Many organizations must comply with a mixture of state-mandated, industry-specific, and international cybersecurity regulations. The challenge for an organization trading nationally, or even globally, is considerable.
According to Tenable’s Trends in Security Framework Adoption Survey, 84% of organizations in the US tackle this issue with the help of a security framework, and 44% use more than one.
The most cyber secure sector
Of all the companies considered in the survey, those in the banking and finance sector most frequently adopted security frameworks (16%), followed closely by information technology (15%).
The health care and medical sector was the worst, with 27% not having any framework in place at all.
What are the most popular cybersecurity frameworks?
The most frequently adopted frameworks should come as no surprise to security practitioners. In this next section, we’ll run through them and explain why they are so popular.
- NIST Framework for Improving Critical Infrastructure Security
Used by 29% of organizations, the NIST (National Institute of Standards and Technology) Cybersecurity Framework is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.
However, the Cybersecurity Framework has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. Indeed, the document is regularly being amended to adapt to changing industry needs.
- CIS Critical Security Controls
Used by 32% of organizations, the CIS Critical Security Controls are a set of 20 actions designed to mitigate the threat of the majority of common cyber attacks.
The controls were designed by a group of volunteer experts from a range of fields, including cyber analysts, consultants, academics, and auditors.
- ISO 27001
Used by 35% of organizations, ISO 27001 is the international standard that describes best practice for implementing an ISMS (information security management system).
Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.
- PCI DSS
Used by 47% of organizations, the PCI DSS (Payment Card Industry Data Security Standard) governs the way credit and debit card information is handled.
The Standard applies to any organization (regardless of size or number of transactions) that accepts, stores, transmits or processes cardholder data.
Organizations that comply with its requirements are in a better position to spot vulnerabilities that could be exposed by criminal hackers or lead to internal data breaches – thus protecting customers from stressful situations and organizations from embarrassing or costly security incidents.
Although not federally mandated in the United States, PCI DSS is mandated by the Payment Card Industry Security Standards Council, which is made up of the major credit card brands, and is therefore an industry standard rather than a law. Some states have even incorporated the standard into their laws.
Does company size matter?
Companies with more than 10,000 employees are slightly more likely to have adopted a security framework (90%), but even smaller companies with fewer than 1,000 employees report significant rates of adoption (77%).
Complying with multiple cybersecurity regulations
As the number of cyber attacks continues to rise, businesses are under increasing pressure to protect their systems from cyber attacks and data misuse. But the challenge of complying with multiple cybersecurity regulations is considerable.
The ISO 27001 Cybersecurity Documentation Toolkit will help you fulfill your cybersecurity obligations, build a robust cybersecurity management system, and comply with:
- NIST SP 800-53
- New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies
- Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
- ISO 27001, the internationally recognized cybersecurity framework
Containing customizable templates developed by industry experts, this toolkit provides a framework for you to build a robust management system that complies with multiple regulations.
Lead your ISO 27001 project with Lead Implementer training
This three-day live online course will help you implement an ISMS, allowing your business to achieve and demonstrate compliance with key legislation where data security is essential, including the New York DFS Cybersecurity Requirements (23 NYCRR 500), NIST SP 800-53, FedRAMP, and the Sarbanes–Oxley Act.
A version of this blog was originally published on 17 January 2019.