An important aspect of a proactive and effective cybersecurity initiative is the inclusion of content and guidance from the many available domestic and international standards and guidance documents. This article lists the most important and widely-used standards, frameworks and guidance on cybersecurity management.
Among the top five boardroom technology issues is cybersecurity – how to prevent cyberattacks, how to detect them and how to mitigate them. Reports in the media regularly cite examples of how these attacks penetrate even the most formidable corporate network perimeters. And while professionals and perpetrators maintain a continuous cat-and-mouse game, the attacks still occur.
Many cybersecurity systems and applications are available to prevent attacks such as phishing, DDoS (distributed denial of service) attacks, viruses and other malware. The principal challenge, among others, is to keep these tools as up to date as possible. Regular patching and software updates help users maintain an increasingly tenuous edge over attackers.
Aside from the obvious tactical approaches to cybersecurity above, from a strategic perspective several key domestic and global standards are essential ingredients in an overall cyber strategy. They provide prescriptive guidance and actionable advice on addressing risks, threats and vulnerabilities. Standards and regulations provide important tools for preparing policies, procedures and programs.
This article will examine the most current standards, frameworks and guidance, and where they can be obtained.
Cybersecurity Standards and Guidance
Getting to know the various cybersecurity standards and guidance documents can be time-consuming, but worth it. Among the potential results are a more robust and resilient network perimeter and overall IT infrastructure. Teams assigned to develop (or expand and enhance) cybersecurity programs can use the documents as frameworks for program development, guidance on developing policies and procedures, testing programs and other activities. Compliance with standards is also an important activity, as it can demonstrate an organization’s commitment to cybersecurity management. It is also important from an audit perspective, as demonstrated compliance with standards and regulations is a very important audit control. The following is a brief listing of cybersecurity standards, regulations and frameworks:
ISO 27000 Series – Perhaps the most important global standard series addressing information security, the International Organization for Standardization (www.iso.org) 27000 Series covers the entire waterfront regarding information security. Cybersecurity-focused standards are part of the series, as will be shown.
ISO 27007:2020 – Designated as Information Security, Cybersecurity and Privacy Protection – Guidelines for Information Security Management Systems Auditing, this standard provides guidance on preparing for audits, and specifies the key controls a cybersecurity program should possess. A standard like this is often among the most important due to its audit focus.
ISO 27014:2020 – This is another foundation standard for cybersecurity from management, planning and strategic perspectives. Designated Information Security, Cybersecurity and Privacy Protection – Governance of Information Security, it is an excellent starting point for creating policies and procedures, and can also be paired with the other ISO standards noted in this article.
ISO 27032:2012 – Perhaps the starting point for launching a cybersecurity initiative, this standard, Information Technology – Security Techniques – Guidelines for Cybersecurity, provides an overview of cybersecurity management, why it is important and what needs to be in a cybersecurity program, and offers insights on how to address a wide range of cybersecurity risks and threats and how to identify potential vulnerabilities.
NIST SP 800-53 Rev 5 – Developed by the U.S. National Institute for Standards and Technology (www.nist.gov), this standard, Security and Privacy Controls for Information Systems and Organizations, is among the most widely used information security standards in both government and business. SP 800-53 provides extensive guidance on establishing security controls and is frequently used in audits.
NIST Cybersecurity Framework (CSF) (2013) – Considering the importance of looking at cybersecurity from a risk perspective, the CSF presents a comprehensive framework that specifies controls addressing the key phases of risk management: identification, protection, detection, response and recovery.
COBIT – Another widely-used risk-based framework is Control Objectives for Information and Related Technology (COBIT). Developed by the Information Systems Audit and Control Association (ISACA, www.isaca.org), COBIT is easily adaptable to facilitate preparations for a cybersecurity audit.
FFIEC Information Security Work Program and Examination – Developed largely for the banking and finance communities, the Federal Financial Institutions Examination Council (www.ffiec.org) work program and examination includes a detailed set of information security (and by extension, cybersecurity) criteria and guidance that can be used for developing and/or updating cybersecurity programs. It can be used in non-banking applications as well. The examination questions are invaluable as an easy-to-use checklist and to prepare for FFIEC audits.
FISMA – Among the many information security regulations is the Federal Information Security Management Act (FISMA, www.fisma.gov), which presents a detailed framework for cybersecurity and information management. It is equally effective in government and private sector applications.
HIPAA – Within the healthcare space, the Health Insurance Portability and Accountability Act of 1996 addresses the security of electronic protected health information (ePHI). Within HIPAA, the Security Rule section provides guidelines for information security that are often found among audit controls.
This article has briefly examined the leading standards, frameworks and guidance documents addressing cybersecurity. Obtaining and reviewing the various standards listed can provide an excellent starting point for one’s education, as well as establishing cybersecurity programs and related activities. Documents listed are generally applicable to both public and private sector organizations.