Cyber Security Frameworks
In the present day, data is the most important asset of any organization, and protecting it is equally important. Data breaches are therefore among the biggest threats of the current era.
A cybersecurity framework is a set of steps, or guidelines in a predefined format, that an organization follows to maintain the security and privacy of its data against cyber-attacks. Mainly there are 4 cybersecurity frameworks which are adopted worldwide:
Types of Cybersecurity Frameworks
PCI DSS (47%) Payment Card Industry Data Security Standard:
It is a set of security controls that must be implemented to protect payment account data. It is designed to protect credit card, debit card, and cash card transactions. Every e-commerce website, such as Flipkart, Amazon, or eBay, that stores credit card or debit card information on its own servers needs to pass this assessment.
PCI DSS contains the following 12 high-level requirements, each of which is supported by a series of more detailed requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data based on the business’s need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
ISO 27001/27002 (35%) International Organization for Standardization:
The most important asset of a company anywhere in the world is its data, and it is an absolute disaster if sensitive information is stolen by an attacker. ISO 27001 is the international standard that describes best practices for an information security management system (ISMS).
It has 13 control sets:
- Information security policies: how policies are written and reviewed.
- Organization of information security: responsibilities for specific tasks.
- Human resource security: checking that employees understand their roles and responsibilities.
- Asset Management: identifying information assets and defining appropriate protection.
- Access control: making sure that employees can see only the information relevant to their job.
- Cryptography: encryption and decryption mechanisms.
- Physical and environmental security: securing the organization's premises.
- Operations security: ensuring that information being processed and transferred is secure.
- Communications security: how to protect the network while communicating.
- System acquisition, development, and maintenance: To make sure that information security is a central part of the organization.
- Supplier relationships: the agreements made with third parties.
- Information security incident management: how to report security breaches and who is responsible for handling them.
- Compliance: To identify the laws and regulations that are applied to the organization.
CIS Critical Security Controls (32%):
A prioritized set of actions for cyber defense that provides specific and actionable ways to stop today's most pervasive and dangerous attacks.
Its aim is to leverage the battle-tested expertise of the global IT community against cyber-attacks.
It focuses security resources on proven best practices rather than depending on a vendor's solutions.
NIST Framework (29%): A framework for improving critical infrastructure cybersecurity, with the goal of improving an organization's readiness for managing cybersecurity risk by leveraging standard methodologies and processes.
Health Insurance Portability and Accountability Act (HIPAA)
Health care is an excellent example of the requirements and application of individual privacy principles. Protecting a private individual's medical information from disclosure and misuse is a prime example of privacy law. Some of the common health care security issues are as follows:
- Access controls of most health care information systems do not provide sufficient granularity to implement the principle of least privilege among users.
- Most off-the-shelf applications do not incorporate adequate information security controls.
- Systems must be accessible to outside partners, members, and some vendors. Providing these users with the necessary access over the Internet creates the potential for violations of the privacy and integrity of information.
- Criminal and civil penalties can be imposed for the improper disclosure of medical information.
- A large organization’s misuse of medical information can cause the public to change its perception of the organization.
Health care organizations should adhere to the following information privacy principles (based on European Union principles):
- An individual should have the means to monitor the database of stored information about them and should have the ability to change or correct that information.
- Information obtained for one purpose should not be used for another purpose.
- Organizations collecting information about individuals should ensure that the information is provided only for its intended use and should provide safeguards against the misuse of this information.
- The existence of databases containing personal information should not be kept secret.