Cybersecurity compliance frameworks exist to help organizations build robust cybersecurity strategies that keep them ahead of threats. The frameworks are often ambiguous, which makes it challenging to confirm that the outlined controls are actually met. Each framework is worded differently, even when it points to the same underlying technology, which only adds to the complexity of interpreting their requirements.
Highlighted Compliance Frameworks
NIST SP 800-171
Is a set of approximately 110 practices that set standards for handling Controlled Unclassified Information (CUI). The guidelines outlined by NIST SP 800-171 help businesses protect sensitive federal data and information from cyber threats. Any organization in the US federal supply chain that provides products or services may be subject to NIST 800-171 compliance requirements.
NIST Cybersecurity Framework (CSF)
Is a set of guidelines and practices to assist organizations in managing and communicating cybersecurity risk and security events with internal and external stakeholders. The CSF pays particular attention to the organization's role in the supply chain and critical infrastructure. US Executive Order 13800 mandated that US federal government agencies adopt the CSF. Other state and foreign governments, as well as insurance organizations, have also required use of the CSF for specific purposes.
The Center for Internet Security (CIS) Critical Security Controls (CSC)
Are a set of safeguards designed to mitigate the most frequently observed cyberattacks. The most current version, Version 8, has been designed to keep up with today's environment of cloud-based computing, mobility, and evolving criminal tactics. It outlines in detail the logging that must be captured for specific events in the environment. The CIS Controls are made up of safeguards, each consisting of a single action, which makes this framework easy to implement. Organizations across every industry use the CIS Controls, and they often provide a gateway to achieving compliance with other frameworks such as NIST, HIPAA, and PCI DSS.
The Essential Eight Maturity Model
Was developed by the Australian Cyber Security Centre (ACSC) to protect against cyber threats. It is divided into eight strategies, each with three maturity levels, and it outlines the specific steps that must be taken to reach each of the three progressive levels. It primarily applies to Microsoft Windows-based networks connected to the internet, and it specifies controls for Microsoft Office macros and PDF software to reduce the attack surface. Essential Eight compliance is mandated for 98 non-corporate Commonwealth entities (NCCEs) as of June 2022. These organizations must undergo an audit every five years and are expected to be compliant across all eight strategies.
Cyber Essentials
Is a list of baseline technical controls authored by the UK Government in 2014. Two certifications can be obtained: Cyber Essentials and Cyber Essentials Plus. The difference between the two is that Cyber Essentials requires an organization to submit a self-assessment, while Cyber Essentials Plus requires an organization to be audited by an external certification body. These certifications are recognized throughout the EU. Organizations that work with the UK government and handle sensitive or personal information must hold Cyber Essentials certification. Any other organization can obtain certification to help grow its business, as it reassures potential clients and partners that the organization takes cybersecurity seriously and has appropriate measures in place to protect data.
The Health Insurance Portability and Accountability Act (HIPAA)
Was passed in 1996 by the US federal government. Although HIPAA is not itself a compliance framework, healthcare organizations are legally mandated to be HIPAA compliant. HIPAA focuses on protecting personally identifiable information (PII) and personal health information (PHI), including ensuring that adequate encryption is applied to data in transit and data at rest. Most healthcare providers, health plans, clearinghouses, and the subcontractors of these organizations are legally required to adhere to HIPAA.
Cybersecurity Controls covered in the eBook include:
- Access Controls
- Antivirus/Antimalware
- Application Control
- Backup & Disaster Recovery
- Data Loss Prevention (DLP)
- Encryption
- Group Health Plans
- Incident Response
- Logging & Monitoring
- Network Security
- Physical Security Controls
- Remote Access Controls
- Secure Coding Practices
- Secure Configurations
- Secure Mobile Device Management (MDM)
- Training
- Vulnerability Management
- Written Policies
This eBook outlines the steps an organization can take to comply with various cybersecurity frameworks. As organizations move closer to compliance with a single framework, they will inevitably make progress toward compliance with multiple frameworks, because implementing a single piece of software or technology often satisfies several control areas across numerous frameworks. Read “The IT Professional’s Blueprint for Compliance” to see which practices need to be implemented to build a successful blueprint for compliance.