Cybersecurity compliance has become something of a hot topic in recent times thanks to the sudden spike in digitization that swept the world in the wake of the pandemic.
Cybersecurity compliance has been steadily gaining a place in mainstream discourse due to the overwhelming impact that technology has on our lives. Facebook's admission to mishandling the data of over 50 million users in the infamous Facebook-Cambridge Analytica data scandal turned the spotlight on customer privacy and the flippant attitude with which major tech companies handled sensitive information.
The implementation of the General Data Protection Regulation (GDPR) by the European Parliament ushered in a new era for cybersecurity compliance as technology companies scrambled to win the confidence of their customers and regulators. Cybersecurity compliance is now seen as a strategic imperative for companies that are serious about doing business.
What Is A Cybersecurity Compliance Framework?
Despite all the fanfare surrounding it, cybersecurity compliance is still an area of confusion for many business leaders, simply because of the sheer diversity of business conditions and data types that companies end up processing. Different industries and different regions impose their own sets of controls on business entities, which can exacerbate this confusion. Taken together, the controls an organization must satisfy represent a fully functional cybersecurity program, and they constitute a cybersecurity compliance framework.
There is no one-size-fits-all solution when it comes to cybersecurity compliance frameworks. Each industry is unique and handles customer data differently.
For this reason alone, there are multiple frameworks, and most businesses end up using more than one framework depending on the kind of industries and regions they operate in.
To understand the different kinds of compliance frameworks that bind operations for companies that handle customer data, one must first understand the data subject to these frameworks. Critical data can be grouped under three major buckets: Personally Identifiable Information (PII), Protected Health Information (PHI), and Financial Information.
It must also be noted that the compliance landscape is starting to shift from implementing control-based requirements to risk-based requirements, which has triggered a worldwide metamorphosis in the kind of compliance frameworks that exist.
What Are The Different Cyber Security Frameworks?
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, introduced the NIST Cybersecurity Framework in 2014. Initially designed for the benefit of private sector organizations in the United States, the NIST Cybersecurity Framework is centered around five essential functions, namely:
- Identify
- Protect
- Detect
- Respond
- Recover
The NIST Cybersecurity Framework is one of the broadest frameworks provided by NIST and applies to almost any organization seeking to build a cybersecurity program.
IASME Governance
Envisioned by the Information Assurance for Small and Medium Enterprises (IASME) Consortium, the IASME Governance standard was meant to be an affordable and accessible alternative to the ISO/IEC 27001 standard.
IASME is unique because it originated as a partnership between British academics and Small/Medium Enterprises (SMEs) and is best suited for small businesses' cybersecurity needs.
Apart from covering data protection (through GDPR), it also covers risk management, cloud services, malware protection, vulnerability scanning, incident management, firewalls, security policy, and business continuity, amongst other crucial topics.
COBIT
COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for IT management and governance. COBIT is highly process-oriented: its approach links business and IT goals together in order to delineate the responsibilities of IT and business teams.
COBIT identifies and advocates five processes:
- Evaluate, Direct and Monitor (EDM)
- Align, Plan and Organise (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
COBIT was designed to cater to three objectives: legal compliance, increased agility, and increased earning potential.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is different from other cybersecurity frameworks because it is more holistic and targeted towards eliminating corporate fraud. Since COSO comprises mainly auditing and accounting bodies, the COSO framework is built upon the process of 'Internal control,' a broad concept in accounting that relates to organizational risk management.
The COSO Internal Control framework contains five interrelated components, which are largely self-explanatory: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
TC CYBER
TC Cyber is the Technical Committee (TC) Cyber Division, one of many technical groups operating under ETSI (European Telecommunications Standards Institute). ETSI's activities are geared towards supporting the development and testing of standards for ICT-enabled systems.
ETSI TC Cyber's focus on security has led the organization to work on multiple security aspects, each with its own set of standards. Its work spans nine areas, including protection of personal data and communication, enterprise/individual cybersecurity, cybersecurity tools, EU legislative support, forensics, and quantum-safe cryptography.
CISQ
The Consortium for IT Software Quality (CISQ) is a joint endeavor between Carnegie Mellon University's Software Engineering Institute (SEI) and the Object Management Group (OMG), a standards consortium.
CISQ's international standards, which aim to automate software quality measurement and promote the proliferation of secure, reliable, and trustworthy software, are built around three measurable aspects of source code: software size, structural quality, and technical debt.
CISQ's software security standard comprises 74 critical coding and architectural weaknesses to avoid in source code.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a set of standardized approaches to security assessment, authorization, and continuous monitoring, specifically for cloud products and services. It was introduced by the U.S. government and is now used across all of its executive departments and agencies.
FedRAMP builds on the NIST SP 800 series, and cloud service providers (CSPs) must undergo an independent security assessment by a third-party organization, mainly to ensure compliance with the Federal Information Security Management Act (FISMA).
FISMA
The Federal Information Security Management Act (FISMA) is a federal law enacted by the United States Congress and was one of the earliest to identify information security as a critical objective to be realized by all federal agencies.
FISMA's compliance framework prescribes a set of requirements that all information systems used by federal agencies ought to be subject to. These are:
- Information Systems Inventory
- Risk Level Categorization
- Security controls
- Risk Assessment
- System Security plan
- Certification and Accreditation
- Continuous Monitoring
SCAP
The Security Content Automation Protocol (SCAP) refers to a set of interoperable specifications used to enable automated vulnerability management, security measurement, and evaluation of the level of policy compliance of information systems deployed within organizations.
SCAP provides several open standards that are used to enumerate software flaws and security-related configuration issues. These standards are used to measure systems, identify vulnerabilities, and evaluate their possible impact.