Cybersecurity is an essential part of business management and legal compliance but the details get complicated.
To help organize this process, cybersecurity frameworks have been developed.
What is a cybersecurity framework?
A cybersecurity framework is basically voluntary guidance for organizations, to help them manage their cybersecurity program and measures. It is a “best practice”.
There are many cybersecurity frameworks, from different organizations, with different layout, focus, and language. The organizations developing them may have different business models.
Here is a quick list of some well-known cybersecurity frameworks. Read this, and then you can nod knowingly when you hear someone talk about them in the future.
- The National Institute of Standards and Technology (NIST) has created many standards documents, paid for by tax dollars, and they are excellent and free. The NIST Cybersecurity Framework is best known, and they have other security frameworks plus standards in many areas. NIST can be your early research resource.
- The Center for Internet Security (CIS) has a framework called the 18 CIS Critical Security Controls. This too is freely available and excellent.
- The International Organization for Standardization (ISO) puts out the 27000 series standard for information security management systems.
- Other frameworks exist from a variety of organizations, non-profit and for-profit. Some may be proprietary and subject to fees and licensing agreements.
Most frameworks are complex, require some technical background, and hours to read and properly understand. None provide magic answers nor eliminate decision-making. Many are too detailed for most small and mid-sized organizations.
The Four Pillars of Cybersecurity
My Four Pillars of Cybersecurity is freely available and designed for smaller organizations to bring a comprehensible basic framework to those without a technology background. The four pillars are:
- Improve knowledge and awareness
- Improve computer device security
- Improve data security
- Improve security of networks and internet use.
These four pillars are part of a continuous cycle of improvement. The principles are understandable without specialized training in information technology or information security.
Knowledge is first because this promotes good decision making to manage and secure information assets and systems. Knowledge helps when faced with a suspicious email to transfer funds or click a link.
Adopting a framework does not magically create security
Adopting a framework does not ensure security, efficiency, nor compliance. Some organizations may say they are following a framework, but the truth may be less rosy. An organization doing their honest best can use a framework to guide their policies and practices.
A framework can be a healthy part of good management of information assets. Consider its role within my Five Components for Policy Work which involves evaluating:
- Guidance (including frameworks)
- Mission and business needs
- Laws and regulations
- Internal rules and policies
- Practices.
The legal tie-in for this legal column
Built into almost every area of law is the concept of judging conduct by its reasonableness under the circumstances. These non-binding cybersecurity frameworks help outline what factors might be considered reasonable and acceptable when assessing cybersecurity.
There is a feedback loop between frameworks and legal requirements. Frameworks usually have provisions about organization legal compliance. And then some legal rules may point to frameworks explicitly, and some may implicate them through references to reasonableness.
Should a cyber incident proceed to litigation, each side will highlight certain facts and interpret them to try prove their own case: either that the security was reasonable or deficient.
You can imagine closing arguments in a personal injury trial following an automobile collision. There are facts each lawyer might rely on to prove either negligent or reasonable driving. The complexities of cybersecurity and cybercrime means exponentially more facts and inferences. Frameworks will play a role.
Conclusion
Improved cybersecurity is not just for compliance, it is good for business and to achieve the mission.