Cybersecurity frameworks are a set of rules, guidelines, and standards that help security leaders and organizations understand their cybersecurity posture and communicate it to their internal and external stakeholders. With a cybersecurity framework, it becomes easier for organizations to develop and implement information security or cybersecurity policies, procedures, and controls to assess, mitigate, and manage cybersecurity risks and vulnerabilities.
Cybersecurity frameworks include the following:
Overview of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a set of guidelines for mitigating cybersecurity risks. It was published by the US National Institute of Standards and Technology (NIST) and is based on existing standards, guidelines, and practices. The framework serves as a guide for organizing and improving a cybersecurity program, offering guidelines and best practices that help build a stronger and more robust cybersecurity posture.
The NIST framework recommends standards and practices that prepare an organization to identify and detect cybersecurity incidents and attacks. It also provides guidelines for preventing, responding to, and recovering from cyber incidents or attacks.
The framework emphasizes the following functions in managing cybersecurity risk:
- Identification of processes and information assets to be protected
- Protection of the information assets through the implementation of appropriate controls
- Detection of the occurrence of cybersecurity incidents
- Responding to cybersecurity incidents by developing appropriate techniques to minimize their impact
- Recovering services after cybersecurity incidents through the implementation of appropriate processes
Overview of ISO 27005 “Information Technology Security Risk Management”
ISO 27005 – Information Technology Security Risk Management provides guidelines and approaches for information security risk management activities.
ISO 27005 describes a continual information security risk management process. It is divided into key components, including context establishment, risk assessment, risk treatment, risk acceptance, and risk monitoring and review.
ISO 27005 sets the risk management approach to identify risks, assign risk ownership, and assess how risks impact the confidentiality, integrity, and availability of data and information. It also requires calculating risk impact and likelihood.
An asset-based risk assessment process may be adopted by the bank. It consists of compiling an inventory of information assets, identifying threats and vulnerabilities, assigning impact and likelihood scores, evaluating the resulting risks against acceptability levels, and prioritizing risks for treatment.
There are different ways to treat risk, including the following:
- Avoiding the risk by eliminating it entirely
- Application of controls to modify the risk
- Sharing of risk with a third party
- Retention of the risk, if acceptable
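As an added illustration of the asset-based assessment and the four treatment options above (example code, not from ISO 27005 or the original article), the following Python risk register scores each asset as impact x likelihood, ranks the register, and picks a treatment. The 4-point scales, the acceptance level, the decision rules, and the sample bank entries are all constructed for this example; a real organization defines its own during context establishment.

```python
from dataclasses import dataclass, replace

# 4-point qualitative scales and acceptance level: constructed for this
# example; an organization sets its own during context establishment.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
ACCEPTABLE_LEVEL = 4  # scores at or below this may be retained


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str       # assigned risk ownership
    impact: str      # key of IMPACT
    likelihood: str  # key of LIKELIHOOD

    def score(self) -> int:
        """Risk level = impact x likelihood on the scales above."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

def treatment(risk: Risk, acceptable: int = ACCEPTABLE_LEVEL) -> str:
    """Pick one of the four treatment options. These rules are a constructed
    example policy: retain within the acceptance level, avoid the worst case on
    both scales, share severe but infrequent risks, otherwise modify with controls."""
    if risk.score() <= acceptable:
        return "retain"
    if risk.impact == "critical" and risk.likelihood == "likely":
        return "avoid"
    if risk.impact == "critical" and LIKELIHOOD[risk.likelihood] <= 2:
        return "share"
    return "modify"

def prioritize(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Highest score first: (asset, score, treatment) rows for the treatment plan."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), treatment(r)) for r in ranked]

def residual(risk: Risk, new_likelihood: str) -> Risk:
    """Re-score once a control lowers likelihood (the monitoring-and-review step)."""
    return replace(risk, likelihood=new_likelihood)

# Constructed sample register for a bank; every value is illustrative.
REGISTER = [
    Risk("partner file exchange", "interception", "cleartext FTP", "IT Ops", "critical", "likely"),
    Risk("core banking database", "external attacker", "unpatched web tier", "Head of IT", "critical", "possible"),
    Risk("backup tapes", "loss in transit", "unencrypted media", "Operations", "critical", "unlikely"),
    Risk("cafeteria menu site", "defacement", "outdated CMS", "Facilities", "low", "likely"),
]
```

Calling `prioritize(REGISTER)` yields the treatment plan in priority order, and `treatment(residual(REGISTER[1], "rare"))` shows the core banking risk dropping to the acceptance level once the web tier is patched.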
Effective and continuous risk communication is required to ensure that employees in the bank understand the basis on which risk-based decisions are made and why certain actions are needed. Risk management practices must monitor new information assets, asset values that require modification, new security risks to be assessed, and information security incidents occurring in the bank.
Cybersecurity is the practice of protecting information systems and data sources. Governance plays a significant role in developing and implementing a cybersecurity GRC program. The Board of Directors is primarily responsible for providing oversight to management and employees to manage cybersecurity risks and threats.
Final Thoughts
Suitable cybersecurity frameworks provide direction and operational preparedness to the organization. Frameworks are developed based on the industry and internal organizational requirements, considering the applicability of laws, rules, and regulations issued and prescribed by the regulatory authorities or bodies.
Cybersecurity frameworks emphasize cybersecurity risk assessment and management, including identifying the processes and information assets that need protection and protecting those assets by implementing appropriate safeguards and controls.