Which framework is right for you? Are there regulations in your industry that outline a specific framework your security program has to follow? We’ve highlighted three of the most popular primary cybersecurity models that organizations globally follow to reach a maturity program level. We also laid out three of the more common secondary, industry-specific cybersecurity models.
A mature cybersecurity program is one where the processes, tools, and people are all aligned and working together so that the program is successful at mitigating risk. A mature program has buy-in from executive leadership, but also has goals that are felt across the entire organization. There will always be risks and vulnerabilities that plague mature cybersecurity programs, but there are actionable and agreed upon plans in place that partners and vendors agree to when working with a mature cybersecurity program.
The specifics of program maturity boil down to the cybersecurity model chosen and what is counted as mature for each model. Cybersecurity models also can outline the order in which different steps should happen to reach program maturity.
National Institute of Standards and Technology (NIST) is a cybersecurity model commonly used by organizations in the US. Establishing and communicating your organization’s tolerance for risk is key to increase program maturity, in accordance to this model. The NIST framework also accounts for the rapidly changing nature of cybersecurity threats, and advises its followers to continuously adjust their monitoring techniques and remediation strategies to match the ongoing threat environment.
The NIST cybersecurity model follows five key phases to reaching a mature security management program:
The NIST cybersecurity model acknowledges the current practices most organizations use to protect their network. Instead of starting new, it guides organizations to better use what they’re already doing and add in the right steps to reach program maturity.
ISO 27000 is an international standard, created by the Internal Organization for Standardization (ISO) to highlight best practices for information security management systems. This cybersecurity model is more popular among organizations in the European Union, and focuses attention on the three main areas of a mature cybersecurity management program: people, processes, and technology. The recommendations of the ISO 27000 cybersecurity model is broken down into the following areas for security managers to use best practices to reach program maturity:
Similarly to the NIST framework, ISO 27000 guides organizations beyond the typical cybersecurity management practices to include greater security standards and protections. ISO 27000 includes management of critical physical and operational security measures, and is broken down into ISO 27000 Series to get more specific into the actual implementation and design of this cybersecurity model.
Image from tcdi.com
The final cybersecurity model many organizations follow to reach program maturity is the CIS 20. Designed by the Center for Internet Security after the US defense industry experienced a data breach in 2008, the CIS 20 is a series of 20 controls deemed critical to protect an organization’s network from expansive cyber attacks.
The CIS 20 is broken down into 3 main categories of controls:
The CIS 20 cybersecurity model is designed to be all-encompassing, and require extreme attention and care to an organization’s cybersecurity management process.
Besides the three most popular cybersecurity models listed above, there are also industry-specific secondary frameworks organizations may be required to, or choose to follow.
HIPAA - Specific to the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) was created to require healthcare organizations to protect the privacy and highly sensitive information of patients. HIPAA extends to organizations beyond healthcare when it comes to employee health information collected for insurance or medical leave purposes, but the cybersecurity model mainly applies to healthcare organizations that need to follow three key components:
PCI DSS - The Payment Card Industry (PCI) Data Security Standard (DSS) regulations focus on the protection of consumer payment information stored by card processing transactions. There are 12 requirements for an organization to be deemed PCI DSS compliant, which is required by all companies that process or transmit cardholder information as part of their business.
GDPR - The European Union’s General Data Protection Regulation (GDPR) focuses on the requirements of organizations in the EU to protect consumer data. The cybersecurity model also includes data protection for information transferred from an EU-based organization to somewhere else geographically. The GDPR requirements include:
There are many cybersecurity models for organizations to both choose from, or to be required to follow. It’s also important for a lot of businesses to become certified for following a specific framework to best represent themselves compared to their competition.
BitSight customers use their access to BitSight Security Ratings and expansive cybersecurity monitoring technology to comply with cybersecurity models and maturity frameworks. To get started complying with regulations or maturity frameworks in your industry, request a BitSight demo today.
While security ratings are a great way to demonstrate that you’re paying attention to the cyber health of the organization you also need to show that you’re adhering to industry and regulatory best practices for IT security and making...
In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an update to the Information Technology Examination Handbook (IT Handbook). This handbook is a guide for examiners at its member agencies, which...