I recently wrote a post about my experience with the GRC Masterclass that Dr. Gerald Auger created. It was a great class and I highly recommend taking it. In this post I want to highlight the major frameworks and give a general overview of each (along with a handy set of links so you can start digging into them yourself). So this is a summary of what I’ve learned about the frameworks available, and also a list of links worth keeping around if you are interested in exploring the GRC side of things further.
The two that seem most popular in the United States for a comprehensive business security perspective are the SOC framework and the NIST Cybersecurity Framework. SOC requires more resources, time, and effort from more parties than the NIST framework. Depending on the level of SOC one wants to implement (SOC 1-3) and the type (Type 1 or Type 2), the review process alone (performed quarterly) can take a year before a third-party auditor (a Certified Public Accountant) issues the report. The NIST framework, by contrast, is free, comes with a great deal of support resources, cross-references other frameworks for clarification, doesn’t require an independent auditor, and is considerably less resource heavy than SOC. Additionally, SOC isn’t a certification, only an attestation.
Alternatives include the ISO 27001/ISO 27002 framework, which is prominent in Europe and has resource requirements similar to those of the SOC framework; the CIS Controls (v8), which are produced by the SANS Institute; HIPAA, which is aimed at healthcare; NIST SP 800-53, with over 900 control requirements; GDPR, which is aimed at European companies; and the Payment Card Industry Data Security Standard (PCI DSS).
One might be tempted to include the MITRE ATT&CK framework, but it is designed to help understand malicious attacks (adversary tactics and techniques) and therefore does not cover other threat categories such as environmental ones. It can be useful in combination with a more comprehensive framework, but it is not suggested as the primary framework for a comprehensive cybersecurity program. It is, however, important to know this framework if you intend to work in the information security field at all.
Many of the frameworks listed above come with an upfront cost to purchase the framework’s controls. Additional costs can come from any training required to fully understand the framework or how to implement it, from having a third-party auditor test the controls and report on compliance, or from additional testing. That leaves the NIST Cybersecurity Framework as the least expensive and easiest-to-implement framework that still retains enough credibility and effectiveness at securing an environment to be worth implementing.