Security Frameworks
- On 27/10/2020
The following is a reasonably comprehensive list of each major global security framework. Their presence here is not an endorsement, just a resource if you are looking for references.
Links are provided but may become broken over time if source sites modify page addresses. Where this is the case the frameworks may be easily found via a web search.
ANSI
The American National Standards Institute (ANSI) is a private non-profit organization that oversees the development of voluntary consensus standards for products, services, processes, systems, and personnel in the United States.
Australian Government Protective Security Policy Framework (PSPF)
The Protective Security Policy Framework (PSPF) is a security framework that assists Australian Government entities to protect their people, information and assets, both at home and overseas.
It sets out government protective security policy and supports entities to effectively implement the policy across the following outcomes:
- security governance
- information security
- personnel security
- physical security
In 2018, the Attorney-General reissued the Directive on the Security of Government Business to reflect the updated PSPF. The directive establishes the PSPF as an Australian Government policy, and sets out the requirements for protective security to ensure the secure and continuous delivery of government business. It details the mandatory core and supporting requirements for protective security and provides guidance to support effective implementation.
As a Government policy, non-corporate Commonwealth entities must apply the PSPF as it relates to their risk environment. It represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies. The PSPF is also considered better practice for state and territory agencies.
The PSPF is applied through a security risk management approach with a focus on fostering a positive culture of security within an entity and across the government.
CIS v7 Security Framework
The CIS Controls are a prioritized set of actions any organization can follow to improve their cybersecurity posture. The CIS Controls best practices are developed using a consensus approach involving discussion groups, forums, and community feedback.
CISQ Security Framework
The Consortium for IT Software Quality (CISQ) is an IT industry group comprising IT executives from the Global 2000, systems integrators, outsourced service providers, and software technology vendors committed to making improvements in the quality of IT application software.
Control Objectives for Information and Related Technologies
Control Objectives for Information and Related Technology (COBIT) is a security framework created by ISACA for information technology management and governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
COSO Security Framework
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
FedRAMP Security Framework
The mission of the FedRAMP Program Management Office (PMO) is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
FISMA Security Framework
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.
The Federal Information Security Modernization Act of 2014 amends the Federal Information Security Management Act of 2002 (FISMA) and provides several modifications that modernize Federal security practices to address evolving security concerns. These changes result in less overall reporting, strengthen the use of continuous monitoring in systems, increase the focus on agencies for compliance, and make reporting more focused on the issues caused by security incidents.
GDPR
The General Data Protection Regulation (GDPR) is the toughest privacy and security framework in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
HB167 Security Handbook
The aim of the Handbook is to generate an improved understanding of how security risk management can be used for a range of activities from developing a system for a ‘greenfield site’ to enhancing existing well established security programs.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
HITRUST CSF
The HITRUST CSF (created to stand for “Common Security Framework”, since rebranded as simply the HITRUST CSF) is a prescriptive security framework that meets the requirements of multiple regulations and standards. The framework provides a way to comply with standards such as ISO/IEC 27000-series and HIPAA.
How to mitigate cyber security incidents (Australian Cyber Security Centre; Australian Signals Directorate)
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to help cyber security professionals in all organisations mitigate cyber security incidents caused by various cyber threats. This guidance addresses targeted cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, business email compromise, and industrial control systems.
IASME Governance
The IASME Governance standard was developed over several years during a government funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.
The IASME Governance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost and indicates that they are taking good steps to properly protect their customers’ information. The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements and is available either as a self-assessment or as an on-site audit.
IRAP Security Framework
The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) security assessment services to government.
NERC CIP
Critical Infrastructure Protection (CIP) is just one of 14 mandatory North American Electric Reliability Corporation (NERC) security frameworks that are subject to enforcement in the U.S.
NIST SP 800-53
Draft SP 800-53B provides three security control baselines for low-impact, moderate-impact, and high-impact federal systems, as well as a privacy control baseline for systems irrespective of impact level. The security and privacy control baselines have been updated with the controls described in SP 800-53, Revision 5; the content of control baselines reflects the results of a comprehensive interagency review conducted in 2017 and continuing input and analysis of threat and empirical cyber-attack data collected since the update to SP 800-53.
In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions to help guide and inform the control selection process for organizations. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation. The control baselines were previously published in NIST SP 800-53, but moved so that SP 800-53 could serve as a consolidated catalogue of security and privacy controls that can be used by different communities of interest.
NIST Cybersecurity Framework
Created through collaboration between industry and government, the voluntary security framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
NIST SP 800-12
Organizations rely heavily on the use of information technology (IT) products and services to run their day-to-day activities. Ensuring the security of these products and services is of the utmost importance for the success of the organization. This publication introduces the information security principles that organizations may leverage to understand the information security needs of their respective systems.
NIST SP 800-16
This security framework publication presents a new conceptual framework for providing information technology (IT) security training. This framework includes the IT security training requirements appropriate for today’s distributed computing environment and provides flexibility for extension to accommodate future technologies and the related risk management decisions.
NY DFS
Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies.
SCAP
The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas.
NIST’s security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting.
SOC 2 Security Framework
The SOC 2 security framework is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.
TC CYBER
The rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats, present demanding challenges for maintaining the security of Information and Communications Technologies (ICT) systems and networks.
Security solutions must include a reliable and secure network infrastructure, but they must also protect the privacy of individuals and organizations. Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the Internet and the communications and business it carries.
The TC Cyber Roadmap provides a strategy for standardisation.
Ten Steps to Cybersecurity (UK National Cyber Security Centre, GCHQ)
This security framework guidance is designed to help organisations protect themselves in cyberspace. It breaks down the task of defending your networks, systems and information into its essential components, providing advice on how to achieve the best possible security in each of these areas.
The 10 Steps to Cyber Security guidance was originally published in 2012 and is now used by a majority of the FTSE350.
UK HMG Security Policy Framework
The security framework describes the standards, best-practice guidelines and approaches that are required to protect UK government assets (people, information and infrastructure).
It focuses on the outcomes that are required to achieve a proportionate and risk-managed approach to security that enables government business to function effectively, safely and securely.
Written by
Julian Talbot
Julian is a SECTARA and Industry Risk Advisory Board Member and, among many other things, the author of the Security Risk Management Body of Knowledge (SRMBoK).
In recent times Julian contemplated how to take SRMBoK further, and in doing so publish a contemporary account of associated security models, principles and practices. The result is the Security Risk Management Aide Memoire (SRMAM), a book that is free to all SECTARA subscribers (yes, even on the free plan).
This article is adapted from the SRMAM web site with permission.