Cybersecurity Frameworks and Guidance by John Bandler

(Please note that this article is in-progress and not yet complete!)

There are many valuable frameworks for cybersecurity and information security that help organizations with the complex task of managing and securing their information assets. These frameworks are voluntary guidance, which organizations may choose to follow, adapt, or disregard. Compare this with external laws and regulations, which may impose mandatory rules upon the organization.

Many of these frameworks are written by excellent teams of smart people in excellent organizations.

At the outset, consider that some frameworks may be an integral part of a business model, others may not. Some frameworks may be available for easy inspection and review, others may not.

The NIST frameworks are created and maintained by some really smart people in our government, paid for with tax dollars, and are an excellent public resource freely available at no cost, with no license agreement.

Other frameworks may be part of a business model, proprietary, cost money, and be subject to licensing agreements. These licensing agreements may serve legitimate purposes of protecting intellectual property and business, but may also have downsides.

All of the frameworks (except mine) are geared for readers with a high degree of technology and information security knowledge, and for organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most smaller and mid-sized organizations to implement. In contrast, my Four Pillars framework is perfect for individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework increase in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework, or the CIS Twenty Critical Security Controls.

Here is a quick listing of some frameworks, which I will then briefly summarize:

  • Bandler's Four Pillars of Cybersecurity
  • 20 Critical Security Controls from the Center for Internet Security (CIS)
  • Frameworks from National Institute of Standards and Technology (NIST)
    • NIST Cybersecurity Framework (CSF) v 1.1, Framework for Improving Critical Infrastructure Cybersecurity
    • NIST SP 800-53 Rev 5: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • ISO 27001 (27000 series), Information Security Management Systems, from the International Organization for Standardization (ISO) (ability for third party certification services)
  • COBIT from ISACA (COBIT = Control Objectives for Information and Related Technology) (ISACA = previously known as the Information Systems Audit and Control Association)
  • AICPA SSAE 18 SOC 2 & SOC 3 (ability for third party attestation services) (AICPA = American Institute of Certified Public Accountants), (SSAE = Statement of Standards for Attestation Engagement), (SOC = Service and Organization Controls). This is found in the AICPA 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS)
  • NERC CIP North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards
  • HITRUST Common Security Framework (CSF) (framework and ability for third party attestation services)

Bandler's Four Pillars of Cybersecurity

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Knowledge and awareness of cybercrime threats, information security, technology, and legal requirements
  2. Protection of computing devices
  3. Protection of data
  4. Protection of networks and safe use of the internet.

Summary of other frameworks coming soon!

This article is hosted at https://johnbandler.com/cybersecurity-frameworks-and-guidance. Copyright John Bandler, all rights reserved.

Posted 10/24/2021. Updated 10/29/2021.