Security framework: which one to choose?
NIST 800-53, CIS V7, MITRE D3FEND… Security and risk management professionals are faced with a wide range of security frameworks, making it difficult to choose the most appropriate one for their context. This is all the more important as security teams face a heavy workload in a complex ecosystem and need to focus everyone’s efforts in the same direction to ensure their effectiveness.
A security framework is a comprehensive, structured set of processes and standards for managing an organisation’s security and risks. It provides a structure for organising security measures to ensure they are complete and consistent. In this way, organisations can better identify, assess and manage the cyber risks they face. This proactive approach helps to strengthen overall security. What’s more, certain frameworks are well known in the cybersecurity community, which can give certain companies credibility or even a competitive edge, or simply be a requirement for working with a customer or responding to a tender.
Depending on the organisation behind it, the security framework may be called a policy, a standard, a norm, a repository, etc. In this article, we have grouped all these elements under a single name: security framework.
They do not all have the same purpose. Some are more operational: the aim is to put in place measures to build the organisation’s cybersecurity strategy, to certify a level in this area, to comply with a country’s legislation, etc. Some serve a governance purpose, as they are based on the implementation of policies within the organisation to increase the level of resilience.
Finally, some frameworks are optional for companies, while others are mandatory at national level (this will be the case with NIS2, which is a European directive setting out mandatory measures to be applied at national level by the entities concerned) or CMMC (mandatory for companies and organisations in the US defence industry). How do you choose the cybersecurity framework that best suits your context?
This article is dedicated to the security frameworks supported by the Citalid platform, listed in alphabetical order:
- CIS v7
- CIS v8
- CMMC
- Guide d’hygiène informatique (ANSSI)
- IEC 62443
- ISO/IEC 2013
- ISO/IEC 2022
- Microsoft Secure Score
- MITRE D3fend
- NESA
- NIST CSF
- NIST 800-53
CIS v7 & v8
What is it ?
The CIS Critical Security Controls frameworks have been developed since 2008 by the Center for Internet Security, a not-for-profit organisation that provides studies for IT professionals. They are designed to be a starting point for an organisation’s approach to cyber security. To this end, they propose three levels of a series of measures, known as ‘implementation groups‘, adapted to the size and maturity of the organisation:
- Implementation Group 1 (IG1): this is for small organisations with no cyber security expertise and a low level of sensitivity;
- Implementation Group 2 (IG2, in conjunction with IG1): this corresponds to organisations with an IT team whose data may be sensitive, which are subject to compliance requirements, and where an attack is likely to cause business interruption and public relations problems;
- Implementation Group 3 (IG3, in combination with IG1 and IG2): this is for organisations with cyber security professionals from a variety of disciplines, whose data is a concern in terms of sensitivity and criticality, who are concerned about regulatory compliance, and where a cyber attack is likely to affect part of the supply chain.
What are the pros?
The CIS frameworks can be combined with a NIST framework to improve risk management and are globally recognised. In fact, these frameworks are widely used because they can be applied by organisations in all sectors and of all sizes. The guidelines in these frameworks are more about defending against and mitigating cyber risks than about compliance. Nevertheless, the CIS Group has carried out a large number of mappings of its frameworks to other reference systems, which greatly help organisations to know their level of security, whether to other frameworks or to legal obligations (GDPR, PCI DSS).
What are the cons?
Complying with this security framework requires a great deal of time, effort and financial investment, especially for small organisations with limited resources. It can sometimes be seen as too complex (153 controls to apply) and not sector specific enough, meaning that not all of the security controls included may be relevant to your organisation’s business. Finally, achieving and maintaining compliance with a security framework can be costly in terms of training, technology updates and possibly third-party audits.
For more information, click here
CMMC
What is it?
CMMC, which stands for Cybersecurity Maturity Model Certification, is a security framework used to assess an organisation’s level of maturity in protecting unclassified information. It is particularly suitable for DITB organisations (Defense Industrial Technological Base).
Depending on the sensitivity of the information handled and the characteristics of the data transmission processes, the organisation is required to implement a certain number of more or less advanced cybersecurity standards. This framework allows the US Department of Defense to verify their implementation and certain subcontractors working with them may be required to achieve a specific level once the CMMC framework is fully implemented, which is sometimes one of the conditions for validating a commercial contract.
What are the pros?
This security framework is becoming a standard requirement for defence contractors and subcontractors in the United States. If you do business with this sector, this framework can be an asset, giving you both credibility and a competitive edge.
What are the cons?
However, this framework contains a relatively large number of measures that can potentially impact on the day-to-day operations of your business. Like many frameworks, it requires ongoing monitoring to maintain a good level of cyber security. Finally, it is not recommended for small businesses, as the number of measures and their rigidity may act as a brake on their ability to collaborate or win contracts with other entities, which may be felt by partners.
Is there a more recent version?
A version 2.0 of this framework is now available, with three levels of application depending on the organisation’s level of cybersecurity progress: basic, advanced and expert. Each level is aligned with the standards proposed by the NIST framework and, depending on the organisation’s profile, it may be required to apply 17 to 110 cybersecurity best practices, or even to adopt the NIST SP 800-172 framework for those concerned by the expert level.
For more information, click here
ANSSI hygiene guide
The ANSSI hygiene guide contains 42 measures that can be implemented to launch a company’s cybersecurity strategy. It constitutes a common minimum base for the protection of information in French organisations. Once all the measures have been implemented, the organisation can be considered capable of interacting with its partners and serving its customers while respecting the integrity and confidentiality of the information that concerns them.
Particularly recommended for young companies wishing to take their first step towards a security strategy, it is relatively easy to set up and is suitable for most business sectors. Two levels of security are available to suit the maturity of the business, enabling some companies to go further than the ANSSI requirements. It can, of course, be combined with other security frameworks as part of an organisation’s progress towards resilience.
For more information, click here
IEC 62443
What is it?
IEC 62443 was developed by the International Society of Automation (ISA) and approved by the International Electrotechnical Commission (IEC). It is an international series of standards on “Industrial communication networks – IT security of networks and systems” created in the early 2000s.
This security framework consists of 4 levels:
- General;
- Organisation: policies and procedures;
- Systems;
- Products.
What are the pros?
IEC 62443 is suitable for industrial environments where safety measures and controls are particularly important. It is globally recognised, giving a degree of credibility to companies that implement it. Using a risk-based approach, it allows security measures to be prioritised and covers different aspects of industrial cyber security, i.e. policies, processes and technical measures.
What are the cons?
However, it requires a good understanding of cybersecurity principles and industrial processes, as the IT and OT teams will need to work together to implement the measures recommended by the framework and carry out the controls.
For more information, click here
ISO/IEC 27001
What is it?
ISO/IEC 27001 is the best known and most widely used security framework. First published in 2005, it is used to certify organisations in their approach to cyber security. It is part of the ISO 27000 suite, a list of recommendations for best practice in information security management.
What are the pros and cons of ISO-27001 2013?
ISO-27001 2013 is the most widely used version by organisations internationally. It contains more detailed and specific measures that can provide greater guidance and assurance on information security. However, it is also more complex and rigid, which can make it more difficult to adapt to changes in the business and technological environment. It is also less aligned with other ISO management standards, which can lead to problems of integration and consistency.
What are the pros and cons of ISO-27001 2022?
As for ISO-27001 2022, it is a more modern and flexible version, making it easier to adapt and implement for different organisations and scenarios. It has fewer and simpler controls, reducing the burden and cost of cyber security. It is also more closely aligned with other ISO management standards, making it easier to integrate and maintain consistency. However, it is also less mature and less tested.
For more information, click here
Microsoft Secure Score
What is it?
Microsoft Secure Score is a security framework designed to meet the needs of Microsoft 365 services.
What are the pros?
It is very easy to set up, generates quantifiable security metrics that make it easier to monitor the application of measures, and provides customised recommendations that allow it to be adapted to the organisation’s information system. It prioritises security audits. On top of that, it is based on a scoring system, which makes it easier to implement the framework.
What are the cons?
However, it is only partial, as it is only adapted to Microsoft 365 services, on which it depends, and does not cover all aspects of cybersecurity.
For more information, click here
MITRE D3FEND
What is it?
MITRE D3FEND is a framework created by the MITRE Corporation, a private, non-profit organisation whose mission is to advise the US Air Force on engineering and technical matters in general. The NSA’s Cyber Security Division helped create MITRE D3FEND (Detection, Denial and Disruption Framework Empowering Network Defense), which will be launched in 2021. It is still in the experimental phase.
MITRE D3FEND is a knowledge base, mainly in the form of a graph, designed to improve a company’s cyber defence strategy. It is intended to be a kind of catalogue of defensive cybersecurity techniques and their relationships with offensive/countermeasures techniques. It consists of three elements: a knowledge graph summarising defensive methods, a set of user interfaces for accessing this data, and a way to map these defensive measures to the MITRE ATT&CK, which focuses on the techniques of cyber attackers.
The main aim of D3FEND is to help standardise the vocabulary used to describe cyber adversary techniques. But it has two main uses recognised by MITRE: to analyse the functionality of security products and, thanks to a gateway with ATT&CK, to determine how these products apply their functionality.
What are the pros and cons of MITRE D3FEND?
MITRE D3FEND can be used in conjunction with ATT&CK, which is both an advantage and a disadvantage, as it requires a thorough knowledge of both frameworks. It does, however, enable a proactive approach as it provides practical advice to organisations and encourages collaboration between users who are encouraged to share their ideas, experiences and best practices to improve their defence strategy. Nevertheless, this security framework may not be sufficient as it does not cover all attack scenarios and does not take sufficient account of emerging threats, which can weaken an organisation’s ability to anticipate.
For more information, click here
NESA
NESA is a framework recognised by the authorities in the United Arab Emirates. It covers risk management, incident response and security controls, and is largely consistent with the security standards expected of critical infrastructure. We recommend this security framework if you are doing business with this country, as it is particularly aligned with national standards.
For more information, click here
NIST CSF & NIST 800-53
What is it?
The NIST CSF and NIST 800-53 security frameworks are published by the National Institute of Standards and Technology, an agency of the US Department of Commerce. They are based on the Cybersecurity Enhancement Act passed by the US Congress in 2014.
What are the pros and cons of NIST CSF?
The NIST CSF is an internationally recognised security framework that establishes a common language within an organisation for implementing cyber security measures. It consists of 48 pages of measures to be implemented, and is very focused on reducing cyber risk within the organisation. It is easy to combine with other security standards, which optimises protection, as it is less prescriptive than other frameworks and highly adaptable.
Its main drawback is that it is difficult for smaller companies or organisations to integrate, due to its complexity, but also because it relies heavily on risk assessment, which is a particularly complex process.
What are the pros and cons of NIST 800-53?
NIST 800-53 is considered to be an adaptable and comprehensive framework. In the United States, it is recognised and used at government level and in various industries, which can give credibility to organisations that choose to adopt it. However, it was designed for the US federal information system, which means that not all measures are appropriate for organisations that choose to use it. The degree of customisation of this framework is also difficult to estimate, and some degree of customisation is required if it is to remain effective. Finally, it cannot be said to be very easy to integrate, as it consists of a very large number of measures.
For more information, click here
You now have all the information you need to choose the framework or frameworks that best suit your organisation and resources. How about improving your defensive maturity with a cyber risk quantification solution ?
