A cybersecurity framework is a comprehensive set of guidelines that help organizations define cybersecurity policies to assess their security posture and increase resilience in the face of cyberattacks. Cybersecurity frameworks formally define security controls, risk assessment methods, and appropriate safeguards to protect information systems and data from cyberthreats. While originally developed with large organizations and service providers in mind, cybersecurity frameworks can also be a valuable source of security best practices for medium and small businesses. Let’s have a look at the reasons for using a cybersecurity framework and see how you can find best-practice cybersecurity processes and actions to apply to web application security.
Why Cybersecurity Frameworks Were Developed
Cyberthreats have become a part of everyday life across the world, and a successful cyberattack, such as a denial of service or data breach, can have serious social, economic or even political consequences. Maintaining cybersecurity is now crucial for the operation of not only modern businesses and their supply chains, but also government institutions, markets, and entire economies. Data security and privacy are also high on the agenda, with the protection of personal data fast becoming a major concern for businesses, lawmakers, and the general public.
As public and private organizations of all sizes were having to deal with the same cybersecurity events and challenges, it became clear that a common cybersecurity framework would benefit everyone by recommending best-practice policies, protective technologies, and specific activities related to information security and cybersecurity in general. Any organization’s internal policy will include at least some of those activities, and having a ready framework would be invaluable at the planning stage, especially as organizations may lack the resources or technical competences to design their own policies from scratch.
Commonly Used Cybersecurity Frameworks
A cybersecurity framework can be any document that defines procedures and goals to guide more detailed cybersecurity policies. Existing documents that contain cybersecurity guidelines include:
- The NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology, this is probably the most widely used document for cybersecurity policy and planning.
- ISO 27001 Information Security Management: The International Organization for Standardization’s guidelines for information security management systems (ISMS).
- CIS Critical Security Controls for Effective Cyber Defense (CIS Controls): A framework of prioritized actions to protect organizations from known cyberthreats.
- Risk management frameworks: Documents such as NIST’s Risk Management Framework (NIST SP 800-37 Rev. 2) or the ISO 27005:2018 standard (Information Security Risk Management) focus on risk management strategies, including risks related to cybersecurity.
- Industry-specific frameworks: Many industries have their own security standards that are required or recommended for these sectors, such as PCI DSS for electronic payment processing, HIPAA rules for healthcare, or COBIT for IT management and governance.
A Closer Look at the NIST Cybersecurity Framework
In 2013, a presidential executive order was issued in the United States, calling for a standardized cybersecurity framework that would describe and structure activities related to cybersecurity. In response, NIST developed the Framework for Improving Critical Infrastructure Cybersecurity, commonly called the NIST Cybersecurity Framework (CSF). It is a comprehensive policy document intended to help organizations better manage and reduce cybersecurity risk and to facilitate communication about risk and cybersecurity management. While the CSF was initially intended for companies managing critical infrastructure in the US private sector, it is now widely used by public and private organizations of all sizes.
The NIST CSF is divided into three main components to assist adoption by organizations:
- Framework core: This is the main informational part of the document, defining common activities and outcomes related to cybersecurity. Core information is divided into functions, categories, and subcategories.
- Framework profile: A subset of core categories and subcategories that an organization has chosen to apply based on its needs and risk assessments.
- Implementation tiers: A set of implementation levels intended to help organizations define and communicate their risk management approach and the level of risk they have identified in their specific business environment.
The framework core provides a clear structure of cybersecurity management processes, with five main functions: Identify, Protect, Detect, Respond, and Recover. For each function, multiple categories and subcategories are defined, and organizations can pick and mix to put together a set of items corresponding to their individual risks, requirements, and expected outcomes. Functions and categories have unique identifiers, so for example Asset Management within the Identify function is ID.AM, and Response Planning within the Respond function is RS.RP.
Each category includes a number of subcategories corresponding to specific activities, this time with numerical identifiers. For example, the subcategory "Detection processes are tested", which belongs to the Detection Processes category of the Detect function, is identified as DE.DP-3. Subcategories are accompanied by informative references to the relevant sections of standards documents, allowing quick access to normative guidelines for each action.
How to Apply the NIST Framework to Web Application Security
By its very nature, the NIST CSF has an extremely broad scope and covers far more activities than most organizations are going to need. To apply the framework to web application security, you can start by analyzing each of the five functions in the context of your existing and planned security activities and risk management processes. Then, you can select the categories and subcategories relevant to your specific needs and use them as the backbone of your own security policy to ensure you will cover all the required cybersecurity activities. For basic web application security, a skeleton cybersecurity policy would include at least the following subcategories for each function:
- ID.AM-2: Software platforms and applications within the organization are inventoried
- ID.RA-1: Asset vulnerabilities are identified and documented
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- PR.DS-2: Data-in-transit is protected
- PR.IP-10: Response and recovery plans are tested
- DE.AE-2: Detected events are analyzed to understand attack targets and methods
- DE.CM-8: Vulnerability scans are performed
- RS.RP-1: Response plan is executed during or after an incident
- RS.AN-1: Notifications from detection systems are investigated
- RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
- RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
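The skeleton profile above is only useful if it really spans all five functions, and the identifier scheme described earlier (function.category-number) makes that easy to check mechanically. The following Python script is an added example, not code from the original article or from NIST: it parses CSF subcategory identifiers, rejects malformed or unknown ones, groups the selected subcategories by function, and reports any function left without coverage. The category code table is the CSF 1.1 set as assumed here; the sample profile is the list of subcategories given above, and the second, deliberately incomplete profile is constructed for illustration.

```python
import re
from collections import defaultdict

# CSF 1.1 function codes, in the order the framework lists them.
CSF_FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Category codes defined under each function in CSF 1.1 (assumed table, see lead-in).
CSF_CATEGORIES = {
    "ID": {"AM", "BE", "GV", "RA", "RM", "SC"},
    "PR": {"AC", "AT", "DS", "IP", "MA", "PT"},
    "DE": {"AE", "CM", "DP"},
    "RS": {"RP", "CO", "AN", "MI", "IM"},
    "RC": {"RP", "IM", "CO"},
}

# Identifier shape: two-letter function, dot, two-letter category, dash, number (e.g. DE.DP-3).
_ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")


def parse_subcategory_id(ident):
    """Split 'DE.DP-3' into ('DE', 'DP', 3); raise ValueError for malformed or unknown ids."""
    match = _ID_RE.match(ident.strip())
    if not match:
        raise ValueError(f"malformed CSF identifier: {ident!r}")
    func, cat, num = match.group(1), match.group(2), int(match.group(3))
    if func not in CSF_FUNCTIONS:
        raise ValueError(f"unknown CSF function {func!r} in {ident!r}")
    if cat not in CSF_CATEGORIES[func]:
        raise ValueError(f"category {cat!r} is not defined under function {func!r} ({ident!r})")
    return func, cat, num


def is_valid_subcategory_id(ident):
    """Boolean wrapper around parse_subcategory_id for quick filtering."""
    try:
        parse_subcategory_id(ident)
        return True
    except ValueError:
        return False


def build_profile(ids):
    """Group validated subcategory ids by function: {'ID': ['ID.AM-2', ...], ...}."""
    profile = defaultdict(set)
    for ident in ids:
        func, cat, num = parse_subcategory_id(ident)
        profile[func].add(f"{func}.{cat}-{num}")
    return {func: sorted(members) for func, members in profile.items()}


def missing_functions(profile):
    """Return the function codes that the profile does not cover at all."""
    return [func for func in CSF_FUNCTIONS if func not in profile]


# The skeleton web application security profile listed in the article.
SKELETON_PROFILE = [
    "ID.AM-2", "ID.RA-1",
    "PR.AC-4", "PR.DS-2", "PR.IP-10",
    "DE.AE-2", "DE.CM-8",
    "RS.RP-1", "RS.AN-1",
    "RC.RP-1", "RC.CO-3",
]

# Constructed example of a profile that stops at Respond and never plans for recovery.
PARTIAL_PROFILE = ["ID.AM-2", "PR.DS-2", "DE.CM-8", "RS.RP-1"]


if __name__ == "__main__":
    for name, ids in (("skeleton", SKELETON_PROFILE), ("partial", PARTIAL_PROFILE)):
        profile = build_profile(ids)
        gaps = missing_functions(profile)
        print(f"{name} profile:")
        for func, members in profile.items():
            print(f"  {CSF_FUNCTIONS[func]:<8} {', '.join(members)}")
        print("  uncovered functions:", ", ".join(CSF_FUNCTIONS[f] for f in gaps) or "none")
```

Running the script prints both profiles grouped by function and flags that the constructed partial profile has no Recover subcategory. The same check is a convenient gate to put in a policy review: any profile that leaves a function empty should be justified explicitly rather than silently accepted.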
Cybersecurity frameworks, such as the NIST framework, provide a detailed outline of all aspects of cybersecurity planning, implementation, and response. By selecting relevant actions (subcategories) for each fundamental function, organizations can build custom cybersecurity policies tailored to their business and compliance requirements. By combining standards-based policies with enterprise web security best practices and leading web application security solutions, you can ensure effective cybersecurity risk management with repeatable results.