Cybersecurity Frameworks and Guidance

by John Bandler

There are many valuable frameworks for cybersecurity and information security to help organizations with the complex task of managing and securing their information assets. These frameworks are voluntary guidance, which organizations may choose to follow, adapt, or disregard. Compare this with laws and regulations, which may impose mandatory rules upon the organization (which I call "external rules").

What is a cybersecurity framework?

Simply put, a cybersecurity framework is a suggested best practice. It is not mandatory; it is voluntary guidance. Cybersecurity is complicated, and we cannot expect every organization to reinvent the wheel while securing itself.

Who creates these frameworks?

Anyone can create frameworks or other guidance. Many frameworks are written by excellent teams of smart people in excellent organizations.

Some come from government, such as the National Institute of Standards and Technology (NIST). The NIST frameworks are created and maintained by some really smart people in our government, paid for with tax dollars, and made publicly available at no cost and with no license agreement.

Some frameworks come from for-profit or not-for-profit organizations (and some from organizations that seem to blend for-profit and non-profit). Having invested resources into the framework, these organizations may make it a part of their business model. Some of these frameworks are available for easy inspection and review, sometimes with a fee or membership; others are not. Sometimes licensing agreements are involved, which may serve the legitimate purposes of protecting intellectual property and business models, but there may be downsides also.

My framework is simple and was created by me, and is offered for free. It can get you started but certainly is not designed to replace the more complex frameworks.

Who are the frameworks for?

All of the frameworks (except mine) are geared for readers with a high degree of technology and information security knowledge, and for organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most small and mid-sized organizations to implement.

In contrast, my Four Pillars framework is perfect for individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework increase in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Twenty Critical Security Controls.

A listing of some frameworks

Here is a quick listing of some frameworks, which I will then briefly summarize:

  • Bandler's Four Pillars of Cybersecurity
  • Other informal guidance for small businesses
  • Critical Security Controls (CSC) from the Center for Internet Security (CIS) (was 20, now is 18)
  • Frameworks from National Institute of Standards and Technology (NIST)
    • NIST Cybersecurity Framework (CSF) v 1.1, Framework for Improving Critical Infrastructure Cybersecurity
    • NIST SP 800-53 Rev 5: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • ISO 27001 (27000 series), Information Security Management Systems (ISMS), from the International Organization for Standardization (ISO) (ability for third party certification services) (this is the successor to the ISO 17799 standard)
  • COBIT from ISACA (COBIT = Control Objectives for Information and Related Technology), (ISACA = Previously known as the Information Systems Audit and Control Association)
  • AICPA SSAE 18 SOC 2 & SOC 3 (ability for third party attestation services) (AICPA = American Institute of Certified Public Accountants), (SSAE = Statement of Standards for Attestation Engagement), (SOC = Service and Organization Controls). This is found in the AICPA 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS)
  • NERC CIP North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards
  • HITRUST Common Security Framework (CSF) (framework and ability for third party attestation services)

Bandler's Four Pillars of Cybersecurity

My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:

  1. Improve knowledge and awareness for better decision making at all levels (e.g., re: cybercrime threats, information security, technology, and legal requirements)
  2. Secure computing devices
  3. Secure data
  4. Secure networks and use of the Internet.
  5. [Repeat]

I write more about it here.

Other guidance for small businesses

My framework gets you started; from there it is helpful to extend to government resources, such as those from the FTC and NIST.

Critical Security Controls (CSC) from the Center for Internet Security (CIS)

This was 20 controls and is now 18.

--Summary coming soon--

NIST Cybersecurity Framework (CSF) v 1.1, Framework for Improving Critical Infrastructure Cybersecurity

--Summary coming someday--

NIST SP 800-53 Rev 5: NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations

--Summary coming someday--

NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

--Summary coming someday--

ISO 27001 (27000 series) Information Security Management Systems

(ISO 27001 covers Information Security Management Systems (ISMS) and comes from the International Organization for Standardization (ISO); ability for third party certification services; this is the successor to the ISO 17799 standard)

--Summary coming someday--

COBIT from ISACA

(COBIT = Control Objectives for Information and Related Technology), (ISACA = Previously known as the Information Systems Audit and Control Association)

--Summary coming someday--

AICPA SSAE 18 SOC 2 & SOC 3 (ability for third party attestation services)

(AICPA = American Institute of Certified Public Accountants), (SSAE = Statement of Standards for Attestation Engagement), (SOC = Service and Organization Controls). This is found in the AICPA 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

--Summary coming someday--

PCI-DSS Payment Card Industry (PCI) Data Security Standard (DSS)

--Summary coming someday--

NERC CIP North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cybersecurity Standards

--Summary coming someday--

HITRUST Common Security Framework (CSF) (framework and ability for third party attestation services)

--Summary coming someday--

Conclusion

This is not legal advice nor consulting advice, and is not tailored to your circumstances.

Additional reading

This article is hosted at https://johnbandler.com/cybersecurity-frameworks-and-guidance. Copyright John Bandler, all rights reserved.

Posted 10/24/2021. Updated 6/10/2022.