Risk frameworks give organisations systematic guidance on the risk management principles they must apply in order to meet particular levels or types of information security compliance. They include industry-specific standards such as the PCI DSS (Payment Card Industry Data Security Standard), which applies (at some level) to “ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data”, and, in the US, the second section of HIPAA (the Health Insurance Portability and Accountability Act), with which companies such as health insurers and medical service providers must comply. There is also a growing number of data privacy laws and regulations, such as the GDPR. Compliance with, and certification against, these frameworks, which are concerned with sensitive and personal information, is generally mandatory.
The US NIST Cybersecurity Framework and SOC 2, and the internationally recognised ISMS (Information Security Management System) standard ISO 27001, are industry best-practice frameworks that cover information security at a more general level. Indeed, ISO 27001 recognises that a truly comprehensive treatment of information security also covers low-tech aspects, such as recording where personal information is physically stored in filing cabinets and requiring background checks on employees who handle data. Cyber Essentials is a UK government scheme aimed at SMEs that provides ‘a set of basic technical controls to help organisations protect themselves against common online security threats’.
Applying a risk framework in full normally involves three main stages. In the case of ISO 27001, the organisation first investigates its relevant infrastructure and processes in order to assess and treat the various risks, and identifies the modifications and additions needed to meet the framework’s requirements or ‘control objectives’. These actions are then carried out in an implementation phase that brings the organisation into compliance with the framework. Finally, at the certification stage, an accredited certification body audits the organisation to verify that it meets the compliance requirements. The certification is renewed annually through follow-up audits.
Implementing a respected general risk framework such as ISO 27001 is an effective way to demonstrate – externally and internally – that your organisation has a robust and well-organised approach to information security. Although compliance with this type of framework is not a legal requirement, an increasing number of organisations (including the British government, ‘HMG’, and companies involved in critical infrastructure such as utilities) now insist that their suppliers comply. This is because applying an information security framework to your business significantly reduces supply chain and third-party risk of the kind that has caused a number of high-profile data breaches in recent years, along with other security problems. ISO 27001 also indicates that the organisation’s information security complies with the requirements of the GDPR.
Cybersecurity frameworks such as MITRE ATT&CK® and the OWASP Top Ten focus specifically on digital information security. MITRE ATT&CK® is a continually updated resource that catalogues the tactics and techniques currently in use by cybercriminals, advanced persistent threat (APT) groups and other hackers, together with recommended mitigations that can be used to prevent or disrupt attacks. The OWASP Top Ten is an online document that lists the ten most relevant current threats to websites and web applications. Some regulatory frameworks, such as PCI DSS (for organisations that take electronic credit and debit card payments), require organisations to show that they can manage the OWASP Top Ten risks and vulnerabilities. OWASP also produces a document on automated threats, or ‘bad bots’.