A cybersecurity framework is a series of documents defining the best practices an organization follows to manage its cybersecurity risk. Such frameworks reduce a company’s exposure to vulnerabilities.
Every day, companies of all sizes, industries, and business environments face the challenge of ensuring the security of their critical systems and data. To help address these challenges, an organization needs a strategic, well-thought-out cybersecurity plan to protect its critical infrastructure and information systems.
As such, companies should look to cybersecurity frameworks for guidance. When applied properly, a cybersecurity framework enables IT security leaders to manage their companies’ cyber risks more intelligently. An organization can adapt an existing cybersecurity framework to meet its own needs or develop one internally.
Some companies must adopt information security frameworks to comply with commercial or government regulations. For example, a company that handles credit card transactions must prove that it complies with the well-known Payment Card Industry Data Security Standard (PCI-DSS) framework. This would require the company to pass an audit. In other cases, organizations adopt cybersecurity risk management frameworks voluntarily.
National Institute of Standards and Technology (NIST)
One widely recognized cybersecurity framework is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
The NIST Cybersecurity Framework (CSF) is a set of guidelines that private-sector companies can follow to identify, detect, and respond to cyberattacks. The NIST framework also includes guidelines to help companies prevent and recover from attacks.
NIST compiled these optional standards after former United States President Barack Obama signed an executive order in 2014. The executive order aimed to establish a cybersecurity framework to help protect the country’s critical infrastructure.
The five main functions of NIST’s cybersecurity framework are:
- Identify: Companies must first understand their environments to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Organizations must develop and implement the appropriate safeguards to limit or contain the effects of possible cybersecurity events.
- Detect: Organizations must implement the appropriate procedures to identify cybersecurity events as soon as possible.
- Respond: Companies must develop response plans that contain the impact of cyber incidents.
- Recover: Companies must develop and implement effective methods to restore the capabilities or services that were damaged by cybersecurity events.
Other frameworks also contain cybersecurity elements, such as ISO 27002 and Control Objectives for Information and Related Technologies (COBIT).