Understanding the NIST Framework
NIST (National Institute of Standards & Technology) is a non-regulatory US government agency. The NIST Cybersecurity Framework focuses on improving critical infrastructure cybersecurity. It consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, & Recover.
The NIST Framework implementation process focuses on:
Prioritize and scope the controls.
Orient and determine the threats and vulnerabilities applicable to the system and its assets.
Create a current profile that establishes baseline data.
Conduct a risk assessment.
Determine, analyze, and prioritize gaps.
Implement a plan of action.
NIST standards are based on best practices drawn from a range of security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring strict security measures.
NIST SP 800-53 provides guidelines on security controls required for federal information systems.
NIST SP 800-37 helps promote near real-time risk management by continuously monitoring the controls defined in NIST SP 800-53.
NIST SP 800-137 guides enterprise-wide monitoring and reporting using automation.
NIST Framework Benefits
Superior and unbiased cybersecurity.
Enables long-term cybersecurity and risk management.
Ripple effects across supply chains and vendor lists.
Bridge the gap between technical and business-side stakeholders.
Flexibility and Adaptability of the Framework.
It is built for future regulation and compliance requirements.
Understanding the SOC2 Framework
The System and Organization Controls 2 (SOC2) framework is a set of standards designed to help organizations ensure the security, availability, processing integrity, confidentiality, and privacy of their systems and data. It is particularly relevant for service providers that store customer data in the cloud or provide SaaS solutions. The SOC2 certification is performed by an external auditor who checks and reports on how well the organization implements the five principles listed above.
There are two main types of SOC2 reports:
SOC2 Type I: This report evaluates the design and implementation of security controls at a specific point in time. It provides an overview of whether the organization's systems and processes are suited to the requirements of the trust services criteria.
SOC2 Type II: This report further assesses the design and operating effectiveness of the controls over a specified period (usually a minimum of six months). It provides a more comprehensive understanding of how well the controls operate in practice.
Adopting SOC2 principles is crucial for businesses to demonstrate their commitment to data security and privacy, assuring their customers and stakeholders.
Conducting Assessments and Evaluations
Assessment: The process of testing the subject against a checklist of requirements in a highly structured way, for measurement against an absolute standard.
Evaluation: A less systematic process of testing aimed at examining outcomes or proving usefulness, used for comparative measurements.
Audit: A rigid process in which an auditor compares the organization against a pre-defined baseline to identify areas for remediation. Audits are required in regulated industries such as payment card and data processing.
Scheduled Review: Similar to lessons learned, except that it occurs at regular intervals. It should be considered for significant incidents, trends & analysis, etc.
Continuous Improvement: The process of making small incremental gains to a product or service by identifying defects & inefficiencies for further refinement.
Continuous Monitoring: Continually evaluating the environment for new risks so they are detected faster. It improves situational awareness and relies on routine audits and real-time analysis.
Understanding the ISO 27001 Framework
ISO 27001 is the international standard that specifies an information security management system (ISMS). It is a systematic approach involving people, processes, and technology that helps an organization organize and manage its information security through risk management. ISO 27001 is built around the core cybersecurity concepts of the CIA triad.
Confidentiality: Protecting data or information by preventing unauthorized access by people, entities, or processes. E.g., encryption.
Integrity: Ensuring that the data remains fully accurate, preventing it from being modified or misused, and protecting it from corruption. E.g., hashing.
Availability: Ensuring that the information is accessible and usable as and when authorized users require it. E.g., backups.
ISO 27001 Benefits
The standard is designed so that organizations can manage their security best practices cost-effectively. It is technology- and vendor-neutral, irrespective of the organization's size, type, or nature. It helps an organization keep its information assets secure by offering a set of specifications, codes of conduct, and best practice guidelines for effective information security management.
Benefits of the ISO 27001 standard:
Secures an organization's information in all its forms (paper-based, digital, or cloud).
Increases the resilience of an organization to internal as well as external cyber-attacks. Whether the risk is technology-based or a common threat such as untrained and poorly informed staff, it protects what matters most.
Responds to the evolving threat landscape.
Reduces the costs associated with information security.
Makes security and its best practices part of business as usual and encourages a holistic approach.
ISO 27001 Controls that organizations need to implement:
Physical access control.
Firewall policies.
Security staff awareness programs.
Monitoring threats.
Incident management.
Encryption.
An ISO 27001 certification holds distinct market value by providing precise, externally validated proof of an organization's commitment to internationally accepted information security standards.
Other Frameworks
COBIT: Control Objectives for Information and Related Technologies is a framework for IT management and IT governance. Its business focus is on generic processes for the management of IT.
PCI-DSS: The Payment Card Industry Data Security Standard is a contractual requirement for anyone handling cardholder data, irrespective of whether the organization is small or large. The standard applies to credit/debit card transactions, service providers, and merchants selling products and services.
HIPAA: The Health Insurance Portability and Accountability Act safeguards protected health information (PHI) and provides data privacy for millions of people. HIPAA requires covered entities to ensure the confidentiality, integrity, and availability of PHI and to identify and protect against reasonably anticipated threats.
SOX: The Sarbanes-Oxley Act requires public companies to provide proof of accurate and secured financial reporting, subject to audit. It includes an internal controls report. A 5% discrepancy is permitted.
GDPR (General Data Protection Regulation): Personal data cannot be collected, processed, or retained without the individual's consent. A GDPR breach must be reported within 72 hours.
FISMA (Federal Information Security Management Act): Sets requirements for federal organizations to adopt information assurance controls.
GLBA (Gramm-Leach-Bliley Act): Sets the requirements that help protect the privacy of an individual's financial information held by financial institutions and others.