Which Top-rated Cybersecurity Framework is Best for your Business?

Ready to review the latest cyber-security frameworks?

With businesses managing increasing volumes of data, robust cybersecurity has never been more foundational to all IT systems.

According to Cybersecurity Ventures, “Worldwide cybercrime costs will hit six trillion annually by 2021.”

And the growing work from home trend isn’t making things easier.

“In 2020, we saw an exponential increase in cybersecurity attacks and specifically, coronavirus-themed scams. Both large and small organizations alike were not prepared for the 273% increase of events over 2019. Now with the debate on doing more with less and companies choosing not to return to the workplace, we find an increasing trend of cyber-attacks will hit astronomical proportions and catch many off guard.”

– Disaster Recovery Journal

The goal of this updated article from July 2020 (with new citations) is to help you select the proper cybersecurity framework, one which matches your business needs, risk tolerance, and industry-specific compliance requirements.

We’ll also be sharing some frameworks that don’t apply directly to you. However, it’s essential to understand what’s going on with IT systems that could affect you. (Because everyone is interconnected.)

A breach in one organization can easily ignite a wildfire across millions of others.

CIS v7

The Center for Information Security (CIS) developed CIS v7, which lists twenty actionable security requirements all organizations can use to serve as a baseline for their cybersecurity program. In this framework, the twenty items appear in basic, easy-to-understand recommendations.

CIS is an optimal match for your first framework when building a cybersecurity program. CIS control systems are monitored and adjusted by cybersecurity experts around the world.

State institutions, public facilities, academic universities, and governmental agencies utilize these controls for an effective technical security system.

Learn More: CIS v7 Overview

ISO 27001

The International Standardization Organization (ISO) created ISO 27001 with the International Electrotechnical Commission (IEC) to provide an international standard to manage information security properly.

Commonly used as an industry best practice, this cybersecurity framework is easy to adopt by any organization. Many companies choose to become ISO certified and typically add other security frameworks to supplement this baseline.

Through the ISO 27001 framework, ISO compliance is a great place to start when looking to revamp your company’s cybersecurity.

Organizations managing financial information, intellectual assets, employee information, or housing third-party information follow ISO 27001 guidelines to ensure their data is securely protected.

Learn More: ISO 27001 Guidelines

SEC

The US Securities and Exchange Commission (SEC) created an outline to guide firms registered with the SEC on specific security measures and recommendations called the “Investigative Report on Cybersecurity.”

In recent years, the SEC has shifted its focus toward cybersecurity and, in 2017, officially established its first Cyber Unit. If your organization would like to register with the SEC, you should start by complying with the commission’s cybersecurity framework.

Learn More: SEC Cybersecurity

SOC 2

Designed specifically for service organizations and created by the AICPA (American Institute of Certified Public Accountants), SOC 2 applies to companies that store customer information in the cloud.

This framework protects customer data with policies and procedures addressing security, processing, availability, confidentiality, and integrity.

SOC 2 compliance is an excellent fit for the following scenarios:

  • A Software as a Service (SaaS) organization that stores customer data in the cloud
  • A cloud-computing provider
  • An organization you partner with that owns infrastructure hosting other companies’ customer data

Learn More: SOC 2

GDPR

While CIS v7 is a great starting point, the GDPR is a bit more complicated. One of the most recent and comprehensive security regulations available, the General Data Protection Regulation (GDPR), was created by the European Union (EU) to protect citizens from security breaches.

GDPR applies to organizations in the US that serve or have data of clients in the EU.

It contains almost 100 articles and eleven chapters outlining various topics on requirements for privacy and security. Companies could potentially face fines due to non-compliance.

Learn More: The Biggest GDPR Fines

If you’re looking to follow the GDPR, note that it applies to controllers and processors of data established inside the EU, and to those established outside the EU when they offer products or services to people located in the EU.

HIPAA

HIPAA, the Health Information Portability and Accountability Act, was signed into law in the US in 1996. It outlines how PHI (Protected Health Information) can be handled and used in healthcare and medical organizations.

This framework has five main areas covering policies and procedures for administrative, general, physical, organizational, and technical purposes.

To meet HIPAA compliance, doctors, dentists, health insurance providers, and more must monitor and securely discard patient health information.

Learn More: Ten Biggest Healthcare Breaches of 2020

NYDFS 500

Designed by the New York Department of Financial Services (NYDFS), the NYDFS 500 addresses the influx of security breaches in the financial services industry.

Learn More: The Largest Financial Services Breaches

Financial institutions such as private bankers, state-chartered banks, mortgage and insurance companies, and other organizations, including foreign banks licensed to do business in New York, can use this framework as a guide to enforce security requirements.

PCI DSS

The Payment Card Industry Security Standards Council (PCI SSC) created PCI DSS to limit credit card fraud.

Its framework offers a list of comprehensive security requirements. Organizations that follow PCI DSS compliance are often companies that transmit, process, or store credit card data.

If you’re a merchant or service provider, you must comply with PCI and have specific requirements you should meet annually and quarterly to receive certification.

Learn More: Five Biggest PCI Breaches

NIST (CSF) 1.1

The National Institute of Standards and Technology (NIST) has developed many cybersecurity frameworks that serve the diverse needs of federal government agencies and various industries.

Designed in response to the Cybersecurity Enhancement Act (CEA) of 2014, the NIST Cybersecurity Framework (CSF) Version 1.1 was released in 2018. The update includes additional requirements for supply chain security and identity management.

CSF is an established framework for best practices. It’s frequently a requirement for contractors of the US federal government.

It’s also an excellent framework for businesses, and Microsoft makes it very easy to adopt.

Learn More: NIST + Microsoft 365

NIST 800-53

NIST 800-53 is a set of guidelines for federal information systems that helps organizations achieve compliance with the Federal Information Security Management Act (FISMA).

This framework contains over 900 requirements and is the “heaviest” or largest cybersecurity framework a company can implement.

NIST 800-53 is popular with federal agencies and with organizations that operate or maintain federal information systems, in addition to those seeking to comply with FISMA.

Learn More: New Government Targeted Threats

NIST 800-171

The NIST 800-171 framework applies to the DoD and its contractors who store, process, or transmit Controlled Unclassified Information (CUI).

This framework’s security guidelines meet requirements assigned by the Defense Federal Acquisition Regulation Supplement (DFARS).

What’s Next?

I can’t imagine you aren’t following some basic cybersecurity framework right now. A warning: if you’re taking a wait-and-see approach, there’s mounting evidence that this is a high-risk proposition.

More and more states are demanding the adoption of cybersecurity frameworks. And this will only pave the way for other states to jump on board. (Legislation is funny that way.)

Learn More: Cybersecurity Legislation & Safe Harbor Trends

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
