“Rule books tell people what to do. Frameworks guide people how to act. Rule books insist on discipline. Frameworks allow for creativity.”
Simon Sinek
The dictionary meaning of the word framework is a basic or foundational structure underlying a system or a concept. In practical terms it is a conceptual structure intended to support or guide the building of something that turns that structure into something tangible.
Now let’s imagine a framework as a book of recipes. Instead of starting from scratch and figuring out all the ingredients and cooking methods, one can use the book of recipes (the framework), which guides you through the process: which ingredients to use and how to combine them for particular needs.
Similarly, in cybersecurity one needs a cookbook: a recipe in the form of a framework to understand the threats and the vulnerabilities within, how to address them, how to secure your information assets, how to design a secure system, even how to secure a self-driving car!

Now let’s talk about some of the important Frameworks in Cybersecurity.
ISO 27001/27002
ISO 27001 and ISO 27002 are two related standards that focus on information security management within organizations. They are part of the ISO/IEC 27000 family of standards, which provides not only a comprehensive framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), but also guidelines and best practices for implementing security controls.
There is, however, a difference between the two: ISO 27001 specifies the requirements for an ISMS, whereas ISO 27002 offers detailed guidance on how to implement specific security controls to address various information security risks.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) provides a policy framework of computer security guidance for how private sector organizations in critical infrastructure sectors can assess and improve their ability to prevent, detect, and respond to cyber attacks. Let’s look at some of the NIST Special Publications.
NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. It covers a wide range of security controls and provides a comprehensive set of safeguards for federal information systems and organizations to protect against various threats.
NIST SP 800-30 provides guidance on conducting risk assessments. It outlines a structured approach to identifying, assessing, and mitigating risks to information systems and data.
NIST SP 800-207, titled “Zero Trust Architecture,” provides guidelines for implementing zero trust principles within organizations to enhance cybersecurity and protect critical assets. The document outlines key concepts, components, and considerations for designing and implementing a zero trust architecture.
Center for Internet Security
The CIS (Center for Internet Security) Controls, formerly known as the SANS Top 20 Critical Security Controls, are a set of cybersecurity best practices and guidelines designed to help organizations strengthen their security posture and mitigate common cyber threats. The CIS Controls are widely recognized and adopted as a framework for implementing effective cybersecurity measures across various industries and sectors.
Organizations can use the CIS Controls framework to assess their current security posture, identify gaps and weaknesses, and prioritize security investments and initiatives.
Cloud Security Alliance
The Cloud Controls Matrix (CCM) is a cybersecurity control framework developed by the Cloud Security Alliance (CSA) to provide a structured set of security controls and guidelines for cloud computing environments. The CCM helps organizations assess the security posture of cloud service providers (CSPs) and establish security requirements for cloud deployments.
Organizations can use the Cloud Controls Matrix (CCM) to:
- Assess the security capabilities of cloud service providers (CSPs) by evaluating their adherence to CCM controls and criteria.
- Establish security requirements and expectations when procuring cloud services or negotiating service level agreements (SLAs) with CSPs.
- Enhance their own cloud security posture by implementing CCM controls and guidelines within their cloud deployments.
- Facilitate compliance efforts by aligning with industry standards and regulatory requirements referenced in the CCM.
IEC 62443
IEC 62443 is an international standard developed by the International Electrotechnical Commission (IEC) that focuses on cybersecurity for industrial automation and control systems (IACS). It provides a comprehensive framework of security requirements and guidelines specifically tailored to address the unique challenges and risks associated with industrial environments, including manufacturing plants, critical infrastructure, and process control systems.
ISO/SAE 21434
ISO/SAE 21434 is an international standard developed jointly by the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) to address cybersecurity in road vehicles. This standard provides guidelines and requirements for automakers, suppliers, and other stakeholders in the automotive industry to enhance cybersecurity throughout the vehicle’s lifecycle, from design and development to operation and decommissioning.
PCI-DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS framework was developed to protect cardholder data from theft and fraud.
The PCI DSS framework consists of specific requirements within predefined categories, and compliance is typically validated annually through self-assessment questionnaires or on-site audits conducted by qualified security assessors (QSAs).
Non-compliance with PCI DSS can result in fines, increased transaction fees, or even suspension of the ability to process credit card payments. Therefore, businesses that handle credit card information must adhere to the PCI DSS framework to protect cardholder data and maintain trust with customers.
In conclusion, with digitalisation every industry and every organization needs its own cookbook: a framework for how it must keep itself resilient against emerging threats.