The 12 most important IT security frameworks & standards explained

2

NIST SP 800-53

NIST has developed an extensive library of IT standards, many of which focus on information security. The NIST SP 800 series, first published in 1990, addresses almost all aspects of information security, with an increasing focus on cloud security.

NIST SP 800-53 is the information security benchmark for U.S. government agencies and is widely used in the private sector. SP 800-53 has helped drive the development of information security frameworks, including the NIST Cybersecurity Framework (NIST CSF)

3

NIST SP 800-171

NIST SP 800-171 has gained popularity due to the requirements established by the U.S. Department of Defense for contractor compliance with security frameworks. Due to their proximity to government information systems, government contractors are a frequent target of cyberattacks. Government manufacturers and subcontractors must have an IT security framework in place in order to bid on federal and state business opportunities.

The controls contained in the NIST SP 800-171 framework are directly related to NIST SP 800-53, but are less detailed and more general. It is possible to create a transition between the two standards when an organization needs to demonstrate compliance with NIST SP 800-53, using NIST SP 800-171 as the foundation. This creates flexibility for smaller organizations to demonstrate compliance as they grow using the additional controls included in NIST SP 800-53.

4

NIST CSF

The NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) was developed as part of Executive Order 13636 published in February 2013. It was developed for U.S. critical infrastructure, including power generation, water supply, food supply, communications, healthcare, and transportation. These industries must maintain a high level of preparedness as they have all been targeted by nation-state actors due to their importance.

5

NIST SP 1800 series

The NIST SP 1800 series is a series of guides that complement the standards and frameworks in the NIST SP 800 series. The SP 1800 publication series provides information on the implementation and application of standards-based cybersecurity technologies in real-world applications.

The SP 1800 series releases offer the following:

• Examples of specific situations and skills.
• Experience-based how-to approaches with multiple products to achieve the desired result.
• Modular skills implementation guide for organizations of all sizes.
• Specifications of the required components as well as installation, configuration and integration information so that companies can easily replicate the process themselves.

6

COBIT

COBIT was developed in the mid-1990s by ISACA, an independent organization of IT governance experts. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.

COBIT originally focused on the reduction of IT risks. COBIT 5 was released in 2012 and incorporated new technology and business trends to help organizations align IT and business objectives. The current version is COBIT 2019, which is the most widely used framework for achieving SOX compliance. Numerous publications and professional certifications address the COBIT requirements.

7

CIS controls

The Center for Internet Security (CIS) Critical Security Controls, Version 8 – formerly the SANS Top 20 – lists technical security and operational controls that can be applied to any environment. It is not concerned with risk analysis or risk management like NIST CSF; rather, it is solely concerned with reducing risk and increasing the resilience of technical infrastructures.

The 18 CIS controls include the following:

• Inventory and control of company assets
• Data protection
• Monitoring log management
• Malware defense
• Penetration tests

CIS Controls are linked to existing risk management frameworks to help address identified risks. They are useful resources for IT departments that lack experience in technical information security.

8

HITRUST Common Security Framework

The HITRUST Common Security Framework (CSF) includes risk analysis and risk management frameworks as well as operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare.

HITRUST CSF is a massive undertaking for any organization because of the importance of documentation and processes. As a result, many organizations end up defining smaller focus areas for HITRUST. The cost of obtaining and maintaining HITRUST certification adds to the expense of implementing this framework. The certification is audited by a third party, which provides an additional level of validity.

9

GDPR

The GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens’ personal data. GDPR requirements include controls to restrict unauthorized access to stored data and access control measures, such as least privilege, role-based access and multi-factor authentication.

10

COSO

COSO is a joint initiative of five professional associations. Its “Internal Control – Integrated Framework”, published in 1992 and updated in 2013, helps companies to achieve a risk-based approach to internal controls. It comprises the following five components:

• Control environment
• Risk assessment and management
• Monitoring activities
• Information and communication
• Monitoring

COSO published its Enterprise Risk Management (ERM) – Integrated Framework in 2004 and updated it in 2017. The framework, which is designed to help organizations improve their cyber risk management, comprises 20 principles in the following five components:

• Governance and culture
• Strategy and objectives
• Performance
• Review and revision
• Information, communication and reporting

A guidance paper published in 2019 entitled “Managing Cyber Risk in a Digital Age” provides advice on how to prepare for and respond to cyber threats to organizations. It aligns with the COSO ERM Framework.

11

FISMA

The Federal Information Security Modernization Act (FISMA), which is closely aligned with the NIST Risk Management Framework, provides a security framework to protect federal government data and systems. FISMA was introduced in 2002 and updated in 2014. An update has been proposed in 2023. Legislation is still pending.

FISMA requires federal agencies and their third parties, contractors, and vendors to develop, document, and implement security policies and practices, including monitoring their IT infrastructure and conducting periodic security reviews.

12

NERC CIP

The North American Electric Reliability Corporation’s Critical Infrastructure Protection is a framework of 14 ratified and proposed standards applicable to utilities on the bulk power grid. The standards describe recommended controls and guidelines for monitoring, regulating, managing and maintaining the security of critical infrastructure systems.

The CIP standards include the following:

• CIP-004-6 Cybersecurity – Personnel and training
• CIP-008-6 Cybersecurity – Incident reporting and response planning
• CIP-013-1 Cybersecurity – Risk management in the supply chain
• CIP-014-1 Physical security

Owners, operators and users of large power grids must comply with the NERC CIP framework.