Popular Frameworks Flashcards
CIS v8
This is a generalist cybersecurity framework, which means it covers more than just cybersecurity for application development. It is intended for organizations of any size, and many of its controls include best practices for safeguarding your employees’ devices. It is primarily self-attestation (the organization states that it follows the controls and provides proof at its own discretion) as opposed to third-party attestation (a certified assessor or auditor reviews your environment and confirms, for a fee, that you are following the controls). CIS has historically been a self-attestation framework; it recently introduced options for third-party attestation, but the vast majority of organizations that follow CIS v8 choose to self-attest because it is less expensive.
NIST CSF 2.0
NIST is considered the authority on cybersecurity best practices, and NIST CSF 1.0 was among the most popular cybersecurity frameworks worldwide until CSF 2.0 debuted in March of 2024. Organizations that previously followed CSF 1.0’s guidance will pivot to the updated version over the next two years. CSF stands for Cybersecurity Framework, and like CIS v8, it is a generalist framework for organizations of any size. It is a self-attestation framework with clearly defined examples of how its controls should be implemented.
SOC2
SOC2 (System and Organization Controls) is one of the more popular frameworks internationally, and it is particularly popular with organizations that develop software or provide software as a service. It is an annual, third-party attestation process that requires an observation period of between 6 and 12 months. It may be prohibitively expensive for smaller organizations, as the cost is typically between 20,000 and 40,000 dollars. If smaller MSPs are considering SOC2 for their own compliance, they may be unaware of the associated costs; you can suggest a self-attestation framework as an alternative.
ISO 27001
The International Organization for Standardization has created hundreds of frameworks for different industries, and ISO 27001 is its framework for information security, cybersecurity and privacy protection. Like SOC2, it is an annual third-party attestation that is typically used by companies that create software or provide software as a service. It is used worldwide by organizations of any size, but the cost of third-party attestation may be prohibitively expensive for smaller MSPs.
FTC Safeguards
This is also called the Gramm-Leach-Bliley Act, as it is a law that requires any organization in the US that offers financial services/advice or insurance to disclose its information-sharing practices and to safeguard its customers’ data. These controls are required by the FTC, but they are not audited unless an organization experiences a breach; if it is then determined that the organization did not follow the controls, it will suffer a penalty.