Course: Security Frameworks Fundamentals

Major security frameworks

There are an overwhelming number of security resources available online. Determining which ones to use in which scenario can seem daunting. But if you break it down by your organization's needs, you are sure to find something that will help you improve your security program. Some frameworks are more comprehensive, while others are industry- or domain-specific. We aren't going to cover all of them (that would take a really long time), but we will certainly touch on many.

In a recent industry survey, there were four clear leaders in terms of the most highly adopted security frameworks: PCI, the CIS security controls, ISO 27001, and the NIST 800-53 framework. PCI is an industry-specific framework required for anyone accepting payment cards. You got it, friends: all that plastic in your wallet? It's covered by this framework. The CIS security controls are based on high-level business discussions. They cover security controls by grouping them into 18 critical factors to consider, using business-friendly terms. ISO 27001, on the other hand, is a globally recognized organization with a comprehensive framework that covers all of the security controls found within an information security management system. Finally, there's NIST 800-53, a comprehensive set of controls, as you can see. US federal agencies are required to follow this framework, and any companies doing business with them are encouraged to do so as well.

Determining the best framework to adopt relies on many factors. Choosing the right one means selecting the framework that fits your organization's unique security needs. Pause this video right now and really think about this. Write down a few notes about what's important for your organization. As you consider, think about your organization's internal business objectives. Perhaps it is a compliance requirement for a certain regulation, or, if you've done a risk analysis, maybe it's around the results of that. Determine whether you require more policy-based controls or more technical controls for your organization. Finally, looking at industry best practices and how to apply them can work for you as well.

Each framework has pros and cons. They vary in their objectives and approaches, but rely on the same foundational principles. We'll deep dive into each of them a bit later. Organizations vary in size, complexity, and maturity. Choosing the framework that matches your requirements is paramount to achieving a security posture your organization can support and thrive under. Using a mixture of frameworks in a hybrid way is okay, too. It adds flexibility. Combining best practices from multiple frameworks can help meet specific functional requirements. Don't forget to think about including stakeholders from other departments during this process as well. Determining the needs of your organization is a precursor to aligning to one or several frameworks.
