The diversity and complexity of Information Technology (IT) system components have increased significantly in recent years. Consequently, in order for businesses to adequately secure these systems, several standards and frameworks have been developed [2]. Such frameworks need to be applicable to all manner of business sectors, be they government or private, enterprise or small-business. Tables 2 and 3 provide a summary of useful examples of how both NIST SP 800-53 and ISO/IEC 27001:2013 frameworks have been applied in practice.
Since the NIST CSF can be considered a high-level abstraction of related frameworks, it refers to other frameworks (its "Informative References") for specific implementation guidance rather than restating their controls. The referenced frameworks are described in turn below.
NIST SP 800-53 Rev. 4
NIST SP 800-53 [27] is revised in line with NIST's statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. Rev. 4 (2013) is a catalogue of security and privacy controls for federal information systems, grouped into 18 control families (for example Access Control, Audit and Accountability, Incident Response, and System and Communications Protection), with low, moderate and high baselines from which controls are selected according to the impact level of the system. It is the informative reference most often cited by the NIST CSF subcategories. The structure summarised next is that of the NIST CSF itself (version 1.0) rather than of SP 800-53: five functions (Identify, Protect, Detect, Respond, and Recover), 22 categories, and 98 subcategories; a four-tier implementation model (Partial, Risk Informed, Repeatable, and Adaptive); and a seven-step process (Prioritise and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyse and Prioritise Gaps, and Implement Action Plan). The CSF focuses on assessing the current situation: how security is assessed, how risk is considered, and how the identified gaps are addressed.
Control Objectives for Information and Related Technologies (COBIT5)
COBIT5 [17] is a business-oriented CSF designed for the governance and management of enterprise IT. It consists of five domains and 37 processes, covering the responsibility areas of plan, build, run, and monitor. COBIT5 is aligned and coordinated with other recognised IT standards and good practices, such as NIST, ISO 27000, COSO, ITIL, BiSL, CMMI, TOGAF and PMBOK. It is built around five principles:
- Meeting stakeholder needs.
- Covering the enterprise end-to-end.
- Applying a single integrated framework.
- Enabling a holistic approach.
- Separating governance from management, which are treated as two distinct disciplines.
ISO/IEC 27001:2013
ISO/IEC 27001:2013 [23] is an international information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which originated from the British Standard BS 7799. It specifies the requirements for establishing, implementing, maintaining and improving an Information Security Management System (ISMS), and its Annex A lists 114 controls in 14 groups. The second edition, released in 2013, replaces the 2005 first edition. It is a standard that should be adopted by any business where information security is a critical factor, but it applies in particular to software development, managed service providers/hosting service providers, IT, banking and insurance, information management, government agencies and their service providers, and e-commerce merchants [23].
ISA 62443-2-1:2009
ISA 62443-2-1:2009 [21] is an International Society of Automation (ISA) standard (also published as IEC 62443-2-1) covering the elements required to establish a security management system for Industrial Automation and Control Systems (IACS). It consists of three categories, three element groups, and 22 elements. It is the first of four ISA policy and procedure products and identifies the essentials necessary to establish an effective cyber security management system (CSMS). However, the step-by-step approach to achieving this is company-specific and depends on the organisation's own business culture. These essentials are:
ISA 62443-3-3:2013
ISA 62443-3-3:2013 [22] is an International Society of Automation (ISA) standard (also published as IEC 62443-3-3) covering the technical security requirements for industrial control systems (ICS). It consists of seven Foundational Requirements and 51 System Requirements, and it defines the Security Levels (SL 1 to SL 4) against which a system's capability is assessed.
ISA 62443-3-3:2013 is the third of three ISA systems products; it outlines system security requirements and security levels [22].
Other frameworks
In addition to the above, other frameworks used in the industry include:
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an enterprise risk management framework, designed jointly by five leading professional associations, with the aim of integrating risk management with strategy and performance [13].
- Council on CyberSecurity Top 20 Critical Security Controls (CCS CSC) is a prioritised set of actions, originally developed by a consortium coordinated by the SANS Institute and now maintained by the Center for Internet Security as the CIS Controls, to protect assets from cyber attack [12].
- ISF Standard of Good Practice (SoGP) is a standard aimed at providing controls and guidance on all aspects of information security [20].
- ETSI Cyber Security Technical Committee (TC CYBER) was established to improve cyber security standards within the European telecommunications sector [15].
- Sherwood Applied Business Security Architecture (SABSA) Enhanced NIST Cybersecurity (SENC) project extends the five core functions of the NIST CSF into a SABSA model consisting of a six-layer security architecture [30].
- IASME Consortium (IASME) is an information assurance standard based on ISO 27000 but aimed at small businesses [18].
- RFC 2196, the Site Security Handbook, is an IETF informational guide on how to develop computer security policies and procedures [19].
- Health Information Trust Alliance (HITRUST) CSF is the first IT security CSF designed specifically for the healthcare sector. It harmonises existing standards, including NIST publications, and is aimed at healthcare and information security professionals [16].
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) version 5 is a set of mandatory requirements for securing the assets of the North American bulk electric system [14].
- Open Security Architecture (OSA) is a free, community-owned resource of advice on the selection, design, and integration of the controls required to secure an IT network [29].
- Good Practice Guide 13 (GPG13) is a UK government (CESG) guide on protective monitoring of ICT systems, related to Code of Connection (CoCo) compliance for organisations connecting to government networks [10].