Which framework is right for you? Are there regulations in your industry that outline a specific framework your security program has to follow? We’ve highlighted three of the most popular primary cybersecurity models that organizations globally follow to reach a maturity program level. We also laid out three of the more common secondary, industry-specific cybersecurity models.
What is cybersecurity program maturity?
A mature cybersecurity program is one where the processes, tools, and people are all aligned and working together so that the program is successful at mitigating risk. A mature program has buy-in from executive leadership, but also has goals that are felt across the entire organization. There will always be risks and vulnerabilities that plague mature cybersecurity programs, but there are actionable and agreed upon plans in place that partners and vendors agree to when working with a mature cybersecurity program.
The specifics of program maturity boil down to the cybersecurity model chosen and what is counted as mature for each model. Cybersecurity models also can outline the order in which different steps should happen to reach program maturity.
3 Primary Frameworks
NIST Cyber Security Framework
National Institute of Standards and Technology (NIST) is a cybersecurity model commonly used by organizations in the US. Establishing and communicating your organization’s tolerance for risk is key to increase program maturity, in accordance to this model. The NIST framework also accounts for the rapidly changing nature of cybersecurity threats, and advises its followers to continuously adjust their monitoring techniques and remediation strategies to match the ongoing threat environment.
The NIST cybersecurity model follows five key phases to reaching a mature security management program:
- Identify - In the first phase, organizations establish a business-wide approach to cybersecurity management, including an understanding of the current risks to the network, what sensitive information lives throughout the organization, and what critical business operations exist that need to be protected from cybersecurity threats
- Protect - The next step in building program maturity according to NIST’s cybersecurity model is to organize and define the defenses necessary to protect the identified critical pieces of your security program.
- Detect - This phase is probably what most organizations dive right into when it comes to cybersecurity program management, including establishing the most effective and encompassing monitoring tools to identify risks efficiently and effectively.
- Respond - The fourth step to increase program maturity according to NISTs cybersecurity model is to tackle the threats to your organization. This is more than just patching your network, but means proper containment of the impact of malicious activity.
- Recover - Just as detection and remediation are important to program maturity, having it in your management process to schedule time to recover and reflect on damages will allow for real program improvements and better protection of your network in the future.
The NIST cybersecurity model acknowledges the current practices most organizations use to protect their network. Instead of starting new, it guides organizations to better use what they’re already doing and add in the right steps to reach program maturity.
ISO 27000
ISO 27000 is an international standard, created by the Internal Organization for Standardization (ISO) to highlight best practices for information security management systems. This cybersecurity model is more popular among organizations in the European Union, and focuses attention on the three main areas of a mature cybersecurity management program: people, processes, and technology. The recommendations of the ISO 27000 cybersecurity model is broken down into the following areas for security managers to use best practices to reach program maturity:
- Security risk assessment
- Security policy
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
Similarly to the NIST framework, ISO 27000 guides organizations beyond the typical cybersecurity management practices to include greater security standards and protections. ISO 27000 includes management of critical physical and operational security measures, and is broken down into ISO 27000 Series to get more specific into the actual implementation and design of this cybersecurity model.
Image from tcdi.com
CIS 20
The final cybersecurity model many organizations follow to reach program maturity is the CIS 20. Designed by the Center for Internet Security after the US defense industry experienced a data breach in 2008, the CIS 20 is a series of 20 controls deemed critical to protect an organization’s network from expansive cyber attacks.
The CIS 20 is broken down into 3 main categories of controls:
- Basic Controls (like inventory control, continuous vulnerability management, and controlled employee privileges)
- Foundational Controls (like malware defenses, data protection, or wireless access controls)
- Organizational Controls (like training programs and creation of incident response teams)
The CIS 20 cybersecurity model is designed to be all-encompassing, and require extreme attention and care to an organization’s cybersecurity management process.
3 Secondary Frameworks
Besides the three most popular cybersecurity models listed above, there are also industry-specific secondary frameworks organizations may be required to, or choose to follow.
HIPAA - Specific to the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) was created to require healthcare organizations to protect the privacy and highly sensitive information of patients. HIPAA extends to organizations beyond healthcare when it comes to employee health information collected for insurance or medical leave purposes, but the cybersecurity model mainly applies to healthcare organizations that need to follow three key components:
- Administrative requirements
- Physical security requirements
- Technical security requirements
Handling Specific Vendor Risk Management Challenges in Healthcare
PCI DSS - The Payment Card Industry (PCI) Data Security Standard (DSS) regulations focus on the protection of consumer payment information stored by card processing transactions. There are 12 requirements for an organization to be deemed PCI DSS compliant, which is required by all companies that process or transmit cardholder information as part of their business.
GDPR - The European Union’s General Data Protection Regulation (GDPR) focuses on the requirements of organizations in the EU to protect consumer data. The cybersecurity model also includes data protection for information transferred from an EU-based organization to somewhere else geographically. The GDPR requirements include:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
In Conclusion
There are many cybersecurity models for organizations to both choose from, or to be required to follow. It’s also important for a lot of businesses to become certified for following a specific framework to best represent themselves compared to their competition.
BitSight customers use their access to BitSight Security Ratings and expansive cybersecurity monitoring technology to comply with cybersecurity models and maturity frameworks. To get started complying with regulations or maturity frameworks in your industry, request a BitSight demo today.
