How to select a cybersecurity framework to protect your greatest assets: People, property and data

This is a US-centric view of security frameworks. Having said that, most organisations I’ve worked with apply a combination of CSF for the list of controls and ISO27k for the Infosec program management. What this article also points out is that you should start with a threat and risk assessment before choosing a framework…:

[…] NIST is a U.S. government agency that has developed several useful cybersecurity frameworks that represent the basis for most other frameworks. Detailed in special publications (SPs), these frameworks offer specific controls—best practices—that organizations in both the public and private sectors can follow to achieve the stated objective of the special publication.

NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (known as RMF) is built around seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. This process helps organizations prioritize their risk management efforts by measuring, tracking, and identifying risks.

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a tried-and-true framework that focuses on privacy controls in recognition that privacy is a critical concern in the cybersecurity realm.

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, focuses on assisting organizations that store, transfer, or transmit controlled unclassified information, referred to as CUI.[1] NIST 800-171’s controls are aimed at helping nonfederal organizations that do business with the federal government protect CUI confidentiality. These are good guidelines for any organization to follow to safeguard its own and its customers’ data.

The NIST Cybersecurity Framework, known as CSF, centers on basic cyber defense functions that are required to determine risks and protect assets: identify, protect, detect, respond, and recover. It is designed to be customizable so that organizations can create a cybersecurity program that suits their individual risks, situations, and requirements. They can then prioritize their investment and maximize their spending on the most effective cybersecurity risk management.

Original article