What Is A Security Framework?
A security framework is a collection of documents and policies that define how your organization manages information, systems, and services and the security measures taken to protect data. A security framework looks at regulations and laws, as well as the internal policies to ensure everything is clearly stated regarding cybersecurity tactics and strategies for your company.
One of the keys to developing a cybersecurity program that protects your organization is the adoption of a security framework. Using a security framework enables organizations to gain a systematic understanding of their capabilities and weaknesses. This approach also provides the basis for an orderly methodology for planning and tracking improvements over time. Using a public security framework allows organizations to benchmark their performance against other companies, which helps company leadership plan the level of investment in the security program.
The use of a security framework is not just a pass/fail or check-the-box exercise. Most organizations will not have optimized every capability the framework describes, and that is expected. The purpose of the framework is to provide a basis for evaluating key capabilities across the full breadth of the cybersecurity function. The resulting assessment “score” can be measured and tracked over time, and it provides the basis for a cybersecurity roadmap and investment plan that raises capabilities to a level consistent with the risk tolerance of the business.
What Are The Top 3 Security Frameworks?
There are many security frameworks your organization can choose from, but there are 3 that stand out as the top options.
1. NIST Cybersecurity Framework (NIST CSF). The NIST security framework was originally intended for use by critical infrastructure sectors like healthcare, utilities, and manufacturers. That's why its official title is the Framework for Improving Critical Infrastructure Cybersecurity. But organizations of all sizes all around the world have recognized its value and adopted the framework.
The NIST CSF is made up of 108 sub-categories, 23 categories, and 5 core functions. The five core functions in this framework are:
Identify
Protect
Detect
Respond
Recover
These five core functions provide the vocabulary for communicating the framework. Within the framework, you can evaluate capability maturity across the 23 categories on a 1 to 5 scale, and then use those scores both to communicate current capabilities and to build a roadmap and investment plan that targets specific categories, thereby improving the overall capability “score” of the organization.
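As an added illustration of the scoring and roadmap idea above (example code, not from the original article): the script takes per-category maturity scores on the 1 to 5 scale, rolls them up to the five core functions, and ranks the categories that fall short of a target profile. The category identifiers are NIST CSF 1.1 ones; the scores and targets are constructed sample data, not a real assessment.

```python
"""Gap analysis over NIST CSF category maturity scores (1-5 scale).

Added example, not from the original article. Category ids are NIST CSF 1.1
identifiers; the scores and target profile below are constructed sample data.
"""
from collections import defaultdict

# The five core functions, keyed by the prefix of each category identifier.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample assessment (a subset of the 23 categories):
# category -> (current maturity, target maturity).
# Targets express the business's risk tolerance; not every category needs a 5.
ASSESSMENT = {
    "ID.AM": (2, 4), "ID.RA": (2, 4), "ID.GV": (3, 3),
    "PR.AC": (3, 5), "PR.DS": (2, 4), "PR.IP": (3, 4),
    "DE.CM": (1, 4), "DE.AE": (2, 3),
    "RS.RP": (2, 4), "RS.AN": (2, 3),
    "RC.RP": (1, 3),
}


def function_of(category):
    """Map a category id such as 'PR.AC' to its core function name."""
    return FUNCTIONS[category.split(".")[0]]


def function_scores(assessment):
    """Average current maturity per core function (the communicable 'score')."""
    per_function = defaultdict(list)
    for cat, (current, _target) in assessment.items():
        per_function[function_of(cat)].append(current)
    return {fn: round(sum(v) / len(v), 2) for fn, v in per_function.items()}


def roadmap(assessment):
    """Rank categories by gap to target: largest gap first, then lowest current.

    Remaining ties break alphabetically so the roadmap order is deterministic.
    """
    gaps = [(cat, target - current)
            for cat, (current, target) in assessment.items() if target > current]
    return sorted(gaps, key=lambda g: (-g[1], assessment[g[0]][0], g[0]))


def overall_score(assessment):
    """Overall capability score: mean of the per-function averages."""
    scores = function_scores(assessment)
    return round(sum(scores.values()) / len(scores), 2)
```

Re-running the script on each assessment round and diffing the roadmap output gives the "tracked over time" view the text describes.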
2. The Cybersecurity Maturity Model Certification (CMMC) program is a new set of cybersecurity standards developed by the Department of Defense (DoD) to protect defense contractors from cyber attacks. The CMMC program requires certification for all contractors doing, or seeking to do, business with DoD. The impacted contractors include companies doing business with DoD indirectly through subcontracts, as well as companies that sell commercial products or services to DoD. By 2026, all new DoD contracts will require an appropriate level of CMMC certification.
The 17 domains of the CMMC standard largely overlap with core elements of the NIST CSF.
CMMC Domains with Approximate NIST CSF Mapping
Access Control (AC) - PR.AC
Incident Response (IR) - RS
Risk Management (RM) - ID.RM
Asset Management (AM) - ID.AM
Maintenance (MA) - PR.MA
Security Assessment (CA) - ID.RA
Awareness and Training (AT) - PR.AT
Media Protection (MP) - PR.DS
Situational Awareness (SA) - DE
Audit and Accountability (AU) - ID.GV
Personnel Security (PS)
System and Communications Protection (SC) - PR.PT
Configuration Management (CM) - PR.IP-1
Physical Protection (PE) - PR.AC-2
System and Information Integrity (SI) - PR/DE
Identification and Authentication (IA) - PR.AC
Recovery (RE) - RC
3. Center for Internet Security (CIS) Top 20 Critical Security Controls is another security framework, often used by small to medium-sized businesses (SMBs). While not as comprehensive as the NIST CSF or CMMC, the CIS Top 20 provides an excellent starting point for building a cybersecurity program, focused on some of the most critical elements.
Basic CIS Controls
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Control and Use of Administrative Privileges
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Fundamental CIS Controls
Control 7: Email and Web Browser Protections
Control 8: Malware Defense
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 10: Data Recovery Capability
Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Control 12: Boundary Defense
Control 13: Data Protection
Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control
Organizational CIS Controls
Control 17: Security Skills Assessment
Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Pen Testing and Red Team Exercises
Security frameworks are designed to help your organization carefully document and present its policies and procedures. They help you protect your organization and develop a more comprehensive cybersecurity plan that will ultimately keep it safe and secure. Check out the Emagined Pentest Framework to see how we can help you with your next pentest.
Learn more about security fundamentals:
We’re committed to helping you learn all about security systems you can implement to improve security at your organization. Our articles are devoted to ensuring your organization can reduce risk in a way that is manageable and affordable.