Question

In: Computer Science

List the names AND titles of 5 (five) frameworks (or approaches) that are implemented by enterprises for cyber risk management compliance

Solutions

Expert Solution

A security framework is a series of documentation, agreed and understood policies, procedures, and processes that define how information is managed in a business, to lower risk and vulnerability and increase confidence in an ever-connected world.

There are around 250 different types of security frameworks used globally, developed to suit a wide variety of businesses and sectors.

Here are the most common 5 frameworks that are implemented by enterprises for cyber risk management compliance:

1. International Standards Organisation (ISO)

2. Protective Security Requirements (PSR)

3. Australian Signals Directorate (ASD)

4. Control Objectives for Information and Related Technology (COBIT)

5. National Institute of Standards and Technology (NIST)

6. Industry-Specific Standards

1. International Standards Organisation (ISO):- One of the most widely known security standards, this is a mature framework focused on information security. It is very comprehensive and broad, and can be used across a wide range of types and sizes of businesses. Developed by the International Standards Organisation (ISO), it is the security equivalent of the ISO 9000 quality standards for manufacturers and operational excellence.

As it is tried and tested, countries often use it as a basis on which to create a manual about security and what to do.

However, like many of the ISO standards, it can be a bit daunting and many smaller organizations are put off by the effort required to gain accreditation and the perception that it can be difficult to implement.

2. Protective Security Requirements (PSR):- It describes baseline and minimum mandatory security standards for government departments and agencies. It forms an important part of the New Zealand Security Intelligence Service’s Protective Security Requirements (PSR) framework, which sets out the Government's expectations for managing personnel, information and physical security.

As it’s a New Zealand document, it’s a popular starting point for Kiwi companies, and it has been made publicly available to allow greater access, increase awareness, improve transparency, and to share good practice.

3. Australian Signals Directorate (ASD):- Not a standard as such, the Australian Signals Directorate (ASD) is a set of controls or strategies that, if implemented correctly, could mitigate up to 85% of the most common information security attack techniques.

The Essential 8 are part of a larger set of strategies that make up the ASD Strategies to Mitigate Cyber Security Incidents. These are based on the ASD's experience in responding to real-world attacks and in performing vulnerability assessments and penetration testing of Australian Government agencies. The ASD states that the Essential 8 are so effective that it considers them to be the cyber-security baseline for all organizations.

4. Control Objectives for Information and Related Technology (COBIT):- COBIT is a high-level framework focused on identifying and mitigating risk. It was developed for IT governance professionals to reduce technical risk, but it has evolved into a standard to align IT with business goals. What it lacks is informative practical advice. While it is not as widely followed as others, COBIT is mostly used within the finance industry to comply with standards such as Sarbanes-Oxley, but if your business wants to adopt a formal risk management framework, it is also worth considering.

5. National Institute of Standards and Technology (NIST):- The NIST framework has evolved over 20 years and could be seen as the father figure for others. It contains a wide-ranging collection of information security standards and best practices. It is mature and very comprehensive and is very good for large enterprises, as well as those with a US connection. It can be aligned to the ISO standards, such as ISO 9000 quality management. Because NIST contains a lot of practical guidance, it can also be adapted relatively easily to smaller and non-US organizations.

6. Industry-Specific Standards:- In addition to the common frameworks above, there are also a number of industry-specific standards such as PCI DSS (for credit card handling), HIPAA (US legislation to safeguard health/medical information) and HISO (the NZ health information security framework) as well as any number of local regulations such as the European GDPR and the NZ Privacy Act. Adopting one of the more general security frameworks above may not make you fully compliant with these specific standards or regulations, but they will go a long way to helping you achieve compliance.

Security frameworks are vital for future success, and the decision about which to adopt should not be left to your IT team; boards and senior management need to be fully involved and responsible. That is because information security is a business risk issue, not an 'IT problem', and should be addressed at the executive level of your organisation.
