In order to observe best practices, and to meet with technical and other requirements, organizations often use frameworks for cybersecurity compliance and regulatory compliance. These frameworks provide best practices and guidelines to assist in improving security, optimizing business processes, meeting regulatory requirements, and performing other tasks necessary to achieve specific business objectives such as breaking into a particular market niche or selling to government agencies.
Many such frameworks exist, and the recommendations set out in them can impose difficult and often expensive demands on enterprise resources – especially in situations where an organization is subject to a number of regulatory compliance regimes, whose requirements it has to meet while maintaining its own strong cybersecurity status.
Choosing which framework or frameworks to adopt can be a hard decision. In this article, we’ll be looking at some of the leading frameworks recommended for cybersecurity compliance purposes, and suggesting ways to determine which ones are most appropriate.
Who Gains From Frameworks?
Frameworks for compliance and cybersecurity provide a common language which can be used at all levels of an organization to promote more secure and efficient business practices while empowering the enterprise to meet its legal responsibilities to consumers, industry governing bodies, and regulatory authorities.
Internal auditors and other stakeholders within an organization can use frameworks to evaluate and implement the policies and controls steering the operations of the enterprise. External auditors (such as those sent by a regulatory authority) can look to the frameworks in assessing the processes and measures that the organization has in place to address their cybersecurity and compliance requirements. And third parties such as customers or potential investors can use frameworks as a guide in evaluating how trustworthy or potentially profitable an enterprise may be.
Cybersecurity Compliance Frameworks
Frameworks for cybersecurity will typically provide recommendations on implementing and managing the various aspects of a security program, such as perimeter defense, access control, authentication, encryption, monitoring, reporting, incident response, and risk management. They may also give advice on best practices, and areas that should be covered in cybersecurity awareness training.
Each framework will approach these matters in a specific way, characteristic of its particular design. This will likely be influenced by the industry standards or market sector that the framework has been designed for.
There are several cybersecurity compliance frameworks available, including the following:
Consortium for IT Software Quality (CISQ)
The Consortium for IT Software Quality (CISQ) has developed standards for automating the measurement of the structural quality and size of software applications. The standards were drawn up on the basis of exploits and vulnerabilities identified by the Open Web Application Security Project (OWASP), the SANS Institute, and the Common Weakness Enumeration (CWE). The standards of the CISQ framework are commonly used in managing application security risk.
Control Objectives for Information Related Technology (COBIT)
In 1996, the Information Security Audit and Control Association (ISACA) introduced the Control Objectives for Information Related Technology (COBIT) framework to address the issue of risk reduction in financial organizations. The latest revision of COBIT includes best practices for aligning information technology functions and processes and linking these best practices to business strategy.
Federal Risk and Authorization Management Program (FedRAMP)
The US Federal Risk and Authorization Management Program (FedRAMP) framework provides a standardized way for government agencies to evaluate the risks of cloud-based software solutions and infrastructure platforms. The framework allows existing security assessments and packages to be reused across multiple government agencies and is based on the continuous monitoring of cloud products and services for real-time cybersecurity.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is actually a division of the US Chamber of Commerce, which deals with cybersecurity issues affecting the operators and managers of critical infrastructure. Its recommendations for manufacturing, quality control, security, and other matters are based on the results of consultations with security industry experts, government agencies, and academics. The framework provides a set of controls and balances to help infrastructure operators manage their cybersecurity risks.
Privacy Shield Framework
The Privacy Shield Framework was established to replace the US-EU Safe Harbor guidelines, which were issued to ensure that US companies complied with European Union (EU) data protection standards when transferring EU data across borders. The framework was designed to minimize and mitigate the risk of tampering when data is transferred between the EU and the USA.
Ten Steps to Cyber Security
An initiative of the UK’s Department for Business, Innovation & Skills (BIS), Ten Steps to Cyber Security is a framework which provides an overview of cybersecurity for business executives. Rather than defining specific controls (which would typically require specialist knowledge and skills), the framework uses broader and less technical descriptions and objectives to explain the risks, defenses, and solutions associated with a strong organization-wide approach to cybersecurity.
Frameworks for Regulatory Compliance
Regulatory compliance regimes usually set out highly specific and often stringent requirements for organizations and industry sectors to follow, in order to meet established standards and to comply with existing laws. These requirements may be numerous and complex – so frameworks designed to assist in meeting compliance demands are a welcome addition to the resource and knowledge base of most enterprises.
Identity management, data handling, and privacy matters are often at the heart of these frameworks. But issues relating to proper procedure, auditing, and reporting relevant to each discipline or market sector also make up a major part. Some typical examples include the following:
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a compliance framework setting out mandatory controls for organizations that process credit card data. It aims to protect the identities and information of payment card (credit or debit card) holders, and consists of multiple levels of requirements which correspond to the extent to which credit or debit card data interacts with an organization. So banks, financial institutions, commercial enterprises, and service providers would tend to have to meet more compliance conditions than other organizations.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley (SOX) Act of 2002 established a framework setting out mandatory controls for public companies. It was passed in the wake of accounting scandals at Enron, WorldCom, and Tyco which eroded investor confidence.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a framework governing the activities of anyone who collects, stores, or processes personal health information (PHI). This includes hospitals, clinics, medical services providers, and insurance companies. The framework defines a set of mandatory controls which such organizations should have in place, to ensure the security of patient and health service consumer information.
International Organization for Standardization (ISO)
The International Organization for Standardization (ISO) publishes a wide-ranging set of international standards aimed at improving and reporting on quality management and security across a spectrum of industries. There are different sub-frameworks within the larger ISO framework, with conditions applicable to specific market sectors and disciplines. For example, the ISO 27000 series provides an information security framework that can be applied to organizations of all types and sizes.
General Data Protection Regulation (GDPR)
The recently enacted General Data Protection Regulation (GDPR) is a compliance framework setting out stringent conditions, guidelines, and penalties for organizations and individuals that collect, store, and process the personal information of European Union (EU) citizens and residents. The GDPR is one of the most high-powered frameworks ever devised for protecting the data privacy of individuals. It has a global remit, since its terms apply to any organization or individual in any part of the world that deals with the personal data of customers or users from the EU.
Putting Cybersecurity Compliance Frameworks Into Perspective
It’s hardly ever advisable for organizations to attempt to create frameworks for cybersecurity or regulatory compliance from scratch. The time, effort, and resources required for doing so all militate against this approach. And past evidence suggests that attempting to reinvent the wheel in this manner rarely results in success.
With so many established and proven frameworks already in existence, the wisest option is to select the most appropriate framework or frameworks available that cater to your needs and meet the compliance, cybersecurity, and other demands of your business environment.
As compliance regimes alter over time (often pulling in market sectors that were previously unaffected by them), and the cybersecurity landscape changes and evolves, some experts also advise adopting a “hybrid” approach to frameworks, using a selection of relevant models to inform the cybersecurity and compliance activities of the enterprise.