Cyber Security Governance
Governance Frameworks:
In cybersecurity, governance frameworks are critical in managing risk and ensuring compliance. These frameworks provide a structured approach for organizations to implement security controls tailored to their needs and industry requirements. According to Walid Al-Ahmad and Bassil Mohammad, governance frameworks provide distinct advantages over one-time cybersecurity implementations, such as tailoring controls to specific industries, tuning controls, and standardizing how risk is expressed [1]. While most governance frameworks attempt to perform similar functions, organizations must often choose a framework based on compliance requirements, organizational needs, and general purpose. Choosing the appropriate framework requires understanding the key differences among the relevant frameworks, and sometimes more than one must be adopted. The most common frameworks include the following.
· ISO 27001:2022
· Control Objectives for Information and Related Technologies (COBIT)
· Information Technology Infrastructure Library (ITIL)
· Payment Card Industry Data Security Standard (PCI DSS)
· NIST Cybersecurity Framework (CSF)
Cybersecurity or risk-based governance frameworks are smaller components of an overarching management system. Frameworks address either specific or generalized risk governance. An example of a governance framework addressing specific risk is PCI DSS, which governs the “processing,” “storing,” and “transmitting” of credit card data [4]. PCI DSS acts as a scalpel rather than a hammer and addresses risks specific to cardholder data. Keep in mind that most frameworks are not mandated by law. Rather than mandating them, governments and commercial companies incentivize their use or impose them contractually: the card brands, including Visa, MasterCard, American Express, and Discover, require PCI DSS compliance from merchants and service providers that process their cards. Examples of governance frameworks addressing generalized risk are ISO 27001:2022 and the NIST CSF. These two frameworks aim at the implementation of an information security management system or cybersecurity program as a whole. For the remainder of this article, we address choosing a framework for generalized risk.
What is an ISMS?
Organizations implementing a cybersecurity program often seek to create what ISO calls an ISMS. According to ISO, an ISMS is the part of an organization's management system that defines its approach to securing its information [1]. The primary objective of an ISMS is to align technical, administrative, and physical controls with the organization’s business objectives. That alignment consists of ensuring that the organization's information systems, their vulnerabilities, and its compliance requirements are all taken into account. Regardless of the framework chosen, most ISMS contain a cycle of stages to define risk, identify vulnerabilities, and mitigate threats. The cycle provides a structured method for continuously improving an organization’s security while prioritizing risk based on threats to the overall business.
An ISMS performs the essential functions of securing an information system by managing risk, enforcing compliance, auditing controls, and aligning company culture with the perceived threats. The National Institute of Standards and Technology (NIST), which uses the term information security program rather than ISMS, states that such a program outlines the security posture of an organization, identifies gaps, and tracks progress toward mitigating threats [2]. In short, an ISMS is the foundational structure for managing and improving an organization’s information security efforts.
What is ISO 27001:2022?
ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is an industry-standard framework for introducing information security into medium to large organizations. ISO 27001 is an information security management system (ISMS) standard that provides an overarching structure for integrating security in a systematic, repeatable, and sustainable manner. A tried-and-true framework used by many organizations, ISO 27001:2022 provides governance attuned to the needs of organizations seeking to create, augment, or revitalize their cybersecurity programs.
ISO 27001 manages risk and legal compliance through a Plan-Do-Check-Act (PDCA) cycle. The standard's requirement clauses (context of the organization, leadership, planning, support, operation, performance evaluation, and improvement) map onto that cycle: establish and implement the ISMS, monitor its performance, and maintain or improve it. Note that the 2013 and 2022 editions no longer name PDCA explicitly as the 2005 edition did; the cycle is implied by the clause structure rather than prescribed.
A key component of a successful ISO 27001 implementation is understanding the organization’s characteristics, threats, vulnerabilities, and culture. When developing the plan for the ISMS, the goal is to orient the organization’s culture and systems toward security. Understanding the organization’s characteristics also allows threats to be prioritized more accurately. Each phase of the PDCA model has a generalized structure for achieving the creation, implementation, and maintenance of an ISMS.
ISO 27001 versus NIST CSF
The primary reason ISO 27001 is not implemented in the DoD is the Federal Information Security Management Act of 2002 (FISMA, updated by the Federal Information Security Modernization Act of 2014), which requires federal agencies to comply with the standards and guidelines NIST develops. Section 303 of FISMA designated NIST as the federal entity that creates those standards for federal agencies and departments (U.S. Congress, 2002); the NIST CSF itself was first published in 2014 for critical infrastructure and was later made mandatory for federal agencies by Executive Order 13800 in 2017. While FISMA is the primary reason for not implementing ISO 27001, the NIST CSF also gives the U.S. government control of the framework, allowing it to be aligned with governmental interests. Unlike ISO 27001, which is developed by an international committee with input from many countries and organizations, the NIST CSF is meant to be integrated with other NIST publications (such as SP 800-53 and the Risk Management Framework) and best aligns with federal government requirements. The CSF organizes security outcomes into functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in CSF 2.0), and the protections it mandates may differ drastically from what a business or commercial entity would choose, because the priorities differ. As stated by Chidukwani et al., a significant benefit of using the NIST CSF is the standardized language shared among entities that adopt the framework (Chidukwani et al., 2022). That common language is very beneficial because organizations such as the National Security Agency, the Federal Bureau of Investigation, and other entities frequently assist with the response to significant incidents.
ISO 27001 and the NIST CSF both provide a structure for implementing an ISMS or cybersecurity program but differ in purpose. The NIST CSF, produced by NIST as the body FISMA designated to set federal standards, is a standardized framework tailored to U.S. federal government needs. ISO 27001 was designed to meet the needs of the typical commercial entity. Additionally, the mandate for federal departments to implement NIST standards makes implementing ISO 27001 unnecessary: a department needs to speak the same language as other departments so that new policies integrate easily and audits run more efficiently.
Conclusion
Selecting the right cybersecurity governance framework is vital for ensuring that organizations can effectively manage risk, achieve compliance, and build robust information security programs. Frameworks like ISO 27001:2022 and the NIST CSF offer structured approaches to cybersecurity, yet which one to implement depends on organizational needs, regulatory requirements, and industry focus. While ISO 27001 provides a globally recognized standard for commercial enterprises, the NIST CSF offers a flexible framework tailored to U.S. federal entities. Both frameworks, however, emphasize the importance of continuously monitoring, improving, and aligning security efforts with business objectives. By understanding these frameworks and their unique benefits, organizations can better navigate the complex cybersecurity landscape, improve their defenses, and build a culture of security and risk management.