Organization of information security
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operational security
• Communications security
• System acquisition, development, and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

Along with security benefits, ISO 27001 provides reputational benefits. If you meet all the requirements, you can certify in ISO 27001, which increases the trust and confidence of your customers and other stakeholders.

It's also widely adopted and is applicable across different sectors, including manufacturing, IT, and nonprofits. SaaS providers and data-service platforms like data storage solutions and data processing tools can greatly benefit from implementing this framework.

CIS Controls

The Center for Internet Security (CIS) has published eighteen security practices called CIS Critical Security Controls, aka CIS controls, to enhance security. CIS controls don't just increase security but also help you plan security strategies for your organization. It covers implementation, monitoring, training, and incident handling. This framework aims to improve the overall security of an organization — which means that all organizations can benefit from it.

CIS controls are categorized into different sections: basic, foundational, and organizational. This categorization will help you prioritize your tasks. Here are the CIS controls:

1. Inventory and control of enterprise assets
2. Inventory and control of software assets
3. Data protection
4. Secure configuration of enterprise assets
5. Account management
6. Access control management
7. Continuous vulnerability management
8. Audit log management
9. Email and web browser protections
10. Malware defenses
11. Data recovery
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skills training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing

These controls helps minimize the risk of cyber threats like denial of service, data breaches, identity theft, corporate espionage, and privacy loss.

CIS provides certification for software security vendors if they meet the requirements of the CIS Benchmark profile.

SOC2: Service Organization Controls

Short for Service Organization Controls, the SOC2 framework was developed by AICPA to enhance an organization's security by focusing on the following principles:

• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy

SOC2, along with being a security framework, is also an auditing standard. It provides tough procedures to audit systems and controls to ensure that partners and vendors securely manage client data. It applies to most organizations but is one of the hardest to implement, considering its extensive auditing processes and compliance requirements.

Post-audit, auditors generate a SOC2 report that's specific to an organization, proving the organization's compliance with the standards. The SOC2 framework and audit are mostly applicable to organizations providing services and systems to other organizations, as it focuses on improving the trust between providers and clients.

SOC2 compliance is mostly required for SaaS providers that store, process, or transmit sensitive customer data. It's also typically required for companies looking to work with SaaS vendors.

PCI DSS

The practice of online payment is more common than ever. And card payments are among the most common modes of payment. The Payment Card Industry Data Security Standard (PCI DSS) framework, as the name suggests, specifically focuses on keeping users' card data secure and preventing unauthorized access to their data. There are twelve requirements for an organization to be PCI DSS compliant which are further broken down into 277 sub-requirements:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by a business's need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

This framework applies to any organization providing, storing, transporting, or using payment card data. Organizations can get PCI DSS certified by meeting the requirements.

(Explore the zero trust concept.)

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is the guideline for the healthcare industry, as it focuses on the privacy of medical records and health data. HIPAA provides best practices to secure healthcare information along with guidelines to train individuals and conduct risk assessments.

One major challenge organizations face is keeping up with the shifting guidelines as technology changes. Because HIPAA is not specific to any technology, any organization can implement HIPAA practices. Of course, for any healthcare or related industry, HIPAA is likely mandatory.

Organizations can get HIPAA certification by meeting the standards set for these major rules:

• Privacy
• Security
• Breach notification
• Omnibus
• Enforcement

HIPAA is essential for healthcare providers and insurers.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is one of the most detailed cybersecurity frameworks, covering a variety of tactics, techniques, and procedures. It includes guidelines for detecting and preventing cybersecurity threads based on the known adversarial behaviors of criminals and outlines tactics that these criminals use at each stage of a cyberattack.

In addition, it provides mitigation instructions you can use to defend yourself from attacks. This framework is beneficial for security operations centers (SOCs), especially when it comes to detecting malicious and suspicious activity and evaluating the current state of an organization's security.

The framework is categorized into three matrices: Enterprise, Mobile, and Industrial Control Systems (ICS). The framework covers these tactics:

1. Reconnaissance
2. Resource development
3. Initial access
4. Execution
5. Persistence
6. Privilege escalation
7. Defense evasion
8. Credential access
9. Discovery
10. Lateral movement
11. Collection
12. Command and control
13. Exfiltration
14. Impact

MITRE doesn't provide certification for organizations, but all organizations can benefit from this framework.

(Compare the MITRE ATT&CK framework with common cyber kill chain models.)

Open Cybersecurity Schema Framework

This framework, announced at 2022 Black Hat, is a new player in town. Open Cybersecurity Schema Framework (OCSF) is an open-source project that covers various domains and events.

This framework is a result of several major players in the security industry — Splunk, AWS, Cloudflare, among others — coming together to create a common ground for logs and alerts as well as a common format and data model.

OSCF aims to make the detection, investigation, and handling of attacks more efficient. Data and intelligence play a major role in security. Various tools and systems generate humungous amounts of data. It might slow down things for an organization to deal with this amount of data, extract value from it, and act upon it.

OSCF mainly focuses on improving this aspect of security to reduce the time taken by the process so that organizations can act faster. This framework benefits almost all organizations.

Framing cybersecurity

We've covered some of the most popular cybersecurity frameworks that organizations can benefit from. Some of these frameworks are applicable to specific industries or use cases, while others are applicable to organizations generally.

You'll also find some best practices overlapping. For example, encryption is a practice that every framework recommends: it's a go-to cyber best practice.