Cybersecurity Frameworks and Guidance

by John Bandler

There are many valuable frameworks for cybersecurity and information security to help organizations with the complex task of managing and securing their information assets. These frameworks are voluntary guidance, which organizations may choose to follow, adapt, or disregard. Compare this guidance with laws and regulations, which may impose mandatory rules upon the organization (which I call "external rules").

What is a cybersecurity framework?

Simply put, a cybersecurity framework is a suggested best practice. It is not mandatory; it is voluntary guidance. Cybersecurity is complicated, and we cannot expect every organization to reinvent the wheel while securing itself. (P.S. There might be circumstances where a "voluntary" framework becomes mandatory thanks to a contract or other requirement.)

Who creates these frameworks?

Anyone can create frameworks or other guidance. Many frameworks are written by excellent teams of smart people in excellent organizations.

Some come from government, such as the National Institute of Standards and Technology (NIST). The NIST frameworks are created and maintained by some really smart people in our government, paid for with tax dollars, and made publicly available at no cost and with no license agreement.

Some frameworks come from for-profit or not-for-profit organizations (and some from organizations that seem to blend for-profit and non-profit). Having invested resources in the framework, these organizations may make it part of their business model. Some of these frameworks may be available for easy inspection and review, sometimes for a fee or membership; others may not. Sometimes licensing agreements are involved, which may serve the legitimate purposes of protecting intellectual property and business models, but there may be downsides as well.

My framework is simple, was created by me, and is offered for free. It can get you started and certainly is not designed to replace the more complex frameworks.

Who are the frameworks for?

All of the frameworks (except mine) are geared toward readers with a high degree of technology and information security knowledge, and toward organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most small and mid-sized organizations to implement.

In contrast, my Four Pillars framework is perfect for individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework increase in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Twenty Critical Security Controls.

A listing of some frameworks

Here is a quick listing of some frameworks, which I will then briefly summarize:

  • Bandler's Four Pillars of Cybersecurity
  • Other informal guidance for small businesses
  • Critical Security Controls (CSC) from the Center for Internet Security (CIS) (was 20, now is 18)
  • Frameworks from National Institute of Standards and Technology (NIST)
    • NIST Cybersecurity Framework (CSF) v 1.1, Framework for Improving Critical Infrastructure Cybersecurity
    • NIST SP 800-53 Rev 5: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • Cybersecurity Performance Goals (CPGs) from CISA (in coordination with NIST)
  • International Organization for Standardization (ISO) 27001 (27000 series) standard for Information Security Management Systems (ISMS). This framework comes with an industry of third party certification services. The 27000 series is the successor to the ISO 17799 standard.
  • COBIT from ISACA (COBIT = Control Objectives for Information and Related Technology; ISACA = previously known as the Information Systems Audit and Control Association)
  • AICPA SSAE 18 SOC 2 & SOC 3 (ability for third party attestation services) (AICPA = American Institute of Certified Public Accountants; SSAE = Statement of Standards for Attestation Engagement; SOC = Service and Organization Controls). This is found in the AICPA 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS)
  • NERC CIP North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards
  • HITRUST Common Security Framework (CSF) (framework and ability for third party attestation services)
  • Cybersecurity Maturity Model Certification (CMMC) from Department of Defense (DOD)

Bandler's Four Pillars of Cybersecurity

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Improve knowledge and awareness for better decision making at all levels (e.g., re: cybercrime threats, information security, technology, and legal requirements)
  2. Secure computing devices
  3. Secure data
  4. Secure networks and use of the Internet
  5. [Repeat]

I write more about the Four Pillars here.

Other guidance for small businesses

My framework gets you started, and from there it is helpful to extend to government resources, such as those from the FTC and NIST.

Critical Security Controls (CSC) from the Center for Internet Security (CIS)

This framework is from the Center for Internet Security (CIS), a non-profit organization, which makes it freely available if you provide a working email address and abide by its license. The framework is a set of critical security controls (CSCs), which used to number 20 but now number 18. The controls are prioritized and start with the basics, such as making an inventory of computing devices and securely configuring them. The controls then move on to more complicated tasks, ending with penetration testing.

As of this writing, they are at Version 8, released on or about May 2021. The 18 controls are organized as follows:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

Their links are:

You would download the controls spreadsheet (about 172 rows for the controls, plus other worksheets) and the accompanying document (about 87 pages).

NIST frameworks

NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. It is funded by our federal tax dollars and does a lot of great work, thanks to many smart and hard-working people there. All of the NIST frameworks are publicly available and easily downloadable for free, without any registration.

Some NIST website links are:

We will cover some of their frameworks next.

NIST Cybersecurity Framework (CSF) v 1.1, Framework for Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework (NIST CSF) is organized into five main categories ("functions"):

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The framework recognizes that this is a continual process. These five functions are further subdivided into areas of focus:

  • Identify
    • Asset Management (ID.AM)
    • Business Environment (ID.BE)
    • Governance (ID.GV)
    • Risk Assessment (ID.RA)
    • Risk Management Strategy (ID.RM)
    • Supply Chain Risk Management (ID.SC)
  • Protect
    • Identity Management, Authentication and Access Control (PR.AC)
    • Awareness and Training (PR.AT)
    • Data Security (PR.DS)
    • Information Protection Processes and Procedures (PR.IP)
    • Maintenance (PR.MA)
    • Protective Technology (PR.PT)
  • Detect
    • Anomalies and Events (DE.AE)
    • Security Continuous Monitoring (DE.CM)
    • Detection Processes (DE.DP)
  • Respond
    • Response Planning (RS.RP)
    • Communications (RS.CO)
    • Analysis (RS.AN)
    • Mitigation (RS.MI)
    • Improvements (RS.IM)
  • Recover
    • Recovery Planning (RC.RP)
    • Improvements (RC.IM)
    • Communications (RC.CO)

NIST CSF is at Version 1.1, released April 2018. Version 2.0 is in the works.

I write more about NIST CSF here.

NIST CSF links include:

NIST Privacy Framework

--Summary coming someday--

https://www.nist.gov/privacy-framework


NIST SP 800-53 Rev 5: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

--Summary coming someday--

NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

--Summary coming someday--

Cybersecurity Performance Goals (CPGs) from CISA (in coordination with NIST)

The Cybersecurity and Infrastructure Security Agency (CISA) developed these Cybersecurity Performance Goals (CPGs) in coordination with NIST to supplement the NIST Cybersecurity Framework (CSF).

They are designed to be applied across all sectors, especially by small and medium-sized businesses (SMBs).

ISO 27001 (27000 series) Information Security Management Systems

(ISMS = Information Security Management Systems; ISO = International Organization for Standardization) (ability for third party certification services) (this is the successor to the ISO 17799 standard)

--Summary coming someday--

COBIT from ISACA

(COBIT = Control Objectives for Information and Related Technology; ISACA = previously known as the Information Systems Audit and Control Association)

--Summary coming someday--

AICPA SSAE 18 SOC 2 & SOC 3 (ability for third party attestation services)

--Summary coming someday--

(AICPA = American Institute of Certified Public Accountants; SSAE = Statement of Standards for Attestation Engagement; SOC = Service and Organization Controls). This is found in the AICPA 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS)

--Summary coming someday--

NERC CIP North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards

--Summary coming someday--

HITRUST Common Security Framework (CSF) (framework and ability for third party attestation services)

--Summary coming someday--

Cybersecurity Maturity Model Certification (CMMC)

--Summary coming someday--

Conclusion

This is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional reading

This article is hosted at https://johnbandler.com/cybersecurity-frameworks-and-guidance. Copyright John Bandler, all rights reserved.

Posted 10/24/2021. Updated 12/21/2023.