Security Policy Frameworks: Organizational Security Policies
This lesson provides an introduction to five major information security policy frameworks that are commonly used by organizations to guide their cybersecurity strategies. These frameworks, developed by professional associations and standard organizations, help organizations create robust security policies and optimize the management of cybersecurity risks.
1. COBIT (Control Objectives for Information and Related Technologies):
• Developed by: ISACA (Information Systems Audit and Control Association).
• Purpose: COBIT is a best practice framework that focuses on the governance and management of enterprise IT. It helps enterprises create optimal value from their information and communication technology (ICT) systems.
• Applications: COBIT is broad and not limited to cybersecurity. It is highly useful for CEOs and CIOs in ensuring compliance with information security laws and managing ICT in a way that aligns with business objectives.
2. ISO/IEC 27000 Series:
• Developed by: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission).
• Purpose: This series provides best practice recommendations for the management of information security risks through security controls.
• Key Standards:
• ISO 27001: Specifies requirements for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS).
• ISO 27002: Provides guidelines on best practices for information security controls.
• Accessibility: These standards are sold by ISO and national standards bodies rather than offered for free download, and certification against ISO 27001 is performed by accredited third-party auditors, so they are most commonly adopted by large organizations and governments.
3. CIS (Center for Internet Security) Controls:
• Developed by: Center for Internet Security (CIS).
• Purpose: The CIS Controls are a prioritized set of safeguards intended to mitigate the most common attack patterns. The lesson describes 20 controls; version 8 of the Controls (2021) consolidated them into 18 and groups the safeguards into Implementation Groups (IG1 to IG3) so that smaller organizations can start with a basic subset and grow into the rest.
• Offerings: CIS also publishes over 100 benchmarks with hardening guidance for specific operating systems, applications, and network devices. The benchmark documents are free to download; automated assessment tooling and remediation content are offered to paying members.
• Relevance: CIS controls are widely used and are considered an essential guide for securing IT systems.
4. ISA (International Society of Automation) Standards:
• Developed by: International Society of Automation (ISA).
• Purpose: ISA standards focus on cybersecurity for automation and control systems, particularly in critical infrastructure sectors such as energy.
• Key Standard: The ISA/IEC 62443 series (originally developed by the ISA99 committee and jointly published with IEC) is the principal standard for cybersecurity of industrial automation and control systems; it introduces concepts such as zones and conduits for network segmentation and security levels for rating the protection a system requires, which are directly applicable to cyber-physical systems.
• Target Audience: These standards are of great importance for professionals working in industries with cyber-physical systems like energy, manufacturing, and transportation.
5. NIST Cybersecurity Framework:
• Developed by: National Institute of Standards and Technology (NIST).
• Purpose: The NIST Framework organizes cybersecurity outcomes into core functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in version 2.0) and maps each outcome to informative references in existing standards, including the other four frameworks in this lesson (COBIT, ISO/IEC 27001, CIS Controls, and ISA/IEC 62443). This lets organizations prioritize their cybersecurity resources, make risk-based decisions, and take actions to reduce risk without adopting a new control catalog.
• Target Audience: Initially developed in 2013 for critical infrastructure sectors such as energy and finance, the NIST Framework has since been adopted by organizations of all sizes and across many sectors.
• Voluntary Nature: The NIST Framework is voluntary for the private sector and is not mandated by law (although US federal agencies have been directed to use it), but it is widely respected and adopted due to its structured approach and adaptability.
Key Takeaways:
• These five cybersecurity frameworks offer a wide range of tools and best practices that help organizations manage their cybersecurity risks and align their IT practices with broader business objectives.
• Each framework has its own focus and applicability, with some (like COBIT and ISO 27000) having a broad scope, while others (like ISA 62443 and CIS Controls) focus on specific areas of cybersecurity.
• NIST’s Cybersecurity Framework stands out as a consolidated tool that can be adapted for various industries and organizational sizes, and while it’s voluntary, it has become a widely adopted standard.
The lesson emphasizes that, when developing cybersecurity policies, organizations do not need to “reinvent the wheel.” These established frameworks can be tailored to the specific needs of each organization, ensuring they meet both operational and regulatory requirements. In the next lesson, the course dives deeper into the details of the NIST Cybersecurity Framework.