Security Risk
Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber
security risk management. The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities
that hackers and other cyber criminals may exploit.
The word “framework” makes it sound like the term refers to hardware, but that’s not the case. It doesn’t help that the
word “mainframe” exists, and its existence may imply that we’re dealing with a tangible infrastructure of servers, data
storage, etc.
But much like a framework in the “real world” consists of a structure that supports a building or other large object, the
cyber security framework provides foundation, structure, and support to an organization’s security methodologies and
efforts.
Control Frameworks
Program Frameworks
Facilitates and simplifies communications between the cyber security team and the managers/executives
Risk Frameworks
Companies turn to cyber security frameworks for guidance. The right framework, instituted correctly, lets IT security
teams intelligently manage their companies’ cyber risks. Companies can either customize an existing framework or
develop one in-house.
Some businesses must employ specific information security frameworks to follow industry or government regulations. For
example, if your business handles purchases by credit card, it must comply with the Payment Card Industry Data Security
Standard (PCI-DSS) framework. In this instance, your company must pass an audit that shows it complies with the PCI-DSS
framework standards.
The NIST Framework for Improving Critical Infrastructure Cybersecurity, or the “NIST cybersecurity framework” for
brevity’s sake, was established during the Obama Administration in response to presidential Executive Order 13636. The
framework was designed to protect America’s critical infrastructure (e.g., dams, power plants) from cyberattacks.
The NIST framework is a set of voluntary security standards that private sector companies can use to identify and respond to
cyberattacks. The framework also features guidelines to help organizations prevent and recover from cyberattacks. There
are five functions or best practices associated with the NIST framework:
Identify
Protect
Detect
Respond
Recover
If you want your company to start small and gradually work its way up, you must go with the Center for Internet Security
(CIS) Controls. This framework was developed in the late 2000s to protect companies from cyber threats. It’s made up of 20
controls regularly updated by security professionals from many fields (academia, government, industry). The controls are
grouped into three tiers: the framework begins with the basic controls, moves on to the foundational controls, and finishes
with the organizational controls.
CIS also publishes benchmarks based on common standards like HIPAA or NIST that map to those security standards and
offer alternative configurations for organizations that are not subject to mandatory security protocols but want to improve
their cyber security anyway.
3. The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002.
This framework is also called ISO 270K. It is considered the internationally recognized cyber security validation standard,
both for internal use and across third parties. ISO 270K operates under the assumption that the organization has an
Information Security Management System (ISMS). ISO/IEC 27001 requires management to systematically manage their
organization’s information security risks, focusing on threats and vulnerabilities.
ISO 270K is very demanding. The framework recommends 114 different controls, broken into 14 categories. As a result,
ISO 270K may not be for everyone, considering the amount of work involved in maintaining the standards. However, if
implementing ISO 270K is a selling point for attracting new customers, it’s worth it.
The Health Insurance Portability and Accountability Act, better known as HIPAA, provides a framework for managing
confidential patient and consumer data, particularly privacy issues. This legislation protects electronic healthcare
information and is essential for healthcare providers, insurers, and clearinghouses.
There are cases where a business or organization utilizes more than one framework concurrently.
Cyber security frameworks help teams address cyber security challenges, providing a strategic, well-thought-out plan to
protect their data, infrastructure, and information systems. The frameworks offer guidance, helping IT security leaders
manage their organization’s cyber risks more intelligently.
Companies can adapt and adjust an existing framework to meet their own needs or create one internally. However, the
latter option could pose challenges since some businesses must adopt security frameworks that comply with commercial or
government regulations. Home-grown frameworks may prove insufficient to meet those standards.
Bottom line, businesses are increasingly expected to abide by standard cyber security practices, and using these
frameworks makes compliance easier and smarter. The proper framework will suit the needs of many different-sized
businesses regardless of which of the countless industries they are part of.
Frameworks help companies follow the correct security procedures, which not only keeps the organization safe but fosters
consumer trust. Customers have fewer reservations about doing business online with companies that follow established
security protocols, keeping their financial information safe.
Identify
To manage the security risks to its assets, data, capabilities, and systems, a company must fully understand these
environments and identify potential weak spots.
Protect
Companies must create and deploy appropriate safeguards to lessen or limit the effects of potential cyber security breaches
and events.
Detect
Organizations should put in motion the necessary procedures to identify cyber security incidents as soon as possible.
Respond
Companies must be capable of developing appropriate response plans to contain the impacts of any cyber security events.
Recover
IT governance definition
IT governance is an element of corporate governance, aimed at improving the overall
management of IT and deriving improved value from investment in information and
technology.
A robust corporate governance framework can help you meet the requirements of laws
and regulations such as the DPA (Data Protection Act) 2018 and the GDPR.
For instance, the GDPR requires data controllers and processors to demonstrate their
compliance with its requirements through certain documentation, including relevant
logs, policies and procedures.
Harnessing the elements of IT governance will help you create and maintain appropriate
policies and procedures to help meet your data privacy requirements.
1. Value delivery
2. Strategic alignment
3. Performance management
4. Resource management
5. Risk management
ITIL is backed by ISO/IEC 20000:2011, the international standard for IT service management (ITSM), against which
organizations can obtain independent certification.
The ITIL framework is so widely used that it is built in by default on many ITSM platforms.
The latest version of this framework is COBIT 2019, which was released in November 2018 and is based
on COBIT 5, introducing new concepts and addressing the latest developments affecting enterprise IT.
Developed by ISACA, the COBIT framework is compatible with other common frameworks, such as
CMMI and ITIL.
Protection.
Risk Management.
Information Management.
COBIT is a high-level tool that can be used to develop and customize policies, procedures, and processes.
It is not designed for low-level management, so other tools, such as ITIL, are useful at that level.
3. Val IT Governance Framework
Val IT is an IT governance framework developed by the IT Governance Institute, an affiliate of ISACA. Val IT expands and
complements COBIT by providing a comprehensive control framework for IT governance.
However, the main difference between the two frameworks is that Val IT focuses on investment decisions and the returns
expected from them.
COBIT, on the other hand, focuses on implementation, that is, on whether things are done the right way.
Importance of IT Governance
Most boards of directors, especially those of family-owned companies, do not attach particular importance to the subject of
information technology, mainly because there is no IT governance.
Board members often lack the basic knowledge needed to ask central questions, not only about technology risks but also
about the marketing and competitive risks that arise from failing to use modern technologies in the business.
This responsibility is often left to IT managers, who manage the corporate information assets and largely make decisions
alone, most of the time according to their own preferences or knowledge that may be limited or biased.
Therefore, the lack of oversight of IT activities by boards of directors is serious, because it exposes the company to the
same risks as a failure to manage its accounts and assets.
Several international companies have managed this threat by establishing special board-level committees to monitor and
manage information technology. These board-level IT committees work alongside the audit, compensation, and governance
committees; this has become the role of the technology governance committee.