dev-resources.site
for different kinds of informations.
Cybersecurity frameworks
Published at
10/23/2023
Categories
cybersecurity
intermediate
framework
governance
Author
swapanroy
Author
9 person written this
swapanroy
open
What is CyberSecurity framework?
A cybersecurity frameworks describes guidelines, and standards/plan designed for cybersecurity and it's associated risk management. The frameworks intent is to reduce an organization's exposure to exploits and vulnerabilities that cyber-criminals may use.
NIST's Cybersecurity Framework is widely recognized, but there are other cybersecurity frameworks and standards that organizations may tailor and use. Below is a comparison of some of these frameworks, along with their common vs differentiating factors.
Common Factors: Most of the frameworks share a common area of focus which includes risk management, protection of digital assets, data security and aligning cybersecurity with organizational goals. Framework provides a structured approach for enhancing cybersecurity, and can be tailored to an organization's needs and risk apetite.
Differentiating Factors: The differences between the frameworks lie in the specific industry focus, level of prescriptiveness, and methodologies used. Some, like the NIST Framework and ISO/IEC 27001, are widely applicable across industries, while others, like HITRUST and CIS Controls, are more industry-specific. COBIT focuses on governance, while FAIR provides a unique quantitative risk analysis approach.
| Framework / Standard | URL | Common Factors | Differentiating Factors | Example |
|---|---|---|---|---|
| NIST Cybersecurity Framework | NIST Cybersecurity Framework | - Risk-based approach - Core functions (Identify, Protect, Detect, Respond, Recover) - Tiered maturity model | - Highly adaptable for various industries - Broadly recognized and used globally | A manufacturing company uses NIST's framework to identify critical assets and vulnerabilities and develop a response plan for a potential cyberattack. |
| CIS Controls (Center for Internet Security) | CIS Controls | - Prioritized cybersecurity best practices - Focus on reducing the attack surface - Mapped to other frameworks (e.g., NIST, ISO 27001) | - More prescriptive in terms of specific controls - Targets specific security improvements | A financial institution may implement CIS Controls to reduce its attack impact by applying specific controls e.g. network segmentation and privilege management(role based access). |
| ISO/IEC 27001 (Information Security Management System) | ISO/IEC 27001 | - Comprehensive information security management system - Risk management-based approach - Internationally recognized | - Highly structured and process-oriented | A global IT services company seeks ISO 27001 certification to establish a comprehensive information security management system and to meet international security standards to gain projects/recogniation. |
| COBIT (Control Objectives for Information and Related Technologies) | COBIT | - Governance framework for IT and cybersecurity - Aligns IT and business goals - Process improvement model | - Strong focus on governance and control objectives - Tailored specially for IT management and governance | A large corporation may use COBIT to ensure IT and business alignment by establishing governance practices and a maturity model for IT processes. |
| HITRUST Common Security Framework (CSF) | HITRUST CSF | - Healthcare-specific framework - Aligns with HIPAA and other healthcare regulations - Comprehensive controls for PHI protection | - Specifically designed for the healthcare industry - Requires HITRUST certification | A hospital may adopt HITRUST CSF to comply with HIPAA's security requirements and safeguard electronic health records (EHRs) effectively. |
| CIS RAM (Center for Internet Security Risk Assessment Method) | CIS RAM | - Risk assessment methodology - Aligns with CIS Controls - Provides guidelines for identifying and mitigating security risks | - Focused on risk assessment and mitigation - Works well in conjunction with other frameworks | A financial institution may use CIS RAM to perform a risk assessment on its digital banking platform and then applies CIS Controls to mitigate identified risks. |
| FAIR (Factor Analysis of Information Risk) | FAIR Institute | - Quantitative risk analysis methodology - Focus on understanding and managing information risk - Business-focused risk assessment | - Unique for its quantitative risk analysis approach - Tailored for organizations looking for deep risk analysis | A cybersecurity consulting firm may use FAIR to conduct a quantitative risk analysis for a financial client to assess the potential financial impact of a data breach accurately. |
| OWASP (Open Web Application Security Project) | OWASP | - Focus on web application security - Provides a Top Ten list of critical web application security risks - Offers tools and resources for developers and security professionals | - Specialized in web application security - Primarily for developers and security professionals in the context of web application development | A software development company may follow OWASP guidelines to identify and mitigate common web application security risks, such as SQL injection and cross-site scripting (XSS), during application development. |
Please feel free to add ...
governance Article's
30 articles in total
Implementing Kubernetes Security with Kyverno: A Journey Through Resource Management
read article
Cloud Cost Optimization
read article
Data Governance… when there's no Data nor Governance
read article
Gobierno de Datos… cuando no hay Gobierno ni Datos
read article
5 Signs You’ve Built a Secretly Bad Architecture (And How to Fix It)
read article
Building a Robust Data Governance Framework: Best Practices and Key Considerations 
read article
The Pitfalls of Philosopher King -Why Morality Alone Isn’t Enough for Effective Leadership
read article
Understanding Data Governance in the Digital Age
read article
Identifying the Risks Organizations Face - Key Considerations for Risk Governance
read article
Crafting a Balanced Governance Strategy for a Growing Fintech Startup
read article
Conventional Use of AWS CDK
read article
The AI Alliance: Shaping the Future of Artificial Intelligence Together
read article
The Power of Storytelling in Digital Business Case Development
read article
Navigating the Future of Business in the Digital Age
read article
Improving Cloud governance using an automated naming generation tool.
read article
Data Governance in Modern Data Engineering
read article
Integration of Apache Iceberg in S3, Glue, Athena, Matillion, and Snowflake – Part 2
read article
Integration of Apache Iceberg in S3, Glue, Athena, Matillion, and Snowflake – Part 1
read article
Rapidly Ship Industry-Standard APIs
read article
Why your performance work is not seen
read article
API Security Best Practices: Enable Good Governance
read article
Understanding the governance of Cilium.
read article
Open source at Fastly is getting opener
read article
The 5 Disciplines of Cloud Governance
read article
Top GRC Trends for 2024 and Beyond
read article
New Features: Snowflake International Tags & Shared Tags
read article
The Dawn of Technocracy
read article
Cybersecurity frameworks
currently reading
Risk management frameworks
read article
Why your DevOps Toolchain Needs a Governance Platform
read article
Featured ones: