The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency dedicated to promoting American industrial competitiveness and innovation. NIST provides various resources and standards, including the “Framework for Improving Critical Infrastructure Cybersecurity,” also known as the NIST cyber security framework.
The NIST cyber security framework was designed to help protect critical infrastructure, such as dams and power plants, against cyber attacks, but you can apply its principles to any organization. It offers an organized mechanism to help you identify risks and locate the assets that require protection. It also describes methods that can help protect these assets.
The framework is highly extensive. Its most basic document consists of 41 pages. Implementing the framework may require thousands of work hours and hundreds of procedures, controls, and documentation pages. However, the core principles are easy to understand. The framework offers a basic pattern for cyber defense, including:
- Assign management roles to systematically manage the organization’s security risks while accounting for cyber threats and vulnerabilities.
- Design and implement coherent and comprehensive information security controls to mitigate identified risks.
- Adopt an ongoing risk management process.
3. Center for Internet Security (CIS):
The Center for Internet Security (CIS) is a non-profit organization created by Eastern European and Asian countries. It focuses on improving cyber security readiness and response across the public and private sectors. The CIS includes the following four program divisions:
- The Integrated Intelligence Center—facilitates relationships between private-sector and government entities to help create comprehensive coordinated security intelligence.
- The Multi-State Information Sharing and Analysis Center—aims to improve overall cyber security for local, territorial, tribal, and state governments. It achieves this objective by promoting collaboration and information sharing between members, the United States Department of Homeland Security, and private-sector partners.
- The Security Benchmarks—creates and promotes consensus-based standards to improve the security and privacy of Internet-connected systems and ensure the integrity of private and public Internet-based transactions and functions.
- The Trusted Purchasing Alliance—helps private and public sectors procure cyber security policies and tools cost-effectively.
The CIS provides its members with various resources, including emails detailing cyber safety tips, online papers and guides, instructional videos, and informative podcasts. Additionally, the CIS offers cyber security policy development advice at all levels, including national and international parties.
4. SOC2 Framework:
The Service Organization Control (SOC) Type 2 was developed by the American Institute of Certified Public Accountants (AICPA) to provide a trust-based cyber security framework and auditing standard. It helps verify that partners and vendors manage client data securely.
The SOC2 framework defines over 60 compliance requirements and extensive auditing processes for third-party controls and systems. A SOC2 audit may take a year to complete, and at the end of the process, auditors issue a report that attests to the vendors’ cyber security posture.
Since SOC2 is highly comprehensive, it is also one of the most difficult frameworks to implement. Organizations in the banking or finance sector may especially struggle to implement SOC2 because they are required to meet a higher standard for compliance. Still, this framework is highly important and should serve as a central tool in third-party risk management programs.
5. NERC-CIP:
The North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) provides a set of cyber security standards for the utility and power sectors. NERC CIP was created in response to the rise in attacks on critical US infrastructure and increasing third-party risks. It aims to help reduce cyber risk and maintain the reliability of bulk electric systems. The NERC CIP framework requires organizations to identify and mitigate risks in their supply chain. It specifies various controls to help identify and mitigate supply chain risks, including:
- Categorize systems and critical assets
- Train personnel
- Create and plan incident response programs
- Design effective recovery plans for critical cyber assets
- Perform ongoing vulnerability assessments
6. Cloud Security Alliance (CSA):
The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into security best practices for cloud computing and using cloud technologies to secure other forms of computing. CSA offers membership to any interested parties with the relevant expertise to contribute to cloud computing security.
CSA employs the expertise of its global members, which include industry practitioners, governments, associations, and corporations, to provide cloud security resources, such as research, certification, education, products, and events.
The organization facilitates activities and knowledge to benefit the entire cloud community. For example, it provides a forum that enables various parties to collaboratively create and maintain a trusted cloud ecosystem.
7. Cybersecurity and Infrastructure Security Agency (CISA):
The Cybersecurity and Infrastructure Security Agency (CISA) is a division of the Department of Homeland Security (DHS) responsible for defending the Internet’s infrastructure and improving its security and resilience. It helps protect against infrastructure threats originating from natural disasters, terrorist attacks, cyber warfare, and similar events.
CISA constantly identifies and assesses threats to Internet infrastructure, consulting with the government as well as the private sector. It provides many resources, including threat analysis, cyber security tools, and incident response across .gov websites. CISA delivers tools for technical coordination country-wide to facilitate emergency communications between partners.