
Cybersecurity Frameworks: A Simplified Guide to Compliance

The essentials of what you need to know about 10 common frameworks and how to benefit from these structured approaches for reducing cybersecurity risk

Explainer

Cybersecurity frameworks provide a systematic way for IT teams to address security risks, implement proven safeguards against specific forms of attack, and demonstrate compliance with regulations required for government organizations and in industries such as retail and healthcare.

In today’s growing threat landscape, where attacks are more subtle and sophisticated than ever, these frameworks are essential (and some mandatory) for ensuring the safety and integrity of an organization’s information systems.
 
In this blog post, we’ll outline cybersecurity frameworks in general and provide an overview of ten popular cybersecurity standards.
 
We’ll also discuss how to determine which standards to include in your security strategy, and what you can do to effectively protect against evolving cyber threats by streamlining compliance efforts.
 

What are cybersecurity frameworks?

A cybersecurity framework is a set of guidelines, best practices, and standards designed to help organizations manage and reduce their cybersecurity risks. It provides a structured approach for identifying, protecting, detecting, responding to, and recovering from cyber threats.

Adhering to a cybersecurity framework improves an organization’s security posture and brings structure to managing cyber risk. Those benefits come with costs: frameworks are updated frequently, grow more complex over time, demand staff and budget, and must be aligned with existing data security and risk management practices if compliance is to be maintained.

Understanding these frameworks matters because they provide a strategic roadmap for safeguarding valuable information and staying resilient against cyber threats.

What are the different types of IT security frameworks?

Let’s explore ten common cybersecurity standards to understand which frameworks may benefit your organization and why.

10 popular cybersecurity standards explained

  1. Control Objectives for Information and Related Technology (COBIT)

    ISACA, a global professional organization for IT practitioners, developed the Control Objectives for Information and Related Technology, known as the COBIT standard. The COBIT framework is designed to help organizations govern and manage enterprise information and technology. It does not prescribe the use of specific technologies.

    Instead, it sets out standards for how organizations should implement IT governance and management processes, taking into account the needs of all stakeholders and working from an agreed-upon list of priorities. The standard sets forth components for proper governance, including organization structures, information flows, and so on.

    By adopting COBIT, enterprises can ensure their IT and security decision-making aligns with overall business goals and organizational best practices. COBIT is not an alternative to other cybersecurity standards. In fact, it’s possible to follow COBIT as the governance layer while implementing other standards, such as the NIST Cybersecurity Framework, underneath it.

  2. Cybersecurity Maturity Model Certification (CMMC)

    The Cybersecurity Maturity Model Certification, or CMMC framework, is a U.S. federal program designed to protect the Defense Industrial Base (DIB) sector, the worldwide set of contractors and subcontractors that develop weapons systems and other technology for the U.S. military, from cyber threats.

    Specifically, the CMMC framework is designed to ensure companies developing systems to support U.S. warfighters meet Department of Defense (DoD) cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information (CUI).

    The latest version of the CMMC, the CMMC 2.0 program, consists of these three features:

    1. A tiered model for cybersecurity standards: Companies entrusted with national security information must implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information handled. The program also defines processes for protecting sensitive information flowing to subcontractors.

    2. Assessment requirements: Periodic assessments let the DoD verify that contractors have actually implemented the required cybersecurity standards.

    3. Implementation through contracts: Once CMMC is fully implemented, certain DoD contractors who handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of being awarded a contract.

    CMMC 2.0 also establishes three levels of cybersecurity standards:

    1. Level 1 features 15 cybersecurity requirements, drawn from FAR 52.204-21, for protecting Federal Contract Information (FCI). DIB companies operating at this level perform an annual self-assessment and affirmation.

    2. Level 2 features 110 cybersecurity requirements aligned with NIST Special Publication (SP) 800-171, a federal standard for protecting CUI in nonfederal systems and organizations. This level requires a triennial assessment, either a self-assessment or an assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the contract, plus an annual affirmation.

    3. Level 3 features the 110 NIST SP 800-171 requirements plus 24 selected from NIST SP 800-172, a federal standard with enhanced security requirements for protecting CUI against advanced persistent threats. It requires a triennial government-led assessment by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and an annual affirmation.

    To note: The Center for Internet Security (CIS), a U.S. nonprofit organization founded in 2000 to “help people, businesses, and governments protect themselves against pervasive cyber threats,” publishes a mapping of its CIS Critical Security Controls v8 to CMMC 2.0. DIB companies can use that mapping to see which CIS controls satisfy which CMMC practices, and so which controls and processes they still need for CMMC 2.0 compliance.

    [Read also: What does the Cybersecurity Maturity Model Certification (CMMC) mean for my business?]

  3. Federal Information Security Modernization Act (FISMA)

    FISMA was originally enacted in 2002 as the Federal Information Security Management Act. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the agency’s operations and assets, including those provided or managed by another agency, contractor, or other source. The Federal Information Security Modernization Act of 2014 updated the law and gave it its current name; both versions are referred to as FISMA.

    FISMA defines a compliance framework that includes:

    1. Creating an inventory of information systems

    2. Categorizing information and information systems according to the impact a loss of confidentiality, integrity, or availability would have, using FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”

    3. Implementing security controls as described in NIST SP 800-53, with FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” setting the mandatory minimum
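    As an added example (not code from the original post), the categorization step in the list above expressed in Python. It applies the FIPS 199 rules: each information type gets a security category per objective, the system’s category is the high-water mark across every information type it handles, and the overall impact level, which selects the NIST SP 800-53 Low, Moderate or High baseline, is the high-water mark across the three objectives. The information types and their impact levels are constructed for illustration and do not come from any real agency’s NIST SP 800-60 mapping.

```python
# Added example (not from the original post): FIPS 199 security categorization,
# the FISMA step "categorize information and information systems".
# Information types and impact levels below are constructed for illustration;
# an agency derives the real ones from its own NIST SP 800-60 mapping.
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    NA = 0        # "not applicable": allowed only for confidentiality of public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_info_type(confidentiality: Impact, integrity: Impact,
                         availability: Impact) -> Dict[str, Impact]:
    """Security category of one information type:
    SC = {(confidentiality, x), (integrity, y), (availability, z)}.
    FIPS 199 permits N/A only for confidentiality (e.g. public web content);
    integrity and availability always carry a potential impact."""
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError("FIPS 199 permits 'not applicable' only for confidentiality")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def categorize_system(info_types: Iterable[Dict[str, Impact]]) -> Dict[str, Impact]:
    """Security category of an information system: for each objective, the
    high-water mark across every information type the system handles.
    At the system level N/A is not permitted, so the floor is LOW even when
    every information type on the system is public."""
    types = list(info_types)
    return {obj: max([Impact.LOW, *(t[obj] for t in types)]) for obj in OBJECTIVES}


def overall_impact(system_category: Dict[str, Impact]) -> Impact:
    """Overall impact level of the system: the high-water mark across the
    three objectives. This is what selects the SP 800-53 Low, Moderate or
    High control baseline."""
    return max(system_category.values())


# Constructed sample: a public-facing benefits portal that serves static
# public content and also stores applicants' eligibility records.
SAMPLE_INFO_TYPES = [
    # public web pages: no confidentiality impact, low impact if defaced or unavailable
    categorize_info_type(Impact.NA, Impact.LOW, Impact.LOW),
    # eligibility records: moderate impact if leaked or altered, low if unavailable
    categorize_info_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    system = categorize_system(SAMPLE_INFO_TYPES)
    for obj in OBJECTIVES:
        print(f"{obj:<16} {system[obj].name}")
    print("overall system impact:", overall_impact(system).name)
```

    For the sample portal the system categorizes as confidentiality MODERATE, integrity MODERATE, availability LOW, so the overall level is MODERATE and the Moderate baseline of SP 800-53 applies. The LOW floor in `categorize_system` is the detail most often missed: a system that only serves public information still has at least a Low impact level and still needs a baseline.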

    Overall, FISMA takes a risk-based approach to protecting information systems. It requires federal agencies to provide “…information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected/maintained by or on behalf of an agency, information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”

  4. General Data Protection Regulation (GDPR)

    The General Data Protection Regulation, called GDPR, took effect on May 25, 2018. GDPR is European Union (E.U.) legislation requiring organizations that process the personal data of people in the E.U. (roughly what U.S. usage calls personally identifiable information, or PII) to have data privacy and security controls in place. It also gives individuals the right to request copies of their data, have it corrected, and have it deleted.

    Public authorities, and organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive categories of data, must appoint a Data Protection Officer (DPO) to oversee how personal data is managed, ensuring that security controls are in place and that the organization can respond to individuals’ requests in a timely manner. The law also sets forth rules about what data can be collected and how it can be used.

    And violating GDPR can be costly. GDPR fines can reach as high as 4% of the organization’s worldwide annual turnover for the preceding financial year or 20 million euros, whichever amount is higher.

    GDPR was the first sweeping data privacy law in the internet age. It has served as the model for data protection laws and regulations in other regions. For example, the California Consumer Privacy Act, which also passed in 2018, shares many features with GDPR.

    [Read also: 10 ways Tanium improves data risk and privacy]

    Any organization doing business with E.U. residents must comply with the GDPR. Because so many companies do business with E.U. residents, GDPR has become a general requirement for doing business online.

    Since the law is being used as a model for legislation in other regions, it deserves the attention of companies worldwide. If a company has a cybersecurity program with data management and data security controls in place to comply with GDPR, it’s probably in good shape to comply with other data privacy regulations in other regions or specific industries.

  5. Health Information Trust Alliance (HITRUST CSF)

    HITRUST is a privately held, for-profit company based in Frisco, Texas. It created a cybersecurity standard originally called the HITRUST Common Security Framework and now called HITRUST CSF. The framework consolidates requirements from multiple sources, such as HIPAA and the ISO/IEC 27000 series (including ISO/IEC 27001), so that a single assessment can support compliance with several of them.

    Despite HITRUST CSF being widely adopted, some cybersecurity professionals consider the framework cumbersome and outdated. However, many healthcare organizations choose to use HITRUST CSF compliance not only to achieve HIPAA compliance but also to implement security controls to minimize vulnerabilities and improve protection against cyber threats, such as malware, phishing, and business email compromise (BEC).

  6. Health Insurance Portability and Accountability Act (HIPAA)

    The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, is the essential privacy and security standard for the U.S. healthcare industry. It requires covered entities, meaning healthcare providers, health plans (payers such as insurers, Medicare, and Medicaid), and healthcare clearinghouses, together with their business associates, to protect the privacy and security of protected health information (PHI). PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits.

    The “portability” in the act’s title refers to continuity of health insurance coverage when people change or lose jobs. The privacy and security requirements come from the act’s Administrative Simplification provisions and the Privacy Rule and Security Rule issued under them, which set strict requirements for safeguarding PHI whether it is stored or transmitted. The Security Rule names general categories of safeguards, such as encryption and access controls, but doesn’t specify software tools or processes for securing PHI. HIPAA’s requirements aim to promote cybersecurity best practices and minimize the risk of data breaches affecting PHI.

    Companies that fail to comply with HIPAA can face hefty civil fines, potentially reaching several million dollars. They might also suffer lasting reputational damage. In addition to organizational penalties, HIPAA carries criminal penalties for individuals. Knowingly obtaining or disclosing PHI in violation of the act can result in a fine of up to $250,000 and up to ten years in prison in the most serious cases, where the offense is committed with intent to sell the information or use it for commercial advantage, personal gain, or malicious harm.

    Learn how your organization can manage HIPAA compliance with Tanium

  7. International Organization for Standardization (ISO) 27001, ISO 27002

    ISO/IEC 27001 and ISO/IEC 27002, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), are international standards that take a holistic approach to cybersecurity, emphasizing people, policies, and technology.

    ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS); it is the standard an organization is certified against. ISO/IEC 27002 is implementation guidance rather than a certification standard: it details the controls listed in ISO/IEC 27001’s Annex A, covering areas such as access control, cryptography, human resource security, and incident management.

    Both standards promote cyber readiness and protect data confidentiality, integrity, and availability. They help companies reduce cyber risks and lower IT costs.

    All companies, regardless of their industries or geo-locations, can benefit from applying these standards.

  8. National Institute of Standards and Technology (NIST)

    The National Institute of Standards and Technology (NIST) is a U.S. Department of Commerce agency that develops standards and guidelines, including cybersecurity publications such as:

    NIST Special Publication (SP) 800-53 provides a catalog of security and privacy controls for information systems and organizations; its controls form the foundation of almost any organization’s security program.

    NIST SP 800-171 sets forth security requirements for nonfederal organizations that process, store, or transmit controlled unclassified information (CUI).

    NIST SP 800-172 complements NIST SP 800-171 with additional requirements for protecting CUI.

    The NIST Cybersecurity Framework (CSF) is a voluntary framework of security outcomes, organized into the functions Govern, Identify, Protect, Detect, Respond, and Recover, originally developed to improve the protection and resilience of critical infrastructure. CSF 2.0, released in 2024, is explicitly aimed at organizations of all sizes and sectors.

    The breadth of NIST’s cybersecurity publications is impressive. The agency has published guidance for securing everything from federal IT systems to genomic data. Other cybersecurity frameworks, such as CMMC 2.0, use NIST publications as the baselines for their security controls.

    Download a free NIST framework checklist to see how Tanium can help

    Attacks against critical infrastructure — which includes organizations that provide essential services such as energy, healthcare, and financial services — have increased in recent years. Critical infrastructure organizations should consider adopting the NIST CSF to help improve their cybersecurity postures and defend against these attacks.

    Every business can benefit from following NIST guidelines for cybersecurity. One benefit of adopting NIST frameworks is that the agency continues to review and update its standards, taking into account new technologies, security threats, and suggestions from security practitioners.

  9. Payment Card Industry Data Security Standard (PCI DSS)

    The Payment Card Industry Security Standards Council (PCI SSC), a global forum dedicated to promoting the security of account data, developed the Payment Card Industry Data Security Standard, or PCI DSS, to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.

    Security is vital to the payment card industry, and PCI DSS is the foundational security benchmark for anyone who stores, processes, or transmits cardholder data. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data, organizing its 12 requirements into six goals:

    1. Build and maintain a secure network and systems

    2. Protect cardholder data

    3. Maintain a vulnerability management program

    4. Implement strong access-control measures

    5. Regularly monitor and test networks

    6. Maintain an information security policy

    Before PCI DSS was adopted, the five major card brands (American Express, Discover, JCB, Mastercard, and Visa) each had their own security standards for protecting account data and combating fraud. By adopting a common standard, the card industry made it easier for merchants and service providers to comply with best-practice security measures, and it avoided government legislation mandating controls like those in PCI DSS. Using this standard, the industry more or less polices itself.

    Merchants who accept card payments must meet the requirements of PCI DSS. How they validate compliance depends on the merchant level the card brands assign based on annual transaction volume: a merchant processing a few thousand transactions a year typically completes a Self-Assessment Questionnaire (SAQ), while the largest merchants need an annual Report on Compliance (ROC) from a Qualified Security Assessor (QSA). In both cases, compliance with PCI DSS is validated annually.

    See how Tanium can help organizations meet PCI DSS requirements

  10. System and Organization Controls 2 (SOC 2)

    SOC 2, originally “Service Organization Control 2” and now “System and Organization Controls,” is a voluntary attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for reporting on how service organizations store, manage, and secure customer data.

    A SOC 2 examination evaluates controls against the AICPA’s Trust Services Criteria, organized around five categories. Security is always in scope; the other four are included as the service organization chooses:

    1. Availability

    2. Confidentiality

    3. Privacy

    4. Processing integrity

    5. Security

    When a service organization, such as a commercial company accepting and processing customer data through a website, wants to demonstrate its responsible handling of that data, it can undergo a SOC 2 examination by an independent CPA firm. A Type I report covers the design of controls at a point in time; a Type II report also covers their operating effectiveness over a period, typically six to twelve months. SOC 2 is an attestation rather than a certification, so there is no pass or fail in the strict sense: the report contains the auditor’s opinion and any exceptions found, and a clean (unqualified) report lets the organization show customers, investors, and others that it has implemented sufficient risk management controls to minimize the risk of data breaches and other cybersecurity incidents.

Which framework is best for cybersecurity?

There’s no single answer to what cybersecurity framework is best. Some of these standards, such as HIPAA and HITRUST CSF, are specific to a particular industry, such as healthcare. Others are focused on certain types of data. For example, PCI DSS provides guidelines and best practices for protecting payment card account data but doesn’t address other types of risk. Standards such as NIST SP 800-53 provide a foundational catalog of security controls that most organizations may consider adopting.

Which frameworks to adopt depends on an organization’s cybersecurity goals, industry-specific requirements, and capacity for investing in compliance with multiple, possibly overlapping frameworks.

How do cybersecurity frameworks improve organizational security posture?

Cybersecurity frameworks provide guidelines that have been developed, refined, tested, and proven over time. They give organizations clear directions and benchmarks for directing their cybersecurity efforts and measuring the success of those efforts periodically. They can also help an organization meet essential regulatory requirements and demonstrate to customers, investors, regulators, and others that it takes cybersecurity seriously.

Cybersecurity frameworks are a top-down approach to cybersecurity. They provide blueprints based on principles such as security and availability and then work out the details of how to support those principles in practice.

A complementary approach is strengthening security controls from the bottom up, beginning with the endpoints and data employees work with daily. Real-time visibility into, and control over, every endpoint in your enterprise, including desktops, laptops, tablets, servers, and more, lays the foundation for complying with whatever cybersecurity framework or combination of frameworks you choose to implement. Continuously monitoring endpoints across the enterprise for risks supports quick threat mitigation and improves your posture.

Applying AI and automation further strengthens the practice of endpoint management. Our vision for Autonomous Endpoint Management (AEM) streamlines security workflows, accelerates the time to investigate and mitigate threats, and reduces IT and security workloads.

In addition, AEM will provide detailed visibility and reporting that helps demonstrate to auditors and others how the organization meets specific cybersecurity standards. Learn more about our framework for AEM, including the future of Tanium Converged Endpoint Management (XEM) and our Risk & Compliance solution.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.
