Which Cyber Security Framework Is Best for Your Business?

Australia passed legislation to introduce large fines for privacy breaches, and although New Zealand isn't expected to make any changes yet, aligning to global standards will help all New Zealand organisations build better resilience.

There are a number of different cyber security frameworks available to reference that help to provide a structured, measurable and proactive approach to maturing your cyber security, protecting your assets and minimising the impact of cyber threats.

‍

What are some of the benefits of aligning to a cyber security framework?

Improving security posture

It goes without saying that aligning to a cyber security framework will enhance your business' security posture. Whether you start with a smaller framework or decide to tackle a large one, they all focus on security controls, policies, and procedures that will help strengthen your security posture and guide the implementation processes and systems that will improve your ability to prevent, detect, and respond to cyber threats. These frameworks help you understand your gaps, help you focus and prioritise where you should be allocating your budget, and help you establish an ongoing program to evaluate and monitor your security measures continually.

Trust

As the focus on the security and integrity of our supply chains continues, aligning with a framework is a great way to show your customers, stakeholders and partners that you take your security seriously. By investing in a program of work to align with a cyber security framework, you are demonstrating an intention to protect your systems and minimise the risk of compromise, showing you are committed to protecting your customers and their sensitive information.

A standardised approach

Aligning with cyber security frameworks provides easy access to industry-accepted good practices, guidelines, and controls. The different frameworks are well-documented and often have templates and tools available to help you track your progress. By aligning to a framework, you can establish a standardised approach to managing and improving your cybersecurity posture, ensuring consistency across different processes, departments, and systems and a common set of controls and processes that will be recognisable to your customers and your supply chain.

Risk management

With 'assume breach' now accepted as a realistic approach to cyber security, aligning with a framework helps you prepare for this eventuality. Having a framework will assist you in identifying and assessing the threats, vulnerabilities, and risks to your business. Once you understand your business-critical systems and their associated risks, you can prioritise and implement appropriate cyber security measures to mitigate these risks effectively and ultimately reduce the likelihood and impact of cyber incidents.

Meeting compliance requirements

Depending on your business and the nature of the information assets you hold, you may need to align with different legal and regulatory requirements around protecting these assets. At the very least, we are all responsible for keeping our employee's personal information safe as required by the New Zealand Privacy Act 2020. Aligning to a framework will help you build processes to protect your sensitive data and demonstrate compliance with the relevant regulatory requirements for your industry. Should a breach occur, demonstrating compliance with applicable laws and regulations can help you avoid penalties and reputational damage.

‍

Frameworks overview

Choosing the correct framework is going to depend on your resourcing, your budget and your needs. For most businesses, I recommend you start small as there is only so much you can do in a day's work. It's better to focus on the essential controls that will immediately improve your security posture. Even a small list of controls can mean multiple large-scale projects!

‍

New Zealand and Australian government frameworks

Luckily for us, the New Zealand and Australian governments have developed their own small frameworks that are great for getting started.

CertNZ Critical Controls

CERT NZ's critical controls are designed to help you decide where to spend your time and money. They have been developed based on data and insights they received from reports and international threat feeds.

Many of their controls start by encouraging you to identify your assets. This identification is fundamental in any security operation because it's difficult to protect systems and infrastructure if you don't know they exist.

The controls include patching software and systems, using multi-factor authentication, building security awareness with your employees, and offering a practical list of controls to focus on.

You can reference these controls here: CERT NZ's Critical Controls

ACSC Essential Eight

The Australian Cyber Security Centre's 'Essential Eight' provides recommendations around a minimum set of preventative measures to help mitigate cyber threats.

With the Essential Eight, four maturity levels are defined (maturity level zero through to maturity level three). The maturity levels are based on an increased ability for an organisation to mitigate more complex tactics and techniques used by malicious actors and provide a great roadmap for maturing your security posture over time.

The Essential Eight controls are technical controls that include restricting administrative privileges and regular backups.

You can reference the Essential Eight controls here: Essential Eight | Cyber.gov.au

‍

Global standards

If you're looking to benchmark your organisation's cyber security maturity against more global standards and have regulatory obligations that need to be met, then frameworks like NIST and ISO 27001 are both appropriate choices to align with.

NIST Cyber Security Framework

The NIST Cyber Security Framework is a widely leveraged cybersecurity framework developed by the United States National Institute of Standards and Technology (NIST).

The NIST CSF provides a flexible and voluntary framework that you can adopt to manage and reduce cyber security risk. It consists of a set of cyber security activities divided into five core functions: Identify, Protect, Detect, Respond, and Recover, plus implementation tiers to help you assess and track your maturity level over time and profiles to align the core functions with specific business requirements.

It's not for the faint-hearted; the framework covers 98 controls and is very in-depth. When we complete NIST Assessments for our customers, we allow three months to complete the audit activities to ensure we capture all the evidence for the 98 controls.

You can reference the NIST Cyber Security Framework here: Framework Documents | NIST

ISO 27001

The ISO 27001 is a standard for Information Security Management Systems (ICMS). An ICMS is a framework of policies, processes, procedures and controls used to manage and protect an organisation's information assets.

The ISO 27001 standard provides guidance for establishing, implementing, maintaining and continually improving an organisation's ICMS and proactively identifying and addressing weaknesses. It's an internationally recognised standard, making it the choice for organisations that want to have a globally recognised, comprehensive security certification.

The latest version of ISO 27001 was released in 2022 and covers four control areas, including organisational controls, people controls, physical controls and technological controls. There are 93 controls that are measured in ISO 27001:2022.

The process of having your organisation certified against ISO 27001 is complex and costly and requires a large investment of both money and stakeholder engagement.

You can reference the ISO 27001 standard here: ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection.

‍

Strategic/business approach framework

Suppose you want a less granular, more strategic approach to developing your cyber security priorities. In that case, the new Cyber Security Framework from the New Zealand National Cyber Security Centre is a bit different in that it doesn't provide a list of controls but instead provides a core set of Cyber Security functions to provide a high-level strategic view for managing cyber security risk alongside a set of cyber security outcomes related to each of the functions. I see this approach being useful for discussing your cyber security goals and needs across the wider organisation in plain language, relating the outcomes to business needs rather than technical deliverables.

NCSC Cyber Security Framework

The New Zealand National Cyber Security Center (NCSC) has released a beta of its new Cyber Security Framework with five functions representing the breadth of work needed to secure an organisation.

The framework is founded on the NIST framework but adds a local New Zealand perspective to address our diversity needs around securing Māori data and meeting Treaty partner's security expectations.

This new framework adapts from the NIST framework in two significant ways. Where the NIST framework details 22 categories and more than 100 sub-categories of activities under its five top-level functions, the NCSC framework focuses on describing what good outcomes look like for each top-level function rather than delving into the details of each one.

The framework's five functions are Guide & Govern, Identify & Understand, Prevent & Protect, Detect & Contain and Respond & Recover.

You can reference the beta documentation for this framework here: NCSC Cyber Security Framework | National Cyber Security Centre

‍

Additional resources

If you're looking for very prescriptive advice on what to configure to enable common processes and controls, there are two additional resources that are useful and can be used for reference alongside or instead of the frameworks mentioned above.

CIS Critical Security Controls

The Center for Internet Security (CIS) is a US-based not-for-profit organisation that draws on the expertise of cyber security and IT professionals from government, business, and academia worldwide to identify, develop, validate, promote and sustain best practice solutions for cyber defence. The CIS Critical Security Controls are a set of 18 prioritised safeguards to mitigate the most prevalent cyber-attacks against today's modern systems and networks and map to common frameworks such as NIST.

The CIS Benchmarks are configuration baselines and best practices for securing a system that provides actual guidance and recommendations on what configurations should be enabled or disabled for the relevant endpoint operating systems, including (but not limited to) Intune for Windows, Windows Server, Microsoft SharePoint, Docker, Kubernetes and Cloud Providers including AWS, Azure and Google Cloud.

CIS also provides access to free policy templates, including Asset Management, Configuration Management, Acceptable Use and Incident Response Policies for organisations starting from scratch.

You can reference the CIS Benchmarks here: CIS Benchmarks (cisecurity.org)

NZISM – New Zealand Information Security Manual

The New Zealand Information Security Manual was specifically written by the New Zealand Government to provide guidance on how government agencies should manage personnel, information, and physical security. Baseline controls detailed in the document are the minimum acceptable level of controls that should be applied to all government systems.

The manual defines explicitly what policies and configurations should be set and gives guidance on whether the controls are optional (should) or mandatory (must).

This manual has tended to lack the perspective of real world application and often fails to take into account user experience, but can be a great guideline of what to strive for.

You can reference the NZISM here ISM Document | New Zealand Information Security Manual (gcsb.govt.nz)

‍

Summary

The summary table below provides a quick view of the costs and complexity associated with each framework.

‍