
The NIST Cybersecurity Framework (NIST CSF), produced by the Department of Commerce’s National Institute of Standards and Technology (NIST), provides a policy framework for private sector computer security.
Version 1.0 was published in 2014, originally aimed at specific operators of critical infrastructure. The next version is in the draft stage, with operators encouraged to comment on the proposed policy framework, which also addresses increased privacy and civil liberty concerns.
The upcoming NIST CSF 2.0 executive summary notes that cybersecurity threats to infrastructure systems can put the economy, public safety, and health at risk, and can affect “a company’s bottom line … [cybersecurity risk] can harm an organization’s ability to innovate and to gain and maintain customers” (NIST, 2017). The framework’s “core” provides guidance in the form of cybersecurity activities, outcomes, and references that are “common across critical infrastructure sectors” (NIST, 2017). The 2.0 version continues to offer advice and guidance, based on the collaboration between the government and private sector.
ISO/IEC 27001:2013 is an information security standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a specification for an information security management system (ISMS) with “requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization,” according to the ISO’s website. The standard also includes requirements for the assessment and treatment of information security risks (ISO, 2013). The goal is for organizations to meet this standard and securely pass a compliance “audit” by an independent accreditation body.
The standard places emphasis on organizational “controls” to respond to security incidents. These important controls include: information security policies; organization of information security; human resource security controls that are applied before, during, or after employment; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development and maintenance; information security incident management; and compliance with internal requirements, such as policies, and with external requirements, such as laws (ISO, 2013).
