Popular Information Security Frameworks
The technical aspects of managing information security risk fall to the IT function, so it is necessary to be familiar with the following common frameworks that IT uses to manage security risk:
1. ISO/IEC 27001 and 27002
2. NIST Cybersecurity Framework (CSF)
3. Cybersecurity Capability Maturity Model (C2M2)
4. HITRUST Common Security Framework (CSF)
5. IASME Governance Framework
ISO/IEC 27001 and 27002: Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 (first released in 2005) specifies the requirements for an information security management system (ISMS) that an organization can be audited and certified against, while ISO/IEC 27002 (originally ISO/IEC 17799, renumbered in 2007) is the companion code of practice that describes the security controls. They are the most widely recognized of the standards listed here and are designed to apply across industries and organization sizes.
NIST Cybersecurity Framework (CSF): The National Institute of Standards and Technology created a cybersecurity framework that can be applied across industries irrespective of the size or type of organization. Its Framework Core groups cybersecurity outcomes under five functions that together cover the lifecycle of managing cybersecurity risk, from understanding assets and threats through handling and recovering from incidents:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
The framework also defines Profiles, which express an organization's own context: a Current Profile records which Core outcomes the organization achieves today, and a Target Profile records which outcomes it needs given its business objectives, risk tolerance, and legal and regulatory requirements. The gap between the two drives the action plan, so managing cybersecurity risk becomes a matter of putting processes in place to close that gap. (Version 2.0 of the framework, released in 2024, adds a sixth function, Govern, covering strategy, roles and policy; the five functions above are unchanged.)
Finally, the framework defines four Implementation Tiers that describe how rigorous and integrated an organization's risk management practices are: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable) and Tier 4 (Adaptive). Each tier is judged on three dimensions: the risk management process itself, whether an integrated risk management program exists across the organization, and the degree of external participation (sharing information with, and learning from, partners, suppliers and peers). The tiers are explicitly not maturity levels; an organization is encouraged to move to a higher tier only where doing so reduces cybersecurity risk and is cost effective for its mission.
Cybersecurity Capability Maturity Model (C2M2): Though created by the U.S. Department of Energy, originally for the electricity subsector, the model can be applied to organizations of any sector, size or type. It is accompanied by a self-evaluation tool that is used together with the model to assess the maturity of the organization's cybersecurity program across the model's practice domains.
HITRUST Common Security Framework (CSF): The Health Information Trust Alliance (HITRUST) CSF is built on the ISO/IEC 27001/27002 standards and incorporates requirements from healthcare-related federal legislation such as HIPAA; it is intended for organizations that handle protected health information (PHI). NIST itself does not certify frameworks, but since 2018 HITRUST has offered a NIST CSF certification derived from a HITRUST CSF assessment, giving assessed organizations a means to demonstrate alignment with the NIST framework's outcomes.
IASME Governance Framework: The IASME (Information Assurance for Small and Medium Enterprises) Consortium governance framework is designed to improve the cybersecurity of small and medium enterprises (SMEs). It covers similar ground to ISO 27001 but is simpler and cheaper for an SME to certify against, and it incorporates the UK Cyber Essentials controls. Certification includes cyber liability insurance for eligible organizations in the United Kingdom.