Cybersecurity Frameworks and Compliance Based on Industry

A cybersecurity framework, or CSF, is an organized set of rules, regulations, and procedures designed to protect against cyber threats. The main objective of a cybersecurity framework is to secure an organization's digital assets.

For organizations, cybersecurity compliance is specifically designed so that security professionals can reliably identify and mitigate all risks, regardless of complexity. For many, an established CSF is required (or heavily encouraged) in order to comply with state and industry standards or international regulations.

Cybersecurity Framework and Compliance

Below, we take a closer look at a few industries and the cybersecurity frameworks an organization in each should follow to comply.

Commercial Industries

Cybersecurity is essential for all businesses that manage their daily infrastructure online. Many of these businesses are prone to data breaches or security risks.

To better support these organizations, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has passed a number of acts that can help commercial businesses identify and mitigate potential risks.

ISO 27001/2, NIST, and PCI DSS are the frameworks most commonly used throughout the commercial industry to help companies comply with cybersecurity regulations. Each allows a company to evaluate the overall security of its systems and infrastructure.

ISO 27001/2

ISO 27001/2 is an information security management system standard. It can be used by any commercial organization. It was developed by the International Organization for Standardization (ISO) and is officially recognized by the EU.

NIST

NIST, or the National Institute of Standards and Technology, is a U.S. government agency whose framework also serves as a standards model for protecting organizations and their essential data. The NIST framework has five common mechanisms for organizations to follow:

  1. Identifying your organization’s current cybersecurity environment and what is already in place.
  2. Acknowledging your organization’s goals for overall cybersecurity protection and compliance.
  3. Identifying and prioritizing areas for improvement.
  4. Assessing the progress made toward the organization’s goals.
  5. Communicating with internal team members to ensure awareness.

PCI DSS

PCI DSS, or Payment Card Industry Data Security Standard, is a set of requirements for all organizations that process credit and debit card transactions. 

Financial Services and Banking

The financial services and banking industry is one of the most regulated industries in the nation. As a result, financial organizations closely monitor and track their infrastructure’s data and assets along with their customers’ data and assets.

Any changes to existing cybersecurity regulations, as well as new information security standards, are significant for the finance industry to monitor. Because there are so many security standards for the industry, it can be difficult for organizations to follow them all.

Compliance frameworks such as NIST, SAS70/SSAE16, FFIEC, and FISMA, to name a few, may be applicable to a financial organization’s operations. In addition, SOX and GLBA compliance may also be required for specific financial industry organizations. Below is more information on several of these:

ISO/IEC 27001

ISO/IEC 27001 is an established standard and framework that gives organizations worldwide a guideline on how to properly protect their information systems while making sure that security risks are reduced. This includes requirements for risk assessment and business continuity management processes. These sets of policies include e-commerce standards, software development practices, and information security.

SOX

SOX stands for the Sarbanes-Oxley Act of 2002. This act was passed by Congress after the scandal and subsequent collapse of the energy company Enron Corporation. It is designed to protect investors from fraudulent accounting practices. The law requires that publicly traded companies maintain accurate records and that their financial statements can be justified if questioned by regulators. SOX also requires these organizations to implement internal controls in order to prevent fraud or misconduct by employees.

GLBA

GLBA, or the Gramm-Leach-Bliley Act, was passed in 1999. This act requires financial institutions to be 100% transparent with their customers when it comes to disclosing any of their personal information to outside parties and to safeguard sensitive data. The act is mandatory for all financial institutions that reside in the US, and failure to comply can result in high penalties, including jail time.

Government

Even the government must follow a standard of rules and regulations when it comes to cybersecurity compliance. Federal agencies hold valuable information whose exposure can leave the nation and individual communities vulnerable: from personal identification to financial and economic data to national security information.

  • NIST is a national standard that many US organizations tend to follow. NIST ensures that an organization’s cybersecurity is being discussed and monitored.
  • FISMA (Federal Information Security Management Act) is a law that requires federal agencies to implement security practices. It also mandates annual risk assessments.
  • NERC (North American Electric Reliability Corporation) is a nonprofit organization. It sets standards for the electric grid.

Healthcare

With healthcare industries relying heavily on technology to help perform their duties, a growing number of cyber attackers have been infiltrating these sensitive organizations. Tasked not only with keeping individuals’ personal information confidential, these organizations must also ensure that their systems are safe and well protected.

Along with HIPAA, the following frameworks, standards, and certifications are important for healthcare entities to be aware of:

  • HITRUST CSF: The Health Information Trust Alliance Cyber Security Framework is a voluntary information security management framework. It applies the NIST Cybersecurity Framework to the healthcare industry. It provides a roadmap for organizations to manage their cybersecurity risk and keep their sensitive data secure.
  • CMS (Centers for Medicare) also provides security guidance for healthcare companies and organizations. This includes guidelines on how to protect patient data. It also contains best practices for conducting vulnerability assessments and penetration testing.
  • ISO helps organizations develop a culture of information security by addressing information risk management, confidentiality, integrity, availability, and accountability. It also provides guidance on identifying risks such as human error or intentional misconduct (e.g., fraud).

Manufacturing & Critical Infrastructure

The manufacturing industry is increasingly targeted by hackers and cyber criminals as organizations continue to advance their technology. From AI to cloud computing and robotics, manufacturing businesses are at greater risk than ever before of falling victim to an attack.

  • NIST Cybersecurity Framework is the most popular cybersecurity framework for manufacturers. It offers four levels of security, from "not yet effective" to "highly effective."
  • ISO 27001/2 compliance is an international standard for information security management systems (ISMS). It covers all aspects of ISMS including risk management and incident response.
  • FERC is the Federal Energy Regulatory Commission. It regulates the electric power grid in the United States.
  • NERC Critical Infrastructure Protection is a regulation that requires critical infrastructure companies to be certified against FERC regulations and standards.

The Importance of Developing a Cybersecurity Framework

Cybersecurity frameworks offer a basic outline for organizations to follow when it comes to their online infrastructure. With a CSF, organizations benefit by maximizing their security protection and minimizing their risk footprint.

Though security frameworks can help identify what measures organizations should take to safeguard their data, compliance can still be complex to navigate. By working with a firm like JANUS, organizations can gain vital insight into where their highest cybersecurity risks reside and create a strategy to reach a higher level of security.

Contact JANUS Associates Today

At JANUS Associates, our mission is to improve the information security of our clients, and society at large. In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs.

We understand the challenges that organizations of all sizes face. We can help you achieve your information security goals regardless of your size.

To learn more about how a team of affordable professionals can help you secure your organization, contact our Corporate Director, Chris Kniffin.
