An information security framework, when implemented properly, allows any security leader to manage their organization’s cyber risk more intelligently.
A cybersecurity framework is a set of documented policies, procedures, and processes by which an organization abides. It effectively explains to all parties (internal, tangential, and external) how information, systems and services are managed within your organization. The main point of having an information security framework in place is to reduce risk levels and your exposure to risk.
There are hundreds of information security frameworks in existence today; however, the NIST Cybersecurity Framework is quickly becoming an industry standard. Learn more about the NIST Cybersecurity Framework and how it compares to a few other cybersecurity frameworks used around the world.
Framework #1: NIST Cybersecurity Framework (CSF)
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was created through a collaboration between industry and NIST, a federal agency within the United States Department of Commerce whose mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
The NIST CSF is based on existing standards, guidelines, and practices that help organizations better manage and reduce cybersecurity risk. The core of the framework is a set of cybersecurity activities, desired outcomes, and applicable references that are common across many different sectors, organized into five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover.
The NIST Cybersecurity Framework helps an organization better understand, manage, and reduce its cybersecurity risks. It assists in determining which activities are most important to assure critical operations and service delivery. In turn, it helps prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language for cybersecurity risk management, it is especially helpful in communicating inside and outside the organization, including improving communication, awareness, and understanding between and among IT, planning, and operating units, as well as senior executives. Organizations also readily use the framework to communicate their current or desired cybersecurity posture with buyers and suppliers.
Framework #2: United Kingdom’s Cyber Essentials
The government of the United Kingdom worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls to help organizations protect themselves against common online security threats. The full scheme, launched in 2014, enables organizations to earn one of two Cyber Essentials badges. It is backed by industry groups, including the Federation of Small Businesses, the Confederation of British Industry (CBI), and several insurance organizations that offer incentives for businesses to become badged.
Cyber Essentials is suitable for all organizations, of any size, in any sector and consists of five technical controls that organizations can put in place today:
- Use a firewall to secure your internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up to date
Once you have taken the time to investigate these five controls and put them in place, they will put you and your organization on the path to better cybersecurity.
NIST CSF vs. Cyber Essentials
The primary difference between these two frameworks is that Cyber Essentials is a security compliance measurement, while the NIST Cybersecurity Framework is a framework for structuring your approach to cybersecurity risk management.
They have overlapping activities, but the coverage of the NIST CSF will always be larger because it addresses not only network nodes and access but also people, processes, and procedures. Note also that the NIST CSF functions related to detection, response, and recovery are not activities that Cyber Essentials considers. How your organization responds to and manages an event is as important as, if not more important than, trying to protect it from attack.
Framework #3: Australia’s Essential Eight
The Australian Cybersecurity Centre compiled a list of mitigation strategies, along with technical details for each, that organizations can use as starting points to improve their cyber resilience. While no single mitigation strategy is guaranteed to prevent cybersecurity incidents, they identified eight essential mitigation strategies that should be implemented as a baseline where practicable.
This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Proactively implementing the Essential Eight can be more cost-effective in terms of time, money, and effort than having to respond to a large-scale cybersecurity incident.
The Essential Eight mitigation strategies reside under three overarching mitigation strategies:
- Prevent malware delivery and execution
- Limit the extent of cybersecurity incidents
- Recover data and system availability
There is a suggested implementation order to assist organizations in building a strong cybersecurity posture for their systems. Once an initial level of mitigation has been achieved, the organization can focus on increasing the maturity of its implementation of the Essential Eight mitigation strategies.
NIST CSF vs. Essential Eight
These two approaches are very different from each other. One is a list of eight suggested minimum activities that an organization should start doing. The other is a full framework for developing, testing, and communicating policies and procedures around network access and management, end-user education, and many other critical cybersecurity functions.
The primary difference between them is that the Essential Eight is focused on the day-to-day activities of most office workers. It does not offer significant guidance to a security team on implementing policies, procedures, testing plans, communication strategies, event management processes, event mitigation, end-user training, identity management and access control (beyond administrative privilege restriction), physical environment, event detection, logging, and a large number of other activities that a security team should be implementing, reviewing, and communicating.
While it is meant to be a starting point, hence the name "Essential" Eight, it is not holistic enough to be considered a firm basis for a cybersecurity policy or practice.
Is One Better Than the Other?
There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons. However, it is not necessarily an all-or-nothing choice. We recommend evaluating the purpose of the framework you are using and whether it would be beneficial to layer on additional frameworks based on your customers' needs: some customers' security needs are compliance-driven, whereas others are more flexible and take a guidelines approach. Regardless of industry or regulation, the NIST CSF is generally applicable.
Why ConnectWise Identify Maps to the NIST Cybersecurity Framework
More than 3,000 individuals from diverse parts of the private sector, academia, and government participated in the initial five workshops around the country. NIST received hundreds of detailed suggestions and comments in response to the initial request for information (RFI) and feedback. The framework can be used by organizations that already have extensive cybersecurity programs, as well as by those just beginning to think about putting cybersecurity management programs in place.
ConnectWise Identify is based on the NIST Cybersecurity Framework because NIST has a long-standing and ongoing effort supporting small business cybersecurity, accomplished by providing guidance through publications, meetings, and events.
We are using our knowledge and resources, as well as those provided by NIST, to ensure successful cybersecurity. Not sure where to start? Check out our cybersecurity starter kit today.
John Ford is CISO at ConnectWise. Read more ConnectWise blogs here.