Security Risk


What is a Cyber Security Framework?

Cyber security frameworks are sets of documents describing guidelines, standards, and best practices for managing cyber
security risk. They exist to reduce an organization's exposure to the weaknesses and vulnerabilities that attackers
may exploit.

The word “framework” makes it sound like the term refers to hardware, but that’s not the case. It doesn’t help that the
word “mainframe” exists, and its existence may imply that we’re dealing with a tangible infrastructure of servers, data
storage, etc.

But much like a framework in the “real world” consists of a structure that supports a building or other large object, the
cyber security framework provides foundation, structure, and support to an organization’s security methodologies and
efforts.

As we are about to see, these frameworks come in many types.

What Are the Types of Cyber Security Frameworks?


Frameworks break down into three types according to the function they serve.

Control Frameworks

 Develops a basic strategy for the organization’s cyber security department

 Provides a baseline group of security controls

 Assesses the present state of the infrastructure and technology

 Prioritizes implementation of security controls

Program Frameworks

 Assesses the current state of the organization’s security program

 Constructs a complete cybersecurity program

 Measures the program's maturity and benchmarks it against comparable organizations

 Facilitates and simplifies communications between the cyber security team and the managers/executives

Risk Frameworks

 Defines the necessary processes for risk assessment and management


 Structures a security program for risk management

 Identifies, measures, and quantifies the organization’s security risks

 Prioritizes appropriate security measures and activities

Top Cyber Security Frameworks


When it comes to picking a cyber security framework, you have an ample selection to choose from. Here are the
frameworks recognized today as some of the better ones in the industry. Naturally, your choice depends on your
organization’s security needs.

Companies turn to cyber security frameworks for guidance. The right framework, instituted correctly, lets IT security
teams intelligently manage their companies’ cyber risks. Companies can either customize an existing framework or
develop one in-house.

Some businesses must employ specific information security frameworks to follow industry or government regulations. For
example, if your business stores, processes, or transmits payment card data, it must comply with the Payment Card Industry
Data Security Standard (PCI DSS). In this instance, your company must demonstrate compliance through an assessment: a
self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, depending on transaction volume.

1. The NIST Cyber Security Framework.

The NIST Framework for Improving Critical Infrastructure Cybersecurity, or the "NIST cybersecurity framework" (CSF) for
brevity's sake, was established during the Obama Administration in response to presidential Executive Order 13636 of 2013.
The framework was designed to protect America's critical infrastructure (e.g., dams, power plants) from cyberattacks,
although it is now used well beyond that sector.

The CSF is a set of voluntary guidelines, not an audited standard, that private sector companies can use to identify,
protect against, detect, respond to, and recover from cyberattacks. Version 1.1 of the framework organizes its outcomes
into five core functions (CSF 2.0, published in February 2024, adds a sixth, Govern, covering strategy, roles, and risk
management policy):

 Identify

 Protect

 Detect

 Respond

 Recover

2. The Center for Internet Security Critical Security Controls (CIS).

If you want your company to start small and gradually work its way up, the CIS Critical Security Controls are a good fit.
This framework was developed in the late 2000s (originally as the SANS Top 20) to protect organizations from common cyber
threats. Version 7 consisted of 20 controls grouped as basic, foundational, and organizational; version 8, published in
2021, consolidates them into 18 controls and instead defines three Implementation Groups (IG1 to IG3), so an organization
begins with the essential IG1 safeguards and adds the rest as its maturity grows. The controls are regularly updated by
security professionals from many fields (academia, government, industry).

CIS separately publishes Benchmarks: consensus-based secure configuration guides for specific operating systems, databases,
cloud platforms, and applications. The Controls and Benchmarks are mapped to standards such as HIPAA, NIST CSF, and PCI DSS,
so organizations not subject to a mandatory framework can still use them as a baseline to improve their security.
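As an added illustration of what a benchmark check actually does (this is example code written for this page, not code from CIS or from the original article), the following Python script parses an OpenSSH server configuration and compares three settings with the hardened values the CIS Linux benchmarks recommend for SSH: root login, empty passwords, and X11 forwarding. The benchmark recommendation numbers change between versions and are deliberately not cited; both configuration files are constructed for the example, and the OpenSSH defaults table is an assumption about the daemon's built-in values rather than something the benchmark states.

```python
"""CIS-benchmark-style check of an OpenSSH server configuration.

Added example, not code from the original page or from CIS. It parses sshd_config
text and compares a few settings with the hardened values that CIS Linux
benchmarks recommend for SSH (root login, empty passwords, X11 forwarding).
Benchmark recommendation numbers change between versions and are not given.
Both configurations below are constructed for this example.
"""
import re

# Hardened value each keyword should carry (keywords are compared case-insensitively,
# as sshd itself treats them).
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# Assumed OpenSSH defaults for keywords missing from the file, so that an unset
# keyword is judged on the value sshd will actually use rather than passed silently.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

WEAK_CONFIG = """\
# constructed sample: weak settings
Port 22
PermitRootLogin yes
X11Forwarding yes
PermitRootLogin no        # ignored by sshd: only the first occurrence counts
Match User backup
    PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
# constructed sample: corrected settings
Port 22
PermitRootLogin no
X11Forwarding no
PermitEmptyPasswords no
"""

# "Keyword value" or "Keyword=value", as sshd_config allows.
_LINE = re.compile(r"^(\S+?)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} (both lower-cased) for the global section.

    Mirrors two sshd rules: the first occurrence of a keyword wins, and everything
    after a Match line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit(text):
    """Return one finding per checked keyword: {keyword, actual, expected, status}."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, expected in EXPECTED.items():
        actual = settings.get(keyword, DEFAULTS[keyword])
        findings.append({
            "keyword": keyword,
            "actual": actual,
            "expected": expected,
            "status": "PASS" if actual == expected else "FAIL",
        })
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for f in audit(cfg):
            print(f"{f['status']}  {f['keyword']}: {f['actual']} (expected {f['expected']})")
```

Two details matter in practice and are easy to get wrong in home-grown audit scripts: sshd honours the first occurrence of a keyword, so the later "PermitRootLogin no" in the weak file does not rescue it, and settings under a Match block are conditional, so they must not be read as the global value. Real benchmark tooling also checks the effective configuration (for example via `sshd -T`) rather than only the file on disk.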
3. The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002.

This family of standards is often called ISO 27K. ISO/IEC 27001 is the internationally recognized, certifiable standard
for information security, used both internally and to demonstrate assurance to third parties; ISO/IEC 27002 is the
companion guidance on implementing its controls. ISO 27001 operates under the assumption that the organization runs an
Information Security Management System (ISMS). It requires management to systematically manage the organization's
information security risks, focusing on threats and vulnerabilities, and to select controls based on that risk assessment.

ISO 27K is demanding. The 2013 edition of ISO/IEC 27001 lists 114 controls in Annex A, broken into 14 categories; the
2022 edition restructures them into 93 controls across four themes (organizational, people, physical, and technological).
As a result, ISO 27K may not be for everyone, considering the amount of work involved in operating and auditing the ISMS.
However, if certification is a selling point for attracting new customers, it is worth it.

4. The Health Insurance Portability and Accountability Act.

Better known as HIPAA, it provides a framework for managing protected health information (PHI), particularly its privacy
and security. The HIPAA Privacy and Security Rules protect health information, including electronic PHI, and apply to
healthcare providers, health plans, and clearinghouses (covered entities) as well as to the business associates that
handle PHI on their behalf.

There are many other frameworks to choose from, including:

 SOC 2 (System and Organization Controls, AICPA)

 NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)

 GDPR (General Data Protection Regulation)

 FISMA (Federal Information Security Management Act, updated in 2014 as the Federal Information Security Modernization Act)

 HITRUST CSF (Health Information Trust Alliance Common Security Framework)

 PCI DSS (Payment Card Industry Data Security Standard)

 COBIT (Control Objectives for Information and Related Technologies)

 COSO (Committee of Sponsoring Organizations of the Treadway Commission)

There are cases where a business or organization utilizes more than one framework concurrently.

Why Do We Need Cyber Security Frameworks?


Cyber security frameworks remove some of the guesswork in securing digital assets. Frameworks give cyber security
managers a reliable, standardized, systematic way to mitigate cyber risk, regardless of the environment’s complexity.

Cyber security frameworks help teams address cyber security challenges, providing a strategic, well-thought plan to
protect its data, infrastructure, and information systems. The frameworks offer guidance, helping IT security leaders
manage their organization’s cyber risks more intelligently.

Companies can adapt and adjust an existing framework to meet their own needs or create one internally. However, the
latter option could pose challenges since some businesses must adopt security frameworks that comply with commercial or
government regulations. Home-grown frameworks may prove insufficient to meet those standards.
Bottom line, businesses are increasingly expected to abide by standard cyber security practices, and using these
frameworks makes compliance easier and smarter. The proper framework will suit the needs of many different-sized
businesses regardless of which of the countless industries they are part of.

Frameworks help companies follow the correct security procedures, which not only keeps the organization safe but fosters
consumer trust. Customers have fewer reservations about doing business online with companies that follow established
security protocols, keeping their financial information safe.

Cyber Security Framework Best Practices


Although every framework is different, certain best practices are applicable across the board. Here, we are expanding on
NIST’s five functions mentioned previously.

 Identify

To manage the security risks to its assets, data, capabilities, and systems, a company must fully understand these
environments and identify potential weak spots.

 Protect

Companies must create and deploy appropriate safeguards to lessen or limit the effects of potential cyber security breaches
and events.

 Detect

Organizations should put in motion the necessary procedures to identify cyber security incidents as soon as possible.

 Respond

Companies must be capable of developing appropriate response plans to contain the impacts of any cyber security events.

 Recover

IT governance definition

IT governance is an element of corporate governance, aimed at improving the overall
management of IT and deriving improved value from investment in information and
technology.

IT governance frameworks enable organisations to manage their IT risks effectively and
ensure that the activities associated with information and technology are aligned with
their overall business objectives.

Why is IT governance important?


IT governance enables an organisation to:

 Demonstrate measurable results against broader business strategies and goals.

 Meet relevant legal and regulatory obligations, such as those set out in the GDPR (General Data
Protection Regulation) or the Companies Act 2006.

 Assure stakeholders they can have confidence in your organisation's IT services.

 Facilitate an increase in the return on IT investment.

 Comply with certain corporate governance or public listing rules or requirements.

What is corporate governance?


Corporate governance is "a toolkit that enables management and the board to deal
more effectively with the challenges of running a company. Corporate governance
ensures that businesses have appropriate decision-making processes and controls in
place so that the interests of all stakeholders are balanced.”- ICSA, The Governance
Institute.

A robust corporate governance framework can help you meet the requirements of laws
and regulations such as the DPA (Data Protection Act) 2018 and the GDPR.

For instance, the GDPR requires data controllers and processors to demonstrate their
compliance with its requirements through certain documentation, including relevant
logs, policies and procedures.

Harnessing the elements of IT governance will help you create and maintain appropriate
policies and procedures to help meet your data privacy requirements.

The five domains of IT governance


The IT Governance Institute (a division of ISACA) breaks down IT governance into five
domains:

1. Value delivery
2. Strategic alignment
3. Performance management
4. Resource management
5. Risk management

Other IT governance frameworks and models to consider

In addition to the frameworks listed above, there are several other models and
frameworks you should consider for effective IT governance:

 King reports on corporate governance (King I to King IV).

 ISO 31000:2018 (risk management).

 ISO/IEC 27001 (information security; the 2013 edition cited in older material has been superseded by the 2022 edition).

 Business continuity management and disaster recovery (e.g., ISO 22301).

 Knowledge management, including intellectual capital.

 Programme management and project governance, including PRINCE2® and PMBOK®.

Most Important IT Governance Frameworks:


Here are the best-known IT governance frameworks for companies and other organisations:

1. ITIL Framework For IT Governance


ITIL, developed by Axelos, is the most popular and widely used IT Service Management (ITSM) framework; its latest
version, ITIL 4, was released in February 2019.

ITIL is aligned with ISO/IEC 20000-1 (currently the 2018 edition), the international standard for service management
against which organisations can obtain independent certification. ITIL itself certifies individuals, not organisations.

The ITIL framework covers important ITSM areas such as:

 Service strategy, design, transition, operation, and continual improvement (the five lifecycle stages of ITIL v3,
reframed as the service value system in ITIL 4).

 Problem management.

 Incident management.

 Change management (called change enablement in ITIL 4).

Because ITIL is so widespread, many ITSM platforms implement its processes out of the box.

2. COBIT Governance Framework


COBIT is one of the top IT governance frameworks: an internationally recognized control framework for the governance and
management of enterprise IT that helps organisations meet business challenges in regulatory compliance and risk
management and align their IT strategy with business objectives.

The latest version of this framework is COBIT 2019, which was released in November 2018 and is based
on COBIT 5, introducing new concepts and addressing the latest developments affecting enterprise IT.

Developed by ISACA, the COBIT framework is compatible with other common frameworks, such as
CMMI and ITIL.

The COBIT framework focuses on several key areas:

 Protection.
 Risk Management.
 Information Management.

COBIT is a high-level tool that can be used to develop and customize policies, procedures, and processes.

It is not designed for low-level management, so it is useful to resort to other tools for those departments,
such as ITIL.
3. Val IT Governance Framework

Val IT is an IT governance framework developed by the IT Governance Institute (ITGI), the research arm of ISACA. Val IT
expands and complements COBIT by providing a comprehensive framework for governing IT-enabled investments; its content
was later folded into COBIT 5.

The main difference between the two is that Val IT focuses on investment decisions and the value expected from them:
are we doing the right things, and are we getting the benefits?

COBIT, on the other hand, focuses on execution: are we doing them the right way, and doing them well?

For governance to be effective, it must be supported by senior management; however, leadership support alone is not
enough. Val IT supports senior management by providing a comprehensive framework, backed by processes and other guidance
materials, to help executives understand, discuss, and evaluate IT-enabled business investments.

4. AS 8015-2005 IT Governance Framework:

AS 8015-2005 is an Australian standard for the corporate governance of ICT, published in 2005. It is only 12 pages long
and sets out six principles for effective IT governance (responsibility, strategy, acquisition, performance, conformance,
and human behaviour). It was later adopted internationally as ISO/IEC 38500.

5. CMMI IT Governance Framework:

CMMI (Capability Maturity Model Integration) is a process improvement framework that rates how an organisation performs,
matures, and achieves its goals over time on a maturity scale of 1 (initial) to 5 (optimizing). In governance it is used
to measure and benchmark process capability rather than to prescribe specific controls.

6. FAIR IT Governance Framework:

FAIR (Factor Analysis of Information Risk) is a model for quantitative information risk analysis, standardized by The Open
Group. It focuses on cyber security and on assessing the risks to which the organisation is exposed in financial terms:
risk is decomposed into the frequency of loss events (how often a threat acts and succeeds) and the magnitude of each
loss, so that decisions about controls and risk appetite rest on comparable numbers rather than on qualitative ratings.
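To show what "quantifying" risk means under FAIR (and what the Risk Frameworks section above calls identifying, measuring, and quantifying risk), here is an added example written for this page; it is not code from the original article or from The Open Group. It applies only the top level of the FAIR taxonomy, risk = loss event frequency x loss magnitude with loss event frequency = threat event frequency x vulnerability, and samples each factor from a triangular distribution in a Monte Carlo loop. The credential-stuffing scenario, its figures, and the post-MFA vulnerability estimate are constructed assumptions, not data.

```python
"""FAIR-style quantitative risk estimate using Monte Carlo sampling.

Added example; it is not code from the original page or from The Open Group's
FAIR standard. It applies the top-level FAIR relations
    Risk (annual loss) = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF = Threat Event Frequency (TEF) x Vulnerability
where Vulnerability is the probability that a threat event becomes a loss event.
Each factor is given as a (minimum, most likely, maximum) estimate and sampled from
a triangular distribution. The scenario figures below are constructed.
"""
import random


def sample(estimate, rng):
    """Draw one value from a (low, mode, high) triangular estimate."""
    low, mode, high = estimate
    if not low <= mode <= high:
        raise ValueError(f"bad estimate {estimate}")
    return rng.triangular(low, high, mode)


def annual_loss(tef, vulnerability, loss_magnitude):
    """FAIR top level: LEF = TEF x Vulnerability; loss = LEF x LM."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability")
    return tef * vulnerability * loss_magnitude


def simulate(scenario, trials=10_000, seed=1):
    """Monte Carlo over the three factors; returns summary statistics in currency per year."""
    rng = random.Random(seed)
    losses = sorted(
        annual_loss(
            sample(scenario["tef"], rng),
            sample(scenario["vulnerability"], rng),
            sample(scenario["loss_magnitude"], rng),
        )
        for _ in range(trials)
    )
    n = len(losses)
    return {
        "mean": sum(losses) / n,
        "p50": losses[n // 2],
        "p90": losses[int(0.9 * n)],
        "max": losses[-1],
    }


# Constructed scenario: credential stuffing against a customer portal.
BEFORE = {
    "tef": (4, 12, 30),                             # attack campaigns per year
    "vulnerability": (0.05, 0.15, 0.40),            # share that ends in account takeover
    "loss_magnitude": (20_000, 80_000, 400_000),    # cost per loss event
}

# Same scenario after enforcing MFA: only the vulnerability estimate changes (assumed).
AFTER = dict(BEFORE, vulnerability=(0.005, 0.02, 0.05))


if __name__ == "__main__":
    for name, scenario in (("before MFA", BEFORE), ("after MFA", AFTER)):
        r = simulate(scenario)
        print(f"{name:11s} mean={r['mean']:>10,.0f}  p50={r['p50']:>10,.0f}  p90={r['p90']:>10,.0f}")
```

The useful output is not the mean but the spread: the p90 figure tells a board what a bad year looks like, and running the same seed before and after a proposed control isolates the control's effect from sampling noise. The full FAIR model refines each factor further (contact frequency, probability of action, threat capability versus resistance strength, primary versus secondary loss); this example stops at the level the text describes.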

7. ISO/IEC 38500:2015 IT Governance Framework:


ISO/IEC 38500:2015 is an IT Governance Framework that helps people at the top of the organization
better understand their legal and ethical obligations in their companies' use of information technology.

8. COSO IT Governance Framework:

COSO is an internal control framework that addresses the organisation as a whole rather than IT operations specifically.
It gives management a structure for managing risk and reducing the organisation's exposure to fraud and theft, and its
enterprise risk management guidance is commonly paired with an IT-specific framework such as COBIT.

Importance of IT Governance

Many boards of directors, especially those of family-owned companies, attach little importance to information
technology, mainly because no IT governance structure exists.

Board members often lack the basic knowledge needed to ask central questions, not only about technology risks but also
about the marketing and competitive risks of failing to adopt modern technology in the business. This responsibility is
often left to IT managers, who manage corporate information assets and are largely alone in their decisions, which then
rest on personal preference or on knowledge that may be limited or biased.

Therefore, the lack of board oversight of IT activities is serious: it exposes the company to the same kind of risk as a
failure to manage its accounts and assets.

Several international companies have managed this threat by establishing special board-level committees to monitor and
manage information technology. These IT committees work alongside the audit, compensation, and governance committees,
in the role of a technology governance committee.

Sources:

https://www.projectmanager.com/blog/it-governance-frameworks-definitions
https://www.simplilearn.com/what-is-a-cyber-security-framework-article
https://www.itgovernance.co.uk/it_governance
