Lesson 5: Frameworks, Standards & the Managerial Approach
The National Cyber Directorate's organizational cyber-defense doctrine carries a central message: cyber security is not a technology project for the IT department, but a business risk-management process. In this lesson we meet the main frameworks and standards (NIST, ISO 27001, SOC, PCI DSS, GDPR, a
Standards are the agreed 'rules of the game' for security. And the big message: cyber is a managerial-business decision, not just a matter of buying technology.
- Security Framework
- A structured set of guidelines and controls for managing information security and cyber risk (e.g. NIST CSF, CIS Controls, COBIT).
- NIST CSF (Cybersecurity Framework)
- A flexible (guiding, not mandatory) methodology for managing cyber risk, built from five functions: Identify, Protect, Detect, Respond, Recover.
- ISO/IEC 27001
- An international standard for establishing, implementing, and maintaining an Information Security Management System (ISMS).
- SOC 2
- An AICPA reporting standard assessing how a service provider manages customer data per the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
- PCI DSS
- A global standard, mandatory for organizations that handle credit-card data, for protecting cardholder data and preventing fraud in payment transactions.
- HIPAA
- A U.S. regulation setting standards for protecting sensitive patient health information (PHI).
- Cyber Defense Doctrine (v2.0)
- A National Cyber Directorate document that translates cyber defense into the managerial language of business risk management.
- CISO (Chief Information Security Officer)
- The executive responsible for the information-security strategy; per the doctrine the role shifts from a technical gatekeeper to a strategic planner in management.
- SOC 1
- An AICPA report assessing a service provider's controls that may affect its clients' financial reporting (ICFR) — unlike SOC 2, which focuses on security and operations.