Security is Everyone's Job
Cybersecurity frameworks are defined structures that contain processes, practices, and technologies that can help organizations achieve their cybersecurity goals and comply with various regulations and standards.
NIST Cybersecurity Framework: The NIST Cybersecurity Framework was developed by the National Institute of Standards and Technology (NIST) in response to the presidential Executive Order 13636. The framework aims to enhance the security of the country’s critical infrastructure, such as energy, transportation, health care, and finance. The framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function has a set of categories, subcategories, and informative references that provide guidance on how to implement the framework
ISO 27001 and ISO 27002: The ISO 27001 and ISO 27002 are international standards that specify the requirements and best practices for managing information security management systems (ISMS). The ISO 27001 defines the requirements for establishing, implementing, maintaining, and improving an ISMS. The ISO 27002 provides a code of practice for information security controls that can help organizations comply with the ISO 27001 requirements. The standards cover various aspects of information security, such as policies, organization, human resources, asset management, access control, operations security, communications security, system acquisition, incident management, business continuity, and compliance
SOC2: The SOC2 is a framework for auditing and reporting on the security, availability, processing integrity, confidentiality, and privacy of service organizations that provide cloud-based services to their customers. The SOC2 is based on the Trust Services Criteria (TSC) developed by the American Institute of Certified Public Accountants (AICPA). The SOC2 provides assurance to customers that the service organization has implemented effective controls to protect their data and meet their service level agreements
NERC-CIP: The NERC-CIP is a framework for securing the bulk electric system (BES) in North America. The framework was developed by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC). The framework consists of 13 standards that address various aspects of cybersecurity for BES assets, such as identification and classification, access control, physical security, cyber incident response and recovery, configuration management, vulnerability assessment, information protection, supply chain risk management
HIPAA: The HIPAA is a framework for protecting the privacy and security of health information in the United States. The framework was enacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and enforced by the Department of Health and Human Services (HHS). The framework consists of two main rules: the Privacy Rule and the Security Rule. The Privacy Rule establishes the standards for how covered entities (such as health care providers, health plans, and health care clearinghouses) and their business associates must use and disclose protected health information (PHI). The Security Rule establishes the standards for how covered entities and their business associates must safeguard the confidentiality, integrity, and availability of electronic PHI (ePHI)
GDPR: The GDPR is a framework for protecting the personal data of individuals in the European Union (EU) and the European Economic Area (EEA). The framework was enacted by the General Data Protection Regulation (GDPR) in 2016 and became effective in 2018. The framework applies to any organization that collects, processes, or transfers personal data of individuals in the EU or EEA, regardless of their location or size. The framework grants individuals various rights over their personal data, such as the right to access, rectify, erase, restrict, object, portability, and consent. The framework also imposes various obligations on organizations that handle personal data, such as data protection by design and by default, data protection impact assessment, data breach notification, data protection officer, and data transfer mechanisms
FISMA: The FISMA is a framework for securing federal information systems in the United States. The framework was enacted by the Federal Information Security Management Act of 2002 (FISMA) and amended by the Federal Information Security Modernization Act of 2014 (FISMA). The framework requires federal agencies to develop, implement, and maintain an information security program that follows the standards and guidelines issued by NIST. The framework also requires federal agencies to conduct periodic assessments, audits, and reports on their information security status
MITRE ATT&CK: The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. The framework can help organizations understand the behavior and methods of cyber attackers, as well as improve their detection, prevention, and response capabilities. The framework covers various aspects of the cyber attack lifecycle, such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and impact. The framework also provides matrices that map the tactics and techniques to different platforms, such as Windows, Linux, macOS, cloud, mobile, and more. The framework is constantly updated and expanded with new information and insights from the cybersecurity community