There is a notable increase in the adoption of industry-recognised frameworks, standards and best practices, as many organisations have embraced cyber security compliance as a structured approach to managing their cyber security programmes and strategies. Some of these include, but are not limited to:
- ISO/IEC 27001 – An international standard that describes best practice for an ISMS (Information Security Management System);
- ISO/IEC 27002 – A supplementary standard to ISO/IEC 27001 that provides advice on how to implement the security controls listed in Annex A of ISO/IEC 27001;
- National Institute of Standards & Technology Cybersecurity Framework (NIST CSF) – Provides a high-level taxonomy of cyber security outcomes and a methodology to assess and manage those outcomes;
- Control Objectives for Information and Related Technology (COBIT) – A high-level framework focused on identifying and mitigating risk. Initially developed for IT governance professionals to reduce technical risk, it has evolved into a standard for aligning IT with business goals;
- Center for Information Security (CIS) – Formed in October 2000. Its mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defence and build and lead communities to enable an environment of trust in cyber space";
- Information Security Forum (ISF) – An independent information security body. The ISF delivers a range of content, activities and tools and is a paid membership organisation; and
- Industry-specific standards such as the Payment Card Industry Data Security Standard (PCI-DSS) for credit card handling.
However, it is important to note that cyber security extends beyond alignment with one (or several) cyber security frameworks, standards and best practices. Even the most mature environments, with managed or even optimised compliance implementations, fall victim to cyber attacks.
According to an analysis conducted by CyberSec, 83% of the organisations analysed that had mature cyber security compliance were still considered to have significant room for improvement following an ethical hacking (penetration testing) exercise.
This is predominantly because compliance takes a broad-spectrum approach to the key controls within an organisation's control environment. It should therefore not be ignored, disregarded or set aside, but rather embraced and supported with additional, specific cyber security measures and controls.
Equally, from the opposing viewpoint, an organisation with leading security technology supported by qualified subject-matter experts may also find itself short-changed with regard to its cyber security maturity.
This is usually because the core, fundamental controls (usually addressed from a compliance standpoint) are absent or poorly implemented, which exposes the organisation to unnecessary risk despite the significant investment in people and technology.
It is therefore critical that businesses embrace cyber security compliance, but also ensure it is supported by additional controls, assessments and technologies that are fit for purpose. Do not rely on compliance alone for cyber security risk assurance. Ensure that your approach to cyber security encompasses all areas of the business, collectively bringing together a synchronised and robust cyber security programme that covers people, process and technology.
CyberSec
CyberSec (Pty) Ltd is a specialist advisory and solutions company made up of cyber security subject matter experts that assists organisations in identifying and minimising their cyber security risk.
CyberSec offers a business-enabling, enterprise-wide information security competency based on controls that are "baked into" every service offering, enabling the business to reduce organisational exposure to security threats and vulnerabilities and ensure compliance with applicable legal and regulatory requirements as well as international best practice security standards. This is aimed at producing effective, independently validated controls delivered through fit-for-purpose and cost-effective security initiatives that promote business ownership and stakeholder buy-in, creating confidence in the ability to respond effectively to security incidents, ultimately leading to exceptional customer trust and improved overall IT governance.
Web: www.cybersec.co.za
CyberSec (Pty) Ltd – Being Part of The Solution