Difference between revisions of "LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/What are the major regulations and standards dictating cybersecurity action?"

From LIMSWiki
(Updated to template)
<div align="center">-----Return to [[LII:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan|the beginning]] of this guide-----</div>


 
{{Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/What are the major regulations and standards dictating cybersecurity action?}}
==2. What are the major regulations and standards dictating cybersecurity action?==
To be fair, the question of which regulations and standards affect how an organization implements cybersecurity is a most difficult one to answer. Not only do related regulations and standards vary by industry, they also vary by geography, complexity, and ease of implementation. Let's turn to the example of data retention requirements for businesses. Consider this software system requirements statement:
 
<blockquote>''The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.''</blockquote>
 
Recent updates to LIMSpec have identified the following national and international regulations, standards, and guidance (Table 1) that tie into data retention and the protection of that retained data (and that list will certainly continue to grow):
 
{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="100%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="2"|'''Table 1.''' Regulations, standards, and guidance affecting data retention and the security of retained data
|-
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|
[https://www.law.cornell.edu/cfr/text/7/331.17 7 CFR Part 331.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/9/121.17 9 CFR Part 121.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/11.10 21 CFR Part 11.10 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/58.195 21 CFR Part 58.195]<br />
[https://www.law.cornell.edu/cfr/text/21/211.180 21 CFR Part 211.180]<br />
[https://www.law.cornell.edu/cfr/text/21/211.110 21 CFR Part 212.110 (c)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.42 21 CFR Part 225.42 (b-8)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.58 21 CFR Part 225.58 (c–d)]<br />
[https://www.law.cornell.edu/cfr/text/21/225.102 21 CFR Part 225.102]<br />
[https://www.law.cornell.edu/cfr/text/21/225.110 21 CFR Part 225.110]<br />
[https://www.law.cornell.edu/cfr/text/21/225.158 21 CFR Part 225.158]<br />
[https://www.law.cornell.edu/cfr/text/21/225.202 21 CFR Part 225.202]<br />
[https://www.law.cornell.edu/cfr/text/21/226.42 21 CFR Part 226.42 (a)]<br />
[https://www.law.cornell.edu/cfr/text/21/226.58 21 CFR Part 226.58 (f)]<br />
[https://www.law.cornell.edu/cfr/text/21/226.102 21 CFR Part 226.102]<br />
[https://www.law.cornell.edu/cfr/text/21/226.115 21 CFR Part 226.115]<br />
[https://www.law.cornell.edu/cfr/text/21/312.57 21 CFR Part 312.57]<br />
[https://www.law.cornell.edu/cfr/text/21/312.62 21 CFR Part 312.62]<br />
[https://www.law.cornell.edu/cfr/text/21/606.160 21 CFR Part 606.160 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/812.140 21 CFR Part 812.140 (d)]<br />
[https://www.law.cornell.edu/cfr/text/21/820.180 21 CFR Part 820.180 (b)]<br />
[https://www.law.cornell.edu/cfr/text/29/1910.1030 29 CFR Part 1910.1030 (h-2)]<br />
[https://www.law.cornell.edu/cfr/text/40/141.33 40 CFR Part 141.33]<br />
[https://www.law.cornell.edu/cfr/text/40/141.722 40 CFR Part 141.722]<br />
[https://www.law.cornell.edu/cfr/text/40/part-704/subpart-A 40 CFR Part 704 Subpart A]<br />
[https://www.law.cornell.edu/cfr/text/40/717.15 40 CFR Part 717.15 (d)]<br />
[https://www.law.cornell.edu/cfr/text/42/73.17 42 CFR Part 73.17 (c)]<br />
[https://www.law.cornell.edu/cfr/text/42/493.1105 42 CFR Part 493.1105]<br />
[https://www.law.cornell.edu/cfr/text/42/493.1283 42 CFR Part 493.1283]<br />
[https://www.law.cornell.edu/cfr/text/45/164.105 45 CFR Part 164.105]<br />
[https://www.law.cornell.edu/cfr/text/45/164.316 45 CFR Part 164.316]<br />
[https://www.law.cornell.edu/cfr/text/45/164.530 45 CFR Part 164.530]<br />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|
[https://www.aafco.org/Publications/QA-QC-Guidelines-for-Feed-Laboratories AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 4.10.1.2]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 4.10.2.1]<br />
[https://www.aavld.org/accreditation-requirements-page AAVLD Requirements for an AVMDL Sec. 5.4.3.2]<br />
[http://www.abft.org/files/ABFT_LAP_Standards_May_31_2013.pdf ABFT Accreditation Manual Sec. E-33]<br />
[https://www.aihaaccreditedlabs.org/Policies/Pages/default.aspx AIHA-LAP Policies 2018 2A.7.5.1]<br />
[http://des.wa.gov/sites/default/files/public/documents/About/1063/RFP/Add7_Item4ASCLD.pdf ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2]<br />
[http://des.wa.gov/sites/default/files/public/documents/About/1063/RFP/Add7_Item4ASCLD.pdf ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7]<br />
[https://www.astm.org/Standards/E1578.htm ASTM E1578-18 E-17-4]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.3.4]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.6–7]<br />
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-7.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-1/dir_2003_94/dir_2003_94_en.pdf E.U. Commission Directive 2003/94/EC Article 9.1]<br />
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-1/dir_2003_94/dir_2003_94_en.pdf E.U. Commission Directive 2003/94/EC Article 11.4]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. III, Sec. 15]<br />
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. IV, Sec. 8]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.18]<br />
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.11.17]<br />
[https://www.epa.gov/quality/guidance-quality-assurance-project-plans-epa-qag-5 EPA QA/G-5 2.1.9]<br />
[https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br />
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AT-4]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, AU-11 and AU-11(1)]<br />
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf NIST 800-53, Rev. 4, SI-12]<br />
[http://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.4]<br />
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Sampling Procedures for PDP 6.5]<br />
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.8–9]
|-
|}
|}
 
You'll notice many nods to the U.S. Code of Federal Regulations (CFR), as well as E.U. law, agency requirements, accreditation requirements, standards, and guidelines for just this one system specification and security control. Additionally, there are surely other entities not listed in Table 1 that demand this requirement of information system users. This example illustrates the complexity of making a complete and accurate list of regulations, standards, guidance, and other bodies of work demanding data protection from organizations.
 
That said, other types of legislation and standards relevant to cybersecurity stand out. Examples of legislation that mandate cybersecurity action include 23 NYCRR 500, the Federal Information Systems Management Act (FISMA), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), IC Directive 503, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Sarbanes-Oxley Act.<ref name="AulakhCISOS19">{{cite web |url=https://ignyteplatform.com/top-30-security-frameworks-2019/ |title=CISOS Ultimate Guide for Top 30 Security Control Frameworks - 2019 |author=Aulakh, M. |work=Ignyte Assurance Platform |publisher=Mafazo LLC |date=25 February 2019 |accessdate=23 July 2020}}</ref> Of the standards not mentioned in Table 1, ANSI UL 2900-2-1 for networked medical devices, IEEE 1686-2013 for intelligent electronic devices, and ISO/IEC 27032:2012 for cybersecurity are also representative examples of standards-based efforts to improve cybersecurity in numerous industries.<ref name="Cleaveland10Key18">{{cite web |url=https://enterpriseiotinsights.com/20180924/fundamentals/10-key-private-sector-cybersecurity-standards |title=10 key private-sector cybersecurity standards |author=Cleaveland, P. |work=Enterprise IOT Insights - Fundamentals |publisher=Arden Media Company, LLC |date=24 September 2018 |accessdate=23 July 2020}}</ref>
 
Despite the difficulty of laying out a complete picture of regulations and standards impacting cybersecurity approaches, we can confidently say a few things about those types of regulations and standards. First, the risks and consequences of poor security drive regulation and, more preferably<ref name="CiocoiuTheRole10">{{cite book |chapter=Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management |title=Advances in Risk Management |author=Ciocoiu, C.N.; Dobrea, R.C. |editor=Nota, G. |publisher=IntechOpen |year=2010 |isbn=9789535159469 |doi=10.5772/9893}}</ref><ref name="JPMorganData18">{{cite web |url=https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf |archiveurl=https://web.archive.org/web/20191214203246/https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf |format=PDF |title=Data Standardization: A Call to Action |publisher=JPMorgan Chase & Co |date=May 2018 |archivedate=14 December 2019 |accessdate=23 July 2020}}</ref>, standardization, which in turn moves the "goalposts" of cybersecurity among organizations. In the case of regulations, those organizations that get caught not conforming to applicable regulations tend to suffer negative consequences, providing some incentive for them to improve organizational processes. One of the downsides of regulations is that they can at times be "imprecise" or "disconnected"<ref name="JPMorganData18" /> from what actually occurs within the organization and its information systems.
Rather than compelling significant focus on regulatory conformance, cybersecurity standards may, when adopted, provide a clearer path of opportunity for organizations to instead focus on improving their cybersecurity culture and outcomes, particularly since standards are usually developed with a broader consensus of interested individuals with expertise in the field.<ref name="CiocoiuTheRole10" /> In turn, the organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of cybersecurity.
 
That's not to say that compliance with regulations and standards alone can stop critical risks in their tracks<ref name="KaplanManaging12">{{cite web |url=https://hbr.org/2012/06/managing-risks-a-new-framework |title=Managing Risks: A New Framework |author=Kaplan, R.S.; Mikes, A. |work=Harvard Business Review |date=June 2012 |accessdate=23 July 2020}}</ref>:
 
<blockquote>Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.</blockquote>
 
Second, modern cybersecurity standards frameworks and controls, which help guide organizations in developing a cybersecurity strategy, are typically harmonized with other standards and updated as business processes, technologies, cyber threats, and regulations evolve. For example, the industry-specific ''Water Sector Cybersecurity Risk Management Guidance v3.0'', which contains a set of cybersecurity controls as they relate to the water and wastewater sectors, is harmonized with the NIST Cybersecurity Framework.<ref name="AWWACyber19">{{cite web |url=https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance |title=Water Sector Cybersecurity Risk Management Guidance |author=West Yost Associates |publisher=American Water Works Association |date=04 September 2019 |accessdate=23 July 2020}}</ref> And NIST's Special Publication 800-171, Revision 2: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations'' has controls mapped to ISO/IEC 27001:2013 controls.<ref name="NISTSP800-171_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |title=NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=February 2020 |accessdate=23 July 2020}}</ref> These and other signs point to some consolidation of thought on influential cybersecurity standards, as well as on what constitutes relevant and necessary action toward better preparing an organization for cyber threats and their potential consequences.
 
Third, when it comes to the question of what regulations are driving an organization to embrace cybersecurity, the general answer is "it's specific to each organization." While it's true that industries have their own regulations, and organizations in those industries often share the same set of challenges, additional factors such as regional requirements (e.g., the European Union General Data Protection Regulation [GDPR] and the California Consumer Privacy Act [CCPA]) and even local requirements (e.g., privacy rules and guidelines, banning of specific technology in a city<ref name="WaddellCities19">{{cite web |url=https://www.axios.com/cities-data-privacy-laws-fa0be8cb-234f-4237-b670-10ad042a772e.html |title=Cities are writing privacy policies |author=Waddell, K. |work=Axios |date=29 June 2019 |accessdate=23 July 2020}}</ref>) will affect how the organization must operate. This information-gathering process is a unique aspect of organizational cybersecurity planning; in the end it's up to the organization to "identify all obligatory cybersecurity requirements and controls with which it must comply."<ref name="CGIUnderstand19">{{cite web |url=https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf |format=PDF |title=Understanding Cybersecurity Standards |publisher=CGI, Inc |date=April 2019 |accessdate=23 July 2020}}</ref> Armed with that information, the organization can integrate those identified requirements and controls with an existing baseline framework of broad and industry-specific cybersecurity controls, as well as any internal standards and control objectives specific to the organization and its policy requirements.<ref name="CGIUnderstand19" />
 
===2.1 Cybersecurity standards frameworks===
What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.<ref name="CGIUnderstand19" /> Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.
 
Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."<ref name="RayomeHowTo19">{{cite web |url=https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/ |title=How to choose the right cybersecurity framework |author=Rayome, A.D. |work=TechRepublic |publisher=CBS Interactive |date=07 March 2019 |accessdate=23 July 2020}}</ref> Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.<ref name="SladeSecurity11">{{cite web |url=http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf |format=PDF |title=Security Frameworks |author=Slade, R.M. |publisher=Illinois Institute of Technology |date=2011 |accessdate=23 July 2020}}</ref>
 
Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. According to at least one authority, the top four cybersecurity standards frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=23 July 2020}}</ref> These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:
 
{|
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="85%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 2.''' Examples of cybersecurity standards frameworks and standards
|-
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Name
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework type
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Industry
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ANSI/ISA 62443 Standards<ref name="ISAThe62443_16">{{cite web |url=https://cdn2.hubspot.net/hubfs/3415072/Resources/The%2062443%20Series%20of%20Standards.pdf |format=PDF |title=The 62443 series of standards |publisher=ISA |date=December 2016 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ISA
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control and Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industrial automation and control systems
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Baseline Cyber Security Controls for Small and Medium Organizations<ref name="CCCSBaseline19">{{cite web |url=https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations |title=Baseline Cyber Security Controls for Small and Medium Organizations |publisher=Canadian Centre for Cyber Security |date=20 November 2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; small and medium organizations
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS) Controls<ref name="CISThe20_19">{{cite web |url=https://www.cisecurity.org/controls/cis-controls-list/ |title=The 20 CIS Controls & Resources |work=CIS Controls |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Controls Matrix<ref name="CSA_CSM19">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud services and implementation
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Code Quality Standards<ref name="CISQCode19">{{cite web |url=https://www.it-cisq.org/standards/code-quality-standards/index.htm |title=Code Quality Standards |publisher=Consortium for Information & Software Quality |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Consortium for Information & Software Quality
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Software development
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control Objectives for Information and Related Technologies (COBIT)<ref name="ISACA_COBIT19">{{cite web |url=http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |archiveurl=https://web.archive.org/web/20200121085305/http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |title=COBIT 4.1: Framework for IT Governance and Control |publisher=Information Systems Audit and Control Association |date=2019 |archivedate=21 January 2020 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Systems Audit and Control Association
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Critical Infrastructure Protection (CIP) Standards<ref name="NERC_CIP17">{{cite web |url=https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx |title=CIP Standards |publisher=North American Electric Reliability Corporation |date=2017 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|North American Electric Reliability Corporation
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Utilities
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity Assessment Tool<ref name="FFIECCyber17">{{cite web |url=https://www.ffiec.gov/cyberassessmenttool.htm |title=Cybersecurity Assessment Tool |publisher=Federal Financial Institutions Examination Council  |date=May 2017 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Financial Institutions Examination Council
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Financial services
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Essential Cybersecurity Controls (ECC - 1: 2018)<ref name="NCAEssential18">{{cite web |url=https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf |format=PDF |title=Essential Cybersecurity Controls (ECC - 1: 2018) |publisher=National Cybersecurity Authority of Saudi Arabia |date=2018 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Cybersecurity Authority of Saudi Arabia
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ETSI TR 103 305 V1.1.1<ref name="ETSICritical15">{{cite web |url=https://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf |format=PDF |title=Critical Security Controls for Effective Cyber Defence |publisher=European Telecommunications Standards Institute |date=May 2015 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|European Telecommunications Standards Institute
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Telecommunications
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Information Processing Standards (FIPS)<ref name="NISTCompli19">{{cite web |url=https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips |title=Compliance FAQs: Federal Information Processing Standards (FIPS) |work=Standards.gov |publisher=National Institute of Standards and Technology |date=15 November 2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|HISO 10029:2015 Health Information Security Framework<ref name="MoH_HISO19">{{cite web |url=https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework |title=HISO 10029:2015 Health Information Security Framework |publisher=New Zealand Ministry of Health |date=21 June 2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Ministry of Health
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Healthcare
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST CSF<ref name="HITRUSTCSF19">{{cite web |url=https://hitrustalliance.net/hitrust-csf/ |title=HITRUST CSF |publisher=HITRUST Alliance |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST Alliance
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 15408-1:2009<ref name="ISO15408_14">{{cite web |url=https://www.iso.org/standard/50341.html |title=ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |publisher=International Organization for Standardization |date=January 2014 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27001:2013<ref name="ISO27001_19">{{cite web |url=https://www.iso.org/standard/54534.html |title=ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements |publisher=International Organization for Standardization |date=03 June 2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST Cybersecurity Framework<ref name="NISTCyber19">{{cite web |url=https://www.nist.gov/cyberframework |title=Cybersecurity Framework |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations<ref name="NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. federal information systems and organizations
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<ref name=NISTSP800-171_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |title=NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=February 2020 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. non-federal information systems and organizations
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|OCTAVE Allegro<ref name="CaralliIntro07">{{cite web |url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419 |title=Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process |author=Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. |publisher=Software Engineering Institute |date=2007 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Software Engineering Institute
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-Neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Payment Card Industry Data Security Standards (PCI DSS) V3.2.1<ref name="PCIData18">{{cite web |url=https://www.pcisecuritystandards.org/document_library |title=Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures |publisher=PCI Security Standards Council, LLC |date=May 2018 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|PCI Security Standards Council, LLC
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|"All entities involved in payment card processing"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Protective Security Requirements<ref name="NZProtect19">{{cite web |url=https://www.protectivesecurity.govt.nz/ |title=Protective Security Requirements |publisher=New Zealand Security Intelligence Service |date=August 2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Security Intelligence Service
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework<ref name="SCFSecure19">{{cite web |url=https://www.securecontrolsframework.com/secure-controls-framework |title=Secure Controls Framework (SCF) |publisher=Secure Controls Framework Council, LLC |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework Council, LLC
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Sherwood Applied Business Security Architecture (SABSA)<ref name="SABSAExec18">{{cite web |url=https://sabsa.org/sabsa-executive-summary/ |title=SABSA Executive Summary |publisher=The SABSA Institute C.I.C |date=2018 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The SABSA Institute C.I.C.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Program and Risk
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Enterprise-level business
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Standard of Good Practice for Information Security 2018<ref name="ISFTheISF18">{{cite web |url=https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/ |title=The ISF Standard of Good Practice for Information Security 2018 |publisher=Information Security Forum Ltd |date=2018 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Security Forum Ltd.
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|System and Organization Controls for Cybersecurity (SOC-C)<ref name="AICPA_SOC19">{{cite web |url=https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html |title=SOC for Cybersecurity |publisher=Association of International Certified Professional Accountants |date=2019 |accessdate=23 July 2020}}</ref>
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Association of International Certified Professional Accountants
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Water Sector Cybersecurity Risk Management Guidance v3.0<ref name="AWWACyber19" />
  | style="background-color:white; padding-left:10px; padding-right:10px;"|American Water Works Association
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Water and wastewater
|-
|}
|}
 
Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 4 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.<ref name="WatsonTopFour19" /> NIST SP 800-53, Rev. 4 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."<ref name="NISTNIST19">{{cite web |url=https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework |title=NIST Marks Fifth Anniversary of Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=12 February 2019 |accessdate=23 July 2020}}</ref><ref name="PerryExplain19">{{cite web |url=https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/ |title=Explaining the Breakout Success of the NIST Cybersecurity Framework |author=Perry, J. |work=Infosecurity Magazine |publisher=Reed Exhibitions Limited |date=16 April 2019 |accessdate=23 July 2020}}</ref>
 
==References==
{{Reflist|colwidth=30em}}
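Review bot: three of the named references in this table open their name attribute without the leading quotation mark (<ref name=NISTCyber19">, <ref name=NISTSP800-53_18"> and <ref name=NISTSP800-171_18">), while every other named reference in these lines is written as name="..."; add the missing quote so the attribute is quoted consistently. The OCTAVE Allegro row also gives its industry as "Industry-Neutral" where the other rows use "Industry-neutral", and should match them.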
 





Revision as of 20:22, 24 July 2020


2. What are the major regulations and standards dictating cybersecurity action?

To be fair, the question of which regulations and standards affect how an organization implements cybersecurity is a most difficult one to answer. Not only do related regulations and standards vary by industry, they also vary by geography, complexity, and ease of implementation. Let's turn to the example of data retention requirements for businesses. Consider this software system requirements statement:

The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period.

Through recent updates to LIMSpec, the following national and international regulations, standards, and guidance (Table 1) that tie into data retention and the protection of that retained data have been found (and that list will certainly continue to grow):

Table 1. Regulations, standards, and guidance affecting data retention and the security of retained data

7 CFR Part 91.30
7 CFR Part 331.17 (c)
9 CFR Part 2.35
9 CFR Part 121.17 (c)
10 CFR Part 20.2103–10
10 CFR Part 30.34 (g)
10 CFR Part 30.51–2
21 CFR Part 1.1154 (a)
21 CFR Part 11.10 (c)
21 CFR Part 58.195
21 CFR Part 106.100 (n)
21 CFR Part 112.164
21 CFR Part 114.100 (e)
21 CFR Part 117.315
21 CFR Part 120.12
21 CFR Part 123.9
21 CFR Part 129.80 (h)
21 CFR Part 211.180
21 CFR Part 212.110 (c)
21 CFR Part 225.42 (b-8)
21 CFR Part 225.58 (c–d)
21 CFR Part 225.102
21 CFR Part 225.110
21 CFR Part 225.158
21 CFR Part 225.202
21 CFR Part 226.42 (a)
21 CFR Part 226.58 (f)
21 CFR Part 226.102
21 CFR Part 226.115
21 CFR Part 312.57
21 CFR Part 312.62
21 CFR Part 507.208
21 CFR Part 606.160 (d)
21 CFR Part 812.140 (d)
21 CFR Part 820.180 (b)
29 CFR Part 1910.120 (f)(8)
29 CFR Part 1910.1030 (h-2)
40 CFR Part 141.33
40 CFR Part 141.722
40 CFR Part 262.11 (f)
40 CFR Part 262.40
40 CFR Part 262.213
40 CFR Part 704 Subpart A
40 CFR Part 717.15 (d)
42 CFR Part 73.17 (c)
42 CFR Part 93.313 (h)
42 CFR Part 93.317
42 CFR Part 493.1105
42 CFR Part 493.1283
45 CFR Part 164.105
45 CFR Part 164.316
45 CFR Part 164.530
61 FR 38806, 9 CFR Part 310.25
61 FR 38806, 9 CFR Part 381.94
61 FR 38806, 9 CFR Part 417.5
A2LA C223 5.4
A2LA C223 5.9
AAFCO QA/QC Guidelines for Feed Laboratories Sec. 2.4.4 or 3.1
AAVLD Requirements for an AVMDL Sec. 4.10.1.2
AAVLD Requirements for an AVMDL Sec. 4.10.2.1
AAVLD Requirements for an AVMDL Sec. 5.4.3.2
ABFT Accreditation Manual Sec. E-33
ACMG Technical Standards for Clinical Genetics Laboratories C1.5
ACMG Technical Standards for Clinical Genetics Laboratories C5.6
ACMG Technical Standards for Clinical Genetics Laboratories E2.1
AIHA-LAP Policies 2022 2A.7.5.1
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 4.14.1.2 and 4.15.1.2
ASCLD/LAB Supp. Reqs. for the Accreditation of Forensic Science Testing Laboratories 5.9.3.6 and 5.9.7
ASTM E1578-18 E-17-4
BRC GSFS, Issue 8, 3.3.2
CAP Laboratory Accreditation Manual
CDC Biosafety in Microbiological and Biomedical Laboratories (BMBL), 6th Edition
CJIS Security Policy 5.3.4
CJIS Security Policy 5.4.6–7
CJIS Security Policy 5.5.2.1
CLSI QMS22 2.8.3
Codex Alimentarius CXC 1-1969, Ch.1, 7.4
EMA Guidance on Good Manufacturing Practice and Good Distribution Practice
E.U. Annex 11-7.1
E.U. Commission Directive 2003/94/EC Article 9.1
E.U. Commission Directive 2003/94/EC Article 11.4
E.U. Commission Reg. No. 852/2004 Annex I, Section III.8.d
E.U. Commission Reg. No. 852/2004 Annex I, Section III.9.c
EPA 815-R-05-004 Chap. III, Sec. 15
EPA 815-R-05-004 Chap. IV, Sec. 8
EPA ERLN Laboratory Requirements 4.9.18
EPA ERLN Laboratory Requirements 4.11.17
EPA QA/G-5 2.1.9
GFSI Benchmarking Rqmts., v2020.1, Part 3, A1, A2, B1, B2, B3, C0, C1, C2, C3, C4, I - FSM 9.2.1
GFSI Benchmarking Rqmts., v2020.1, Part 3, D - FSM 9.2.2
GFSI Benchmarking Rqmts., v2020.1, Part 3, K - FSM 9.2.3
ICH GCP 4.9.5
IFS Food 7, Part 2, 2.1.2.2
IFS PACsecure 2, Part 2, 2.1.2.2
ISO 15189:2012 4.3
ISO/IEC 17025:2017 8.4.2
NIST 800-53, Rev. 5, AT-4
NIST 800-53, Rev. 5, AU-11 and AU-11(1)
NIST 800-53, Rev. 5, SI-12
NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards
OECD GLP Principles 10
OSHA 1910.1020(d)(1)(i–ii)
OSHA 1910.1450(j)(2)
PFP Human and Animal Food Testing Laboratories Best Practices Manual
Safe Food for Canadians Regulations SOR/2018-108 Division 3, 48 (4)
Safe Food for Canadians Regulations SOR/2018-108 Part 5, 90
SQF FSC 9, Food Manufacturing, Part B, 2.2.3.3
SQF FSC 9, Pet Food Manufacturing, Part B, 2.2.3.3
SQF FSC 9, Manufacture of Food Packaging, Part B, 2.2.3.3
TNI EL-V1-2016-Rev.2.1 (throughout)
USDA Administrative Procedures for the PDP 5.4
USDA Hemp Production Program Laboratory Testing Guidelines, Information Sharing 2
USDA LAS Laboratory Approval Program (LAP) Policies and Procedures 10c
USDA Sampling Procedures for PDP 6.5
WADA International Standard for Laboratories (ISL) 5.2.3.5 and 5.4.4
WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI) 10.0
WHO Technical Report Series, #986, Annex 2, 15.8–9
WHO Technical Report Series, #996, Annex 5, 11.15 and Appendix 1

You'll notice many nods to U.S. Code of Federal Regulations (CFR), as well as E.U. law, agency requirements, accreditation requirements, standards, and guidelines for just this one system specification and security control. Additionally, there are surely other entities not listed in Table 1 that demand this requirement out of information system users. This example illustrates the complexity of making a complete and accurate list of regulations, standards, guidance, and other bodies of work demanding data protection from organizations.

That said, other types of legislation and standards relevant to cybersecurity stand out. Examples of legislation that mandate cybersecurity action include 23 NYCRR 500, the Federal Information Systems Management Act (FISMA), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), IC Directive 503, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Sarbanes-Oxley Act.[1] Of standards not mentioned in Table 1, ANSI UL 2900-2-1 for networked medical devices, IEEE 1686-2013 for intelligent electronic devices, and ISO/IEC 27032:2012 for cybersecurity are also representative examples of standard-based efforts to improve cybersecurity in numerous industries.[2]

Despite the difficulty of laying out a complete picture of regulations and standards impacting cybersecurity approaches, we can confidently say a few things about those types of regulations and standards. First, the risks and consequences of poor security drive regulation and, preferably[3][4], standardization, which in turn moves the "goalposts" of cybersecurity among organizations. In the case of regulations, those organizations that get caught not conforming to applicable regulations tend to suffer negative consequences, providing some incentive for them to improve organizational processes. One of the downsides of regulations is that they can at times be "imprecise" or "disconnected"[4] from what actually occurs within the organization and its information systems. Rather than compelling significant focus on regulatory conformance, cybersecurity standards may, when adopted, provide a clearer path of opportunity for organizations to instead focus on improving their cybersecurity culture and outcomes, particularly since standards are usually developed with a broader consensus of interested individuals with expertise in the field.[3] In turn, the organizations that adopt well-designed standards likely have a better chance of conforming to the regulations they must, and they'll likely have more interest in maintaining and improving the goalposts of cybersecurity.

That's not to say that compliance with regulations and standards alone can stop critical risks in their tracks[5]:

Rules and compliance can mitigate some critical risks but not all of them. Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.

Second, modern cybersecurity standards frameworks and controls, which help guide organizations in developing a cybersecurity strategy, are typically harmonized with other standards and updated as business processes, technologies, cyber threats, and regulations evolve. For example, the industry-specific Water Sector Cybersecurity Risk Management Guidance v3.0, which contains a set of cybersecurity controls as they relate to the water and wastewater sectors, is harmonized with the NIST Cybersecurity Framework.[6] And NIST's Special Publication 800-171, Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations has controls mapped to ISO/IEC 27001:2013 controls.[7] These and other signs point to some consolidation of thought on influential cybersecurity standards, as well as what constitutes relevant and necessary action toward making an organization better prepared for cyber threats and their potential consequences.

Third, when it comes to the question of what regulations are driving an organization to embrace cybersecurity, the general answer is "it's specific to each organization." While it's true that industries have their own regulations, and organizations in those industries often share the same set of challenges, additional factors such as regional requirements (e.g., the European Union's GDPR and the California Consumer Privacy Act [CCPA]) and even local requirements (e.g., privacy rules and guidelines, banning of specific technology in a city[8]) will affect how the organization must operate. This information-gathering process is a unique aspect of organizational cybersecurity planning; in the end it's up to the organization to "identify all obligatory cybersecurity requirements and controls with which it must comply."[9] Armed with that information, the organization can integrate those identified requirements and controls with an existing baseline framework of broad and industry-specific cybersecurity controls, as well as any internal standards and control objectives specific to the organization and its policy requirements.[9]

2.1 Cybersecurity standards frameworks

What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.[9] Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.

Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."[10] Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.[11]

Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. Top cybersecurity standards frameworks being leveraged by organizations include the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2022 and 27002:2022, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.[12][13] These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:

Table 2. Examples of cybersecurity standards frameworks and standards

Name | Developer | Framework type | Industry
ISA/IEC 62443 Standards[14] | ISA | Control and Program | Industrial automation and control systems
Baseline Cyber Security Controls for Small and Medium Organizations[15] | Canadian Centre for Cyber Security | Control | Industry-neutral; small and medium organizations
Center for Internet Security (CIS) Controls[16] | Center for Internet Security | Control | Industry-neutral
Cloud Controls Matrix[17] | Cloud Security Alliance | Control | Cloud services and implementation
Control Objectives for Information and Related Technologies (COBIT)[18] | Information Systems Audit and Control Association | Program | Industry-neutral
Cyber Essentials[19] | National Cyber Security Centre | Control | Industry-neutral
Cybersecurity Assessment Tool[20] | Federal Financial Institutions Examination Council | Control | Financial services
Cybersecurity Maturity Model Certification (CMMC) 2.0[21] | Department of Defense, Chief Information Officer | Control | Industry-neutral; U.S. federal information systems and organizations
Enterprise Risk Management—Integrating with Strategy and Performance[22] | Committee of Sponsoring Organizations of the Treadway Commission | Risk | Enterprise-level business
Essential Cybersecurity Controls (ECC - 1: 2018)[23] | National Cybersecurity Authority of Saudi Arabia | Control | Industry-neutral
Essential Eight[24] | Australian Cyber Security Centre | Control | Industry-neutral
ETSI TR 103 305-1 V4.1.2[25] | European Telecommunications Standards Institute | Control | Telecommunications
Federal Information Processing Standards (FIPS)[26] | National Institute of Standards and Technology | Control | Industry-neutral
HISO 10029:2022 Health Information Security Framework[27] | Health New Zealand | Control | Healthcare
HITRUST CSF v11.0.0[28] | HITRUST Alliance | Risk | Industry-neutral
ISO/IEC 5055:2021 (formerly the Automated Source Code Quality Measures)[29] | International Organization for Standardization (formerly by the Consortium for Information & Software Quality)[29] | Control | Software development
ISO/IEC 15408-1:2022[30] | International Organization for Standardization | Program | Industry-neutral
ISO/IEC 27001:2022[31] and 27002:2022[32] | International Organization for Standardization | Program | Industry-neutral
NERC Reliability Standards, CIP-002 (BES Cyber System Categorization)[33] | North American Electric Reliability Corporation | Control | Utilities
NIST Cybersecurity Framework[34] | National Institute of Standards and Technology | Program | Industry-neutral
NIST SP 800-53, Rev. 5 Security and Privacy Controls for Information Systems and Organizations[35] | National Institute of Standards and Technology | Control | Industry-neutral; U.S. federal information systems and organizations
NIST SP 800-66, Rev. 2 (Draft) Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide[36] | National Institute of Standards and Technology | Control | Healthcare
NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations[7] | National Institute of Standards and Technology | Control | Industry-neutral; U.S. non-federal information systems and organizations
OCTAVE Allegro[37] | Software Engineering Institute | Risk | Industry-neutral
OWASP Top Ten[38] | Open Web Application Security Project | Risk | Software development
Payment Card Industry Data Security Standards (PCI DSS) V4.0[39] | PCI Security Standards Council, LLC | Control | "All entities involved in payment card processing"
Protective Security Requirements[40] | New Zealand Security Intelligence Service | Program | Industry-neutral
Secure Controls Framework[41] | Secure Controls Framework Council, LLC | Control | Industry-neutral
Sherwood Applied Business Security Architecture (SABSA)[42] | The SABSA Institute C.I.C. | Program and Risk | Enterprise-level business
Standard of Good Practice for Information Security 2020[43] | Information Security Forum Ltd. | Control | Industry-neutral
System and Organization Controls for Cybersecurity (SOC-C)[44] | Association of International Certified Professional Accountants | Control | Industry-neutral
Water Sector Cybersecurity Risk Management Guidance v3.0[6] | American Water Works Association | Risk | Water and wastewater

Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 5 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.[13] NIST SP 800-53, Rev. 5 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."[45][46]

References

  1. Aulakh, M. (25 February 2019). "CISOS Ultimate Guide for Top 30 Security Control Frameworks - 2019". Ignyte Assurance Platform. Mafazo LLC. https://ignyteplatform.com/top-30-security-frameworks-2019/. Retrieved 21 March 2023. 
  2. Cleaveland, P. (24 September 2018). "10 key private-sector cybersecurity standards". Enterprise IOT Insights - Fundamentals. Arden Media Company, LLC. Archived from the original on 23 January 2021. https://web.archive.org/web/20210123040627/https://enterpriseiotinsights.com/20180924/fundamentals/10-key-private-sector-cybersecurity-standards. Retrieved 21 March 2023. 
  3. Ciocoui, C.N.; Dobrea, R.C. (2010). "Chapter 1. The Role of Standardization in Improving the Effectiveness of Integrated Risk Management". In Nota, G. Advances in Risk Management. IntechOpen. doi:10.5772/9893. ISBN 9789535159469.
  4. "Data Standardization: A Call to Action" (PDF). JPMorgan Chase & Co. May 2018. Archived from the original on 14 December 2019. https://web.archive.org/web/20191214203246/https://www.jpmorganchase.com/corporate/news/document/call-to-action.pdf. Retrieved 21 March 2023.
  5. Kaplan, R.S.; Mikes, A. (June 2012). "Managing Risks: A New Framework". Harvard Business Review. https://hbr.org/2012/06/managing-risks-a-new-framework. Retrieved 21 March 2023. 
  6. West Yost Associates (4 September 2019). "Water Sector Cybersecurity Risk Management Guidance". American Water Works Association. https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance. Retrieved 21 March 2023.
  7. "NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. February 2020. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final. Retrieved 21 March 2023.
  8. Waddell, K. (29 June 2019). "Cities are writing privacy policies". Axios. https://www.axios.com/2019/06/29/cities-data-privacy-laws. Retrieved 21 March 2023. 
  9. "Understanding Cybersecurity Standards" (PDF). CGI, Inc. April 2019. https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf. Retrieved 21 March 2023.
  10. Rayome, A.D. (7 March 2019). "How to choose the right cybersecurity framework". TechRepublic. CBS Interactive. https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/. Retrieved 21 March 2023. 
  11. Slade, R.M. (2011). "Security Frameworks" (PDF). Illinois Institute of Technology. http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf. Retrieved 21 March 2023. 
  12. Atumu, M. (22 December 2021). "Top 5 Cybersecurity Frameworks in 2022". Liquid Web Blog. https://www.liquidweb.com/blog/top-cybersecurity-frameworks/. Retrieved 21 March 2023. 
  13. Watson, M. (17 January 2019). "Top 4 cybersecurity frameworks". IT Governance USA Blog. GRC International Group plc. https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks. Retrieved 21 March 2023.
  14. "ISA/IEC 62443 Series of Standards". ISA. 2022. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards. Retrieved 21 March 2023. 
  15. "Baseline Cyber Security Controls for Small and Medium Organizations". Canadian Centre for Cyber Security. February 2020. https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations. Retrieved 21 March 2023. 
  16. "The 18 CIS Critical Security Controls". CIS Controls. 2023. https://www.cisecurity.org/controls/cis-controls-list/. Retrieved 21 March 2023. 
  17. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. 6 July 2021. https://cloudsecurityalliance.org/research/cloud-controls-matrix/. Retrieved 21 March 2023. 
  18. "COBIT 4.1: Framework for IT Governance and Control". Information Systems Audit and Control Association. 2019. Archived from the original on 21 January 2020. https://web.archive.org/web/20200121085305/http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx. Retrieved 21 March 2023. 
  19. "About Cyber Essentials". National Cyber Security Centre. 2023. https://www.ncsc.gov.uk/cyberessentials/overview. Retrieved 21 March 2023. 
  20. "Cybersecurity Assessment Tool". Federal Financial Institutions Examination Council. May 2017. https://www.ffiec.gov/cyberassessmenttool.htm. Retrieved 21 March 2023. 
  21. "Cybersecurity Maturity Model Certification". Department of Defense, Chief Information Officer. 2021. https://dodcio.defense.gov/CMMC/. Retrieved 21 March 2023. 
  22. "Enterprise Risk Management—Integrating with Strategy and Performance (2017)". Committee of Sponsoring Organizations of the Treadway Commission. 2017. https://www.coso.org/SitePages/Enterprise-Risk-Management-Integrating-with-Strategy-and-Performance-2017.aspx?web=1. Retrieved 21 March 2023. 
  23. "Essential Cybersecurity Controls (ECC - 1: 2018)" (PDF). National Cybersecurity Authority of Saudi Arabia. 2018. https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf. Retrieved 21 March 2023. 
  24. "Essential Eight". Australian Cyber Security Centre. 2023. https://www.cyber.gov.au/acsc/view-all-content/essential-eight. Retrieved 21 March 2023. 
  25. "Critical Security Controls for Effective Cyber Defence" (PDF). European Telecommunications Standards Institute. April 2022. https://www.etsi.org/deliver/etsi_tr/103300_103399/10330501/04.01.02_60/tr_10330501v040102p.pdf. Retrieved 21 March 2023. 
  26. "Compliance FAQs: Federal Information Processing Standards (FIPS)". Standards.gov. National Institute of Standards and Technology. 15 November 2019. https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips. Retrieved 21 March 2023. 
  27. "HISO 10029:2022 Health Information Security Framework". Health New Zealand. 23 December 2022. https://www.tewhatuora.govt.nz/publications/health-information-security-framework. Retrieved 21 March 2023. 
  28. "HITRUST CSF". HITRUST Alliance. 18 January 2023. https://hitrustalliance.net/product-tool/hitrust-csf/. Retrieved 21 March 2023. 
  29. "Software Quality Standards - ISO 5055". Consortium for Information & Software Quality. 2023. https://www.it-cisq.org/standards/code-quality-standards/. Retrieved 21 March 2023. 
  30. "ISO/IEC 15408-1:2022 Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model". International Organization for Standardization. August 2022. https://www.iso.org/standard/72891.html. Retrieved 21 March 2023. 
  31. "ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements". International Organization for Standardization. October 2022. https://www.iso.org/standard/82875.html. Retrieved 21 March 2023. 
  32. "ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls". International Organization for Standardization. February 2022. https://www.iso.org/standard/75652.html. Retrieved 21 March 2023. 
  33. "US Reliability Standards". North American Electric Reliability Corporation. 2023. https://www.nerc.com/pa/Stand/Pages/USRelStand.aspx. Retrieved 21 March 2023. 
  34. "Cybersecurity Framework". Cybersecurity Framework. National Institute of Standards and Technology. April 2018. https://www.nist.gov/cyberframework. Retrieved 21 March 2023. 
  35. "NIST SP 800-53, Rev. 5 Security and Privacy Controls for Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 10 December 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. Retrieved 21 March 2023. 
  36. "NIST SP 800-66, Rev. 2 (Draft) Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide". Computer Security Resource Center. National Institute of Standards and Technology. 21 July 2022. https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft. Retrieved 21 March 2023. 
  37. "OWASP Top Ten". OWASP Foundation. 2021. https://owasp.org/www-project-top-ten/. Retrieved 21 March 2023. 
  38. Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. (2007). "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process". Software Engineering Institute. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419. Retrieved 21 March 2023. 
  39. "Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures". PCI Security Standards Council, LLC. March 2022. https://www.pcisecuritystandards.org/document_library/. Retrieved 21 March 2023. 
  40. "Protective Security Requirements". New Zealand Security Intelligence Service. August 2019. https://www.protectivesecurity.govt.nz/. Retrieved 21 March 2023. 
  41. "Secure Controls Framework (SCF)". Secure Controls Framework Council, LLC. January 2023. https://securecontrolsframework.com/start-here/. Retrieved 21 March 2023. 
  42. "SABSA Executive Summary". The SABSA Institute C.I.C. 2023. https://sabsa.org/sabsa-executive-summary/. Retrieved 21 March 2023. 
  43. "The ISF Standard of Good Practice for Information Security 2020". Information Security Forum Ltd. 2020. https://www.securityforum.org/solutions-and-insights/standard-of-good-practice-for-information-security-2020/. Retrieved 21 March 2023. 
  44. "SOC for Cybersecurity". Association of International Certified Professional Accountants. 2022. https://www.aicpa.org/topic/audit-assurance/audit-and-assurance-greater-than-soc-for-cybersecurity. Retrieved 21 March 2023. 
  45. "NIST Marks Fifth Anniversary of Popular Cybersecurity Framework". National Institute of Standards and Technology. 12 February 2019. https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework. Retrieved 21 March 2023. 
  46. Perry, J. (16 April 2019). "Explaining the Breakout Success of the NIST Cybersecurity Framework". Infosecurity Magazine. Reed Exhibitions Limited. https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/. Retrieved 21 March 2023. 


Citation information for this chapter

Chapter: 2. What are the major regulations and standards dictating cybersecurity action?

Title: Comprehensive Guide to Developing and Implementing a Cybersecurity Plan

Edition: First

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: July 2020