INFORMATION SECURITY PORTAL
An information security framework is a series of documented, agreed and understood policies, procedures, and processes that define how information is managed in a business. The reason for implementing an information security framework is essentially to reduce risk, as it provides procedures for ensuring information security.
Below are links to common frameworks that help ensure a high level of information security.
The ISO 27000 series is published by the International Organization for Standardization (ISO). It is the benchmark standard for information security frameworks and is considered by many to be best practice. ISO contains several standards for different areas; most organizations focus on ISO 27001, which deals with threat and vulnerability assessments, developing a system customized for your organization, and recommending numerous controls in areas like cryptography, access management and environmental security. Certification to ISO 27001 is possible but not obligatory; some organizations choose to implement the standard in order to benefit from its best practice. The ISO series is not free.
The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.
It is not a comprehensive information security framework; its focus is on privacy, and it is rather a complement to a framework for information security.
The Cyber Security Framework (CSF) was created by NIST in 2014 to better protect critical infrastructure from cyberattacks. The CSF provides a free guide to information security, divided into five categories: identify, protect, detect, respond, and recover.
It is not a comprehensive security framework, but a solid foundation for small organizations that cannot afford the time or investment in ISO or NIST 800-53. It could also be effective as an introduction for nontechnical executives who are responsible for information security decisions.
NIST first published its Special Publication 800-53 in 1990 in order to help non-military federal agencies adapt to Federal Information Processing Standards (FIPS). The framework contains several best practices for information security in government.
It is a free and very comprehensive framework and all needed documents are available through government websites.
MSB's (informationsecurity.se) method for systematic information security work is aimed at those who work with information security in an organization, regardless of the business area and the size of the organization. The method should be used if your organization is just getting started with introducing a systematic way of working, but also if your organization already has a lot in place.
The method is based on the standard ISO/IEC 27001 Information security management system and it is free.
COBIT (Control Objectives for Information and Related Technologies) is comparable to HITRUST but for the financial industry. Created by the Information Systems Audit and Control Association (ISACA), the controls and best practices were defined in the 1990s for financial auditors but were quickly expanded to all industries.
COBIT is a high-level system that integrates the overlapping elements of major CSFs. It divides the IT process into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, is a set of standards and regulations that are meant to protect sensitive information in the healthcare industry. HIPAA compliance involves protecting health information and making sure that only those medical professionals, vendors, and other need-to-know people have access to patient health information.
HITRUST Alliance is a private organization led by representatives from the healthcare industry. HITRUST’s CSF was created in 2007 to give healthcare organizations clear, actionable guidelines for information security. It was made with HIPAA compliance and the healthcare industry in mind, but is available for all organizations in all industries. It is especially useful for any industry that deals with regulation and private data. Like other newer CSFs, it builds on the most common existing ones, with the claim that it unites and draws on elements of ISO, NIST, PCI, HIPAA, and state laws.
HITRUST is risk-based, free for qualified organizations, and certification is available.
Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by the five major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to combat credit card fraud. It is not really a framework, as its scope is too limited, and its best practices do not comprehensively cover an organization’s whole operations.
Compliance with PCI DSS is not government mandated but is required by the credit card companies for every single enterprise that processes credit or debit card transactions and/or data, regardless of size or volume. If your organization stores or processes card data, PCI DSS must be part of your security framework.
The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements in a Security Target, which may be drawn from Protection Profiles. Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims.