With the easy availability of tools and knowledge, cyberattacks of all sorts are running rampant, putting pressure on organizations to better defend themselves.
Security is a continuous process that grows over time — exactly why organizations need to create a strong foundation. Two important questions every organization has asked themselves are: Where do we start, and have we done enough?
Cybersecurity frameworks can help you find answers to these questions. They act as a reference to compare with your organization's security state. In this article, you'll learn about different security frameworks. We'll start by covering what a security framework is, why organizations need them, and how organizations can benefit from them. Then we'll go through some top cybersecurity frameworks, including:
(For the latest in all things security, check out these security & InfoSec events.)
When you think of implementing security for your infrastructure, network, applications or any other assets, it might be difficult to know where to start. There are so many aspects of cybersecurity and cyber hygiene that it can be overwhelming.
Then there's another angle: how do you know if what you're doing is enough? How do you know what the baseline is? Security frameworks can help you understand what this baseline is.
Essentially, a cybersecurity framework is a structured set of best practices, standards, and guidelines designed to help businesses manage cybersecurity risks. It helps organizations identify, assess, and manage potential risks and protect their digital assets.
Aligning your security with these frameworks reduces the chances of your being breached. That's because frameworks are designed to consider:
(Understand the differences between vulnerabilities, threats, and risk.)
Security frameworks tend to be precautionary: they offer concrete steps to improve security and manage potential threats and vulnerabilities. Most cyber frameworks aren't intended to be offensive in nature (with some exceptions, like threat hunting frameworks which, by nature, are proactive). Frameworks help kickstart your security journey, and provide you with knowledge of the steps you should take to set up the first lines of defense.
Some clear benefits include:
Most security frameworks generally apply to almost all kinds of organizations. Small, medium, and large enterprises can use security frameworks to protect their assets, operations, and data. Similarly, regulated industries like healthcare and financial services should (often are required) to align with frameworks like HIPAA and PCI DSS, respectively to protect consumer data.
You can tweak these frameworks to make them more suitable for your organization. As most security frameworks are designed with flexibility and scalability in mind, they can help you create a strong security foundation over the long run. Security frameworks can also help you fill gaps in your existing security model.
Now, let’s turn to the most common and most well-known frameworks in the industry.
The NIST cybersecurity framework is among the most popular. It's a result of a U.S. presidential order aimed at enhancing security against both internal threats and external threats. The NIST framework was initially created to secure critical infrastructure like power plants and dams. However, this framework has multiple guidelines that apply to organizations generally.
The framework focuses on six core functions which are further split into categories and subcategories.
Businesses of all sizes and domains can follow the NIST framework to protect their assets and improve their security posture. Importantly, companies that want to work with the U.S. government must comply with this framework. You can also get your service or product NIST certified if it meets the requirements.
ISO 27001 is widely considered the baseline for information security management systems (ISMS). It focuses on the three pillars of cybersecurity: confidentiality, integrity, and availability, also known as the CIA triad. (Not the other CIA ;) ISO 27001 provides guidelines to keep an organization's data safe. As most organizations deal with sensitive data, ISO 27001 is applicable to almost every organization.
This framework provides guidelines for 114 security objectives and controls covering the following aspects:
Along with security benefits, ISO 27001 provides reputational benefits. If you meet all the requirements, you can certify in ISO 27001, which increases the trust and confidence of your customers and other stakeholders.
It's also widely adopted and is applicable across different sectors, including manufacturing, IT, and nonprofits. SaaS providers and data-service platforms like data storage solutions and data processing tools can greatly benefit from implementing this framework.
The Center for Internet Security (CIS) has published eighteen security practices called CIS Critical Security Controls, aka CIS controls, to enhance security. CIS controls don't just increase security but also help you plan security strategies for your organization. It covers implementation, monitoring, training, and incident handling. This framework aims to improve the overall security of an organization — which means that all organizations can benefit from it.
CIS controls are categorized into different sections: basic, foundational, and organizational. This categorization will help you prioritize your tasks. Here are the CIS controls:
These controls helps minimize the risk of cyber threats like denial of service, data breaches, identity theft, corporate espionage, and privacy loss.
CIS provides certification for software security vendors if they meet the requirements of the CIS Benchmark profile.
Short for Service Organization Controls, the SOC2 framework was developed by AICPA to enhance an organization's security by focusing on the following principles:
SOC2, along with being a security framework, is also an auditing standard. It provides tough procedures to audit systems and controls to ensure that partners and vendors securely manage client data. It applies to most organizations but is one of the hardest to implement, considering its extensive auditing processes and compliance requirements.
Post-audit, auditors generate a SOC2 report that's specific to an organization, proving the organization's compliance with the standards. The SOC2 framework and audit are mostly applicable to organizations providing services and systems to other organizations, as it focuses on improving the trust between providers and clients.
SOC2 compliance is mostly required for SaaS providers that store, process, or transmit sensitive customer data. It's also typically required for companies looking to work with SaaS vendors.
The practice of online payment is more common than ever. And card payments are among the most common modes of payment. The Payment Card Industry Data Security Standard (PCI DSS) framework, as the name suggests, specifically focuses on keeping users' card data secure and preventing unauthorized access to their data. There are twelve requirements for an organization to be PCI DSS compliant which are further broken down into 277 sub-requirements:
This framework applies to any organization providing, storing, transporting, or using payment card data. Organizations can get PCI DSS certified by meeting the requirements.
(Explore the zero trust concept.)
The Health Insurance Portability and Accountability Act (HIPAA) is the guideline for the healthcare industry, as it focuses on the privacy of medical records and health data. HIPAA provides best practices to secure healthcare information along with guidelines to train individuals and conduct risk assessments.
One major challenge organizations face is keeping up with the shifting guidelines as technology changes. Because HIPAA is not specific to any technology, any organization can implement HIPAA practices. Of course, for any healthcare or related industry, HIPAA is likely mandatory.
Organizations can get HIPAA certification by meeting the standards set for these major rules:
HIPAA is essential for healthcare providers and insurers.
The MITRE ATT&CK Framework is one of the most detailed cybersecurity frameworks, covering a variety of tactics, techniques, and procedures. It includes guidelines for detecting and preventing cybersecurity threads based on the known adversarial behaviors of criminals and outlines tactics that these criminals use at each stage of a cyberattack.
In addition, it provides mitigation instructions you can use to defend yourself from attacks. This framework is beneficial for security operations centers (SOCs), especially when it comes to detecting malicious and suspicious activity and evaluating the current state of an organization's security.
The framework is categorized into three matrices: Enterprise, Mobile, and Industrial Control Systems (ICS). The framework covers these tactics:
MITRE doesn't provide certification for organizations, but all organizations can benefit from this framework.
(Compare the MITRE ATT&CK framework with common cyber kill chain models.)
This framework, announced at 2022 Black Hat, is a new player in town. Open Cybersecurity Schema Framework (OCSF) is an open-source project that covers various domains and events.
This framework is a result of several major players in the security industry — Splunk, AWS, Cloudflare, among others — coming together to create a common ground for logs and alerts as well as a common format and data model.
OSCF aims to make the detection, investigation, and handling of attacks more efficient. Data and intelligence play a major role in security. Various tools and systems generate humungous amounts of data. It might slow down things for an organization to deal with this amount of data, extract value from it, and act upon it.
OSCF mainly focuses on improving this aspect of security to reduce the time taken by the process so that organizations can act faster. This framework benefits almost all organizations.
We've covered some of the most popular cybersecurity frameworks that organizations can benefit from. Some of these frameworks are applicable to specific industries or use cases, while others are applicable to organizations generally.
You'll also find some best practices overlapping. For example, encryption is a practice that every framework recommends: it's a go-to cyber best practice.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.