Risk

3/15/2021
10:00 AM
Lewis Huynh
Commentary
How to Choose the Right Cybersecurity Framework

Cybersecurity frameworks can help reduce your risk of supply chain attacks and increase your competitive advantage.

The dramatic rise in ransomware attacks and the SolarWinds Orion hack have thrust cybersecurity back into the spotlight. With everyone a target, it's time for organizations to implement cybersecurity frameworks like those provided by the National Institute of Standards and Technology (NIST), which can help you set a bar for measuring your cybersecurity effectiveness.

Taking Your First Steps
Start by setting goals for your cybersecurity program that align with the business's needs. Stakeholders from across the organization — from the C-suite and upper management to support teams and IT — should be involved in the initial risk-assessment process and setting a risk-tolerance level.

While deciding where to start your implementation can feel like trying to boil the ocean, one way to make it less intimidating is to run a pilot program focused on a single department. This can help uncover lessons about what does and doesn't work, what tools will help you succeed, and best practices for a wider rollout.

From there, identify the type of data the organization processes and map out its life cycle. A simple model will help lay a foundation for understanding the organization's cybersecurity risk and identify points along the supply chain to invest more time and resources. Business tools and software are often important sources and collectors of data, so ask vendors about their data privacy policies to ensure they reflect your goals.

With a basic understanding of the goals, project scope, and current data privacy and life-cycle processes, it will be much easier to select a cybersecurity framework.

Picking the Right Security Framework
A good cybersecurity framework will help you identify risks, protect company assets (including customer data), and put steps in place to detect, respond to, and recover from a cybersecurity event. There are many frameworks, but the following three stand out as especially relevant to the types of attacks, such as ransomware and supply chain compromises, that are growing in frequency.

NIST Cybersecurity Framework (CSF Rev 1.1)
The NIST Cybersecurity Framework (NIST CSF) was first published in 2014 (version 1.1 followed in 2018) for private sector critical infrastructure such as utilities, water supply, telecommunications, financial services, and healthcare. As a voluntary set of guidelines that describes security outcomes rather than mandating specific controls, the framework guides cybersecurity activities through a lens of aligning risk management with business needs.

The NIST CSF consists of three parts: the Core, the Implementation Tiers, and the Framework Profiles. It was designed so that any organization, regardless of size or sector, can apply its principles and best practices, and it is widely used as a common reference for describing a security program.

The NIST CSF is not one-size-fits-all. The Core is divided into five functions: Identify, Protect, Detect, Respond, and Recover, each broken down into categories and subcategories that describe desired outcomes. Each subcategory carries Informative References that map it to concrete controls in standards such as NIST SP 800-53, ISO/IEC 27001, and the CIS Controls, so an organization can first implement the outcomes critical to service delivery now and use a Target Profile to plan the rest as requirements arise. Even a partial implementation reduces cybersecurity risk and gives management a measurable baseline to track progress against.

NIST 800-53 (Rev. 5)
NIST SP 800-53 originated in 2005 and is mandatory for federal information systems under Federal Information Processing Standard 200 (FIPS 200), which sets the minimum security requirements and uses the FIPS 199 high-water mark (HWM) of the confidentiality, integrity, and availability impact levels to select a baseline. National Security Systems (NSS) are handled separately: they apply the same 800-53 control catalog through CNSSI No. 1253, which categorizes each security objective individually rather than using the high-water mark. Now in its fifth revision (published in September 2020), the catalog outlines security and privacy controls covering policy, oversight, manual processes, and automated mechanisms implemented by systems or individuals, and Rev. 5 deliberately dropped the word "federal" so the controls apply equally to the private sector.

The controls are organized into 20 families, each relating to a specific topic such as awareness and training (AT), identification and authentication (IA), or supply chain risk management (SR). Because it was designed for federal information systems, NIST SP 800-53 offers a comprehensive catalog of controls for the collection, processing, storage, transfer, and protection of sensitive information. It is a control catalog rather than an implementation guide, but its control enhancements and supplemental guidance are specific enough to drive practical work, from building a security awareness program that counters phishing to hardening servers and Web services against external attackers.

Cybersecurity Maturity Model Certification & NIST 800-171 (Rev. 2)
In late 2020, through a DFARS interim rule that took effect on Nov. 30, 2020, the Department of Defense (DoD) officially introduced a new cybersecurity certification requirement for its contractors and subcontractors. The Cybersecurity Maturity Model Certification (CMMC) as introduced consists of five levels, each adding practices and process maturity requirements for the secure handling of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) on private sector information systems. Level 1 corresponds to the 17 basic safeguarding requirements of FAR 52.204-21, and Level 3 incorporates all 110 security requirements of NIST SP 800-171 Rev. 2 plus additional practices. (CMMC 2.0, announced in November 2021, later collapsed the model to three levels aligned directly with FAR 52.204-21, NIST SP 800-171, and a subset of NIST SP 800-172.) CMMC was purposefully designed to protect the DoD against supply chain attacks that could disrupt military and defense operations. Under the original rollout plan, all DoD contracts were to require some level of CMMC accreditation by October 2025.

For private sector organizations handling federal information, the CMMC is a prescriptive framework: it enumerates the practices and processes required at each level, and its assessment guides spell out how each practice is evaluated, with the aim of increasing security, reducing risk, and maturing security management. Using this framework can also be a competitive advantage for businesses. Similar requirements are likely to spread to other federal departments and their contractors and subcontractors, and as enterprise customers tighten their own data protection and privacy requirements, a CMMC certification can open many new doors.

Cybersecurity Is a Business Decision
Whether a business is just starting on its security journey or looking to improve the policies and procedures it has in place, investing in security is a long-term business decision. With security becoming an ever-growing focus for consumers and end users, cybersecurity frameworks can help simplify the transformation and set the organization up for success.

Lewis Huynh is a seasoned cybersecurity professional and technologist with decades of hands-on experience. From hacking PCs and learning machine learning languages at a young age to pioneering DevOps and cloud networks, Huynh has extensive knowledge of some of the most ...