top of page

Information Security Frameworks



What is Information Security Framework?

The development of an Information security framework offers corporate and government security professionals a basic terminology and a set of standards that can be used to assess, enhance, and monitor their security infrastructure. It is easy to specify the procedures and actions that businesses should take to evaluate, track, and reduce cyber security threats when using a framework.


What is Information Technology Governance framework?

Information Technology Governance Framework or IT Governance Framework is a type of framework that defines the ways and methods through which an organization can implement, manage and monitor IT governance within an organization. It provides guidelines and measures to effectively utilize IT resources and processes within an organization.


Types of Information Security Frameworks:

It helps to first sort security frameworks into similar categories, which will help you compare them to select the best fit for your organization. First, you need to realize there are three main categories of security frameworks.




Control Frameworks

  • Develops a basic strategy for the organization’s cyber security department 

  • Provides a baseline group of security controls 

  • Assesses the present state of the infrastructure and technology

  • Prioritizes implementation of security controls

Program Frameworks

  • Assesses the current state of the organization’s security program

  • Constructs a complete cybersecurity program

  • Measures the program’s security and competitive analysis

  • Facilitates and simplifies communications between the cyber security team and the managers/executives

Risk Frameworks

  • Defines the necessary processes for risk assessment and management

  • Structures a security program for risk management

  • Identifies, measures, and quantifies the organization’s security risks

  • Prioritizes appropriate security measures and activities

The most widely used information security frameworks and standards include:


i. The National Institute of Standards and Technology (NIST)

NIST was established to strengthen cyber security on federal networks, but it can be used by any institution of any size.

  • Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organization


ii. The International Organization for Standardization (ISO) standard

It gives a set of rules and regulations that helps manage information inside an organization. It covers employees, third parties, customers, clients, peers, and all asset data inside an organization. It is suitable for companies of all sizes and types.

  • ISO 14000 series of standards is to promote effective environmental management systems in organizations

  • ISO 9000 family of quality management systems (QMS) is a set of standards that helps organizations ensure they meet customer and other stakeholder needs within statutory and regulatory requirements related to a product or service

  • ISO 27000 Family of Standards, it’s a series of information security standards that provide a global framework for information security management practices.


iii. The Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is the Data Security Standard for the Payment Card Industry. This means that this certification is required for all companies that process, store and transmit card data over the internet and is required to ensure the security of this data. It is an extremely important certification for anyone who wants to sell through an online payment.


iv. The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the main federal law that protects health information. The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. HIPAA Rules have detailed requirements regarding both privacy and security.


v. The non-profit Centre for Internet Security (CIS)

The CIS Critical Security Controls are a set of regulations and specific actions that helps safeguard against the most cyber-attacks. There were 20 Critical Security Controls (CSC) for Effective Cyber Defence. CIS Controls gives an effective framework for systems management. CIS controls were not designed to replace any regulatory framework that already exists inside the organization. It was designed as a complementary set of regulations that will help structure the controls granting better cyber security.


vi. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

328 views1 comment

Recent Posts

See All

1 Comment


Guest
Jul 07, 2022


Like
bottom of page