The potential benefits of a security framework As the volume and potential impact of cyber security risks continue to grow, today’s organizations face mounting challenges in their efforts to manage them. But in the race to develop effective risk management programs and policies, it’s become clear that one size does not fit all. While multiple organizations may be threatened by the same attacks, each organization’s size, complexity, risk tolerance and threat management policies and processes contribute to a unique environment—with its own requirements and best practices for protection. And in each organization, risk will ultimately be defined by a set of complex calculations that attempt to balance costs with potential losses.

Each of the four common types of security framework discussed here addresses a set of key digital risk-management components—such as technology products and services, IT skills and regulatory compliance—along with such issues as stakeholder input, security metrics and threat measurement.

An incident response—or process—framework focuses on incident prevention and response. The US National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity, which provides a common language, set of activities, best practices and standards for managing cybersecurity risk. WaveStrong, along with many other industry stakeholders, contributed to the development of this NIST framework, demonstrating the importance of a public-private collaboration for improving cybersecurity. Intended for government and business organizations alike, the NIST Cybersecurity Framework currently describes five core functions:

• Identification: Developing the organizational understanding necessary to manage cybersecurity risk to systems, assets, data and capabilities, while creating an understanding of business context, resources and risks that will allow the organization to focus and prioritize its efforts.

• Protection: Developing and implementing safeguards to ensure the delivery of infrastructure services and to help limit or contain the impact of a cybersecurity event.

• Detection: Developing and implementing activities to identify the occurrence of a cybersecurity event.

• Response: Developing and implementing a specific set of activities following the detection of a cybersecurity event and providing the support necessary to contain its impact.

• Recovery: Developing and implementing activities to maintain resilience and restore any capabilities or services that may have been impaired as the result of a cybersecurity event, providing support for a timely recovery to normal operations.

WaveStrong's CyberSecuirty Assessment Service offer a comprehensive portfolio that can help you address all four security frameworks discussed here, including NIST framework core categories and subcategories, implementation tiers and framework profiles. In doing so, we can help you meet your risk management goals and objectives for enhancing cost efficiency and simplifying management by providing scalability and flexibility to help you avoid perceived gaps in coverage as threats evolve and change. For organizations with more mature security strategies and more complex and demanding protection needs, WaveStrong can provide comprehensive controls and integrated actions to support strict risk. A domain framework reflects the ways in which information technology is built out around the Control Objectives for Information and Related Technologies (COBIT) and International Organization for Standardization (ISO) standards for security risk management. It aligns a set of domains with an organization’s four key assets: protecting its infrastructure and networks, people, data and applications. And it provides situational awareness for senior management teams, offering them an understanding of how their organizations are meeting established requirements for cybersecurity.