Relationship between frameworks and controls

In this article, we'll go over security frameworks, controls, and design principles in greater depth, as well as how they can be used in security audits to help protect organizations and people.

Before getting to the relationship between frameworks and controls, let's define each of them.

Plans are put in place in an organization to protect against a wide range of threats, risks, and vulnerabilities. However, the requirements for protecting organizations and people frequently overlap. As a result, organizations use security frameworks as a starting point for developing their own security policies and procedures.

Let us begin by quickly defining frameworks. Security frameworks are guidelines for developing plans to reduce risk and threats to data and privacy. Frameworks aid organizations in adhering to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the Health Insurance Portability and Accountability Act (HIPAA) of the United States, which requires medical professionals to keep patient information secure. 

Security controls are safeguards that are intended to mitigate specific security risks. Organizations use security controls to reduce risk and threats to data and privacy. For example, requiring patients to use multi-factor authentication (MFA) to access their medical records is a control that can be used in conjunction with frameworks to ensure a hospital's HIPAA compliance. Using a measure like MFA to validate someone's identity is one way to help mitigate potential risks and threats to private data.
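To make the MFA control above concrete, here is an added example (not code from the original post) of the second factor a patient portal might check: a time-based one-time password (TOTP, RFC 6238) verified server-side. The demo secret is the public RFC 4226/6238 test-vector key, constructed here for illustration; the function names, the one-step clock-skew window, and the replay guard are this example's own design choices, not part of any particular framework.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector key, base32-encoded
# the way an authenticator app would receive it. Never reuse it in production.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                window: int = 1, step: int = 30):
    """Return the counter that matched, or None.

    Accepts the current step and +/- `window` neighbouring steps to tolerate
    clock skew. The comparison is constant-time so response timing does not
    reveal how many digits were correct."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return None
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def grant_record_access(password_ok: bool, submitted_code: str,
                        secret_b32: str, at_time: int, used_counters: set) -> bool:
    """The control itself: both factors must pass before a record is released,
    and a one-time code is honoured only once (replay guard via used_counters,
    a per-user set the caller persists; hypothetical storage for this demo)."""
    if not password_ok:
        return False
    counter = verify_totp(secret_b32, submitted_code, at_time)
    if counter is None or counter in used_counters:
        return False
    used_counters.add(counter)
    return True


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 vector yields 287082 for a 6-digit code.
    code = totp(DEMO_SECRET_B32, 59)
    seen = set()
    print("code:", code)
    print("first use :", grant_record_access(True, code, DEMO_SECRET_B32, 59, seen))
    print("replayed  :", grant_record_access(True, code, DEMO_SECRET_B32, 59, seen))
```

The design point a framework-driven audit would look for is visible in `grant_record_access`: the password alone never unlocks the record, the code is compared in constant time, and a captured code cannot be replayed inside the skew window.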

Specific frameworks and controls that illustrate the relationship between them

Organizations can use a variety of frameworks and controls to stay compliant with regulations and achieve their security objectives. The Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 are two frameworks covered in this reading. Several common security controls that are used in conjunction with these types of frameworks are also discussed. 


Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was created by the United States government to provide "a common language for describing and communicating information about cyber threat activity." The CTF assists cybersecurity professionals in more efficiently analyzing and sharing information by providing a common language for communicating information about threat activity. This enables businesses to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001


ISO/IEC 27001 is a globally recognized and widely used framework. The ISO 27000 family of standards enables organizations of all sizes and sectors to manage the security of assets such as financial information, intellectual property, employee data, and third-party information. This framework defines the requirements for an information security management system, as well as best practices and controls that help an organization manage risks. Although the ISO/IEC 27001 framework does not mandate the implementation of specific controls, it does provide a set of controls that organizations can use to improve their security posture.

Controls


Controls are used alongside frameworks to reduce the likelihood and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, or administrative, and are typically used to prevent, detect, or correct security issues.


Examples of physical controls/safeguards:

  • Gates, fences, and locks
  • Security guards
  • Closed-circuit television (CCTV), surveillance cameras, and motion detectors
  • Access cards or badges to enter office spaces

Examples of technical controls/safeguards:

  • Firewalls
  • MFA
  • Antivirus software


Examples of administrative controls/safeguards:

  • Separation of duties
  • Authorization
  • Asset classification

To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation.


Final Thoughts:


Cybersecurity frameworks and controls are used in tandem to determine a company's security posture. They also help an organization meet security objectives and comply with laws and regulations. Despite the fact that these frameworks and controls are typically voluntary, organizations are strongly encouraged to implement and use them to help ensure the safety of critical assets.
