Compliance and Confusion – Your Guide to Navigate the Most Common Frameworks and Regulations for Cyber Security
In this comprehensive guide we will go through the most common frameworks and regulations for Cyber Security, as there might be some confusion in how to apply them to the everyday work. The frameworks and regulations we will map out here are in the table of contents below. Use the links to navigate the article.
The confusion
If you buy a product, it normally gives you an opportunity or serves to solve one of your many problems. In the cyber security world, there are numerous problems and piles of (alleged) solutions. As with the highway to hell, it is also a world littered with good intentions. I say littered due to the fact that there is no single uniform framework to deal with – there are loads of them.
Governments have in the latter years become more active. This is because of an unhealthy level of tension in this world, combined with ever-higher reliance on the digital world for better, faster and more comprehensive basic and extended services. So, they are now finally adding their own piece of mind to this plethora of intentions – the difference this time around is that governments can enforce their roadmaps to create a safer digital world. We are talking gargantuan fines even potential jail time for not doing your due diligence with regards to the regulations of tomorrow’s resilience.
We believe this is a great thing, for many reasons. First and foremost, it will make everyone safer as the digital world will be hardened and as such more difficult to crack. River Security provides several services and products with this mission statement already, we want to help you be secure – we do this by offering Attack Surface Management (“ASM”), Continuous Threat Exposure Management (“CTEM”) and agile Penetration Testing through our platform Active Focus. We also offer post incident handling and CISOaaS to help you straighten your security posture.
The compliance
Now, whatever choice you have made in the past about which framework to be compliant to, certified or guided by – we see the need to clarify how we through our products help you do exactly that. Whether it is audits of your certification, government regulated audits post or pre incident or just your need to get an overview of which controllers/articles or measures you check through purchasing our products, we want you to find your framework, your regulation or guidelines listed in an accessible and easy to use overview.
Therefore we have mapped out all of our services to the most common frameworks: CIS 18, ISO27001,NIST CSF, NIST 800-53 and “NSM’s grunnprinsipper”. Furthermore, this fall and winter will see the onset of DORA and NIS2 – both quite comprehensive EU directives that will be applicable from earliest October 2024 and January 2025.
To read more about each individual framework or regulation, please follow the links above. This is the least we can do, as cyber security experts, we want to help you help yourself and not least be compliant. We see this as a way to enhance the daily work of our cyber security professionals, as the endless work often boils down to ticking of a box that allows you to be compliant rather than confused.
Best of luck navigating this challenging terrain!
DORA – The Digital Operational Resiliency Act
DORA, this will shake things up, the requirements are sensible but comprehensive. There are five pillars of DORA:
- IT Risk Management
- Third Party Risk Management
- Digital Operational Resilience Testing
- Information Sharing
- IT Incident Reporting
This regulation mandates a comprehensive approach to ICT risk management, incident reporting, digital operational resilience testing, and managing ICT third-party risk. The provisions of DORA, such as those detailed in Articles 5 to 15, require financial entities to establish a well-documented ICT risk management framework that includes policies, procedures, and tools to protect information and ICT assets (Article 6(1)).
Pillars Described – Getting Started
Of these some are challenging where as others are more easily solved. Incident Reporting is considered easily solved by creating some templates and Standard Operation Procedures (“SOP”s) in tandem with you Incident Response (“IR”) provider. In River Security we take pride in having an experienced and solid team that will help you do this and then stand on the ready if something happens.
Information Sharing needs some policies on the how, what and who but shouldn’t need too much engineering. Ideally information sharing will be implemented via well-known protocols such as Trusted Automation eXchange of Intelligence Information (“TAXII“) and Structured Threat Intelligenxe eXpression (“STIX“).
DORA vamps up the frequency and scope of Digital Operational Resilience Testing quite a bit. However, here we are talking higher costs but also a much more sensible and effective testing. The “once a year” de facto rule so far is will now be set in law, for parts of or all your digital assets? Every three years an “advanced” pentest is required, Threat Lead Penetration Testing (“TLPT”) which will be administered through TIBER is next level. White, Blue or Purple team working in tandem with a Red Team who’s scope will be much broader – this should be reflected in your yearly pentests to ease post test work. If you are an Active Focus client, hosting and providing these learning opportunities will be easier as our Threat Intelligence Managers are well equipped to be bridges between attackers and defenders.
Third Party Risk Management sets new standards your suppliers must adhere to, but furthermore the levels of overview and knowledge you must have of them and their place in your own digital operation is very high. Active Focus in combination with a responsibility matrix between third party and yourself will give you a great overview of which ones you have, their space on your attack surface and the resilience they offer.
IT Risk Management, frameworks are no longer optional and you will be audited. Most popular frameworks should allow you to be compliant here, such as ISO 27001 and NIS CSF, but implementing one and keeping things up to date is quite the chore. With the emphasis on operational resilience testing, meaning continues ongoing testing with good feedback loops we see that the bar is raised. River Security believes that this type of focus on finding potential points of failure, keeping operational track of risk when doing changes and identifying exactly where you are exposed is key to a great security posture – this is what Active Focus was designed for.
So, in short, we all have a lot of work ahead of us. We believe this work will have great dividends, the requirements are tough and rigorous and we believe we can help you with much of it, IR, Third Party Risk Management and easing the IT Risk management overall. Have a look at our compliance matrix, to see if we give you something you now are lack
NIS2 – The Network and Information Regulation
The NIS2 Directive, officially titled DIRECTIVE (EU) 2022/2555, outlines measures to achieve a high common level of cybersecurity across the Union. It mandates that Member States adopt national cybersecurity strategies and establish competent authorities, cyber crisis management authorities, single points of contact, and computer security incident response teams (CSIRTs) (Article 1). This directive applies to a broad range of public and private entities, including medium-sized enterprises and essential service providers, such as public electronic communications networks, trust service providers, and top-level domain name registries (Article 2).
External Attack Surface Management (EASM) is critical for compliance with NIS2, particularly in vulnerability management and incident prevention (Article 21). EASM services help organizations continuously monitor their external attack surface, identify new assets, and conduct vulnerability scanning. This proactive approach allows organizations to address vulnerabilities before they can be exploited, thus adhering to the directive’s requirement for risk analysis and information system security policies. Additionally, EASM can identify third-party risks, ensuring that supply chain security, a key component of the directive, is maintained.
Chief Information Security Officer as a Service (CISOaaS) is instrumental in helping organizations develop and implement the policies and procedures required by NIS2. A CISOaaS can guide the creation of comprehensive cybersecurity risk-management measures, which include incident handling, business continuity, and crisis management (Article 21). This service ensures that the management bodies of essential and important entities approve and oversee the implementation of these measures, fostering a culture of accountability and continuous improvement within the organization.
Internal Penetration Testing is another critical service for NIS2 compliance, focusing on the internal security posture of the organization. By simulating attacks from within, internal penetration testing can uncover hidden vulnerabilities and risks that external testing might miss. This aligns with the directive’s emphasis on thorough risk analysis and vulnerability management (Article 21). Regular internal penetration testing helps organizations to continuously improve their cybersecurity defenses and ensure that their internal network and information systems are secure.
Incident Response (IR) services are crucial for organizations to meet the reporting and response requirements of NIS2 (Article 23). In the event of a cybersecurity incident, IR services provide rapid containment, investigation, and recovery, helping to minimize the impact on the organization and its stakeholders. By leveraging third-party IR capabilities, organizations can ensure that they have the expertise and resources needed to handle incidents effectively, thereby maintaining compliance with the directive’s stringent incident reporting and management obligations.
In summary, achieving compliance with the NIS2 Directive requires a multifaceted approach that includes continuous monitoring, robust policy development, thorough internal testing, and effective incident response. Services such as EASM, CISOaaS, internal penetration testing, and IR are essential tools for organizations to meet the directive’s requirements and maintain a high level of cybersecurity. By integrating these services, organizations can not only achieve compliance but also enhance their overall security posture, ensuring resilience against cyber threats.
ISO 27001 – Plan, Do, Check, Act: A Steering System for Information Security
ISO/IEC 27001 is a cornerstone in the realm of information security management systems (ISMS), offering a comprehensive framework that medium and enterprise-sized companies can adopt to enhance their cybersecurity posture. This standard specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization’s overall risks. Among its key elements are the assessment and treatment of information security risks, ensuring that companies are well-prepared to handle any threats to the confidentiality, integrity, and availability of their information assets.
External Attack Surface Management (EASM) is an essential service to align with ISO/IEC 27001’s requirement for continuous risk assessment and management (Clause 6.1.2). EASM provides continuous vulnerability scanning, identification of new assets, and penetration testing on each change, which helps in proactively identifying and mitigating risks. By integrating EASM, companies can comply with the standard’s demand for a documented information security risk assessment process that is consistent and produces valid results. Additionally, EASM’s offensive SOC capabilities can help in maintaining an updated inventory of information and assets, aligning with control 5.9 in Annex A.
Chief Information Security Officer as a Service (CISOaaS) is another critical component that supports compliance with ISO/IEC 27001, particularly in fulfilling leadership and commitment requirements (Clause 5.1). A CISOaaS can aid organizations in developing and implementing information security policies, procedures, and documentation necessary for ISMS. This service ensures that the information security objectives are compatible with the strategic direction of the organization and that the ISMS requirements are integrated into the organization’s processes. The expert consultant’s guidance can help achieve ongoing compliance and continual improvement, as specified in Clause 10.1.
Internal Penetration Testing aligns with the need for internal audits and performance evaluations (Clause 9.2) as well as information security risk assessment and treatment (Clauses 6.1.2 and 6.1.3). Conducting regular internal penetration tests enables organizations to uncover hidden vulnerabilities and assess the effectiveness of their internal controls. This practice ensures that the internal issues affecting the ISMS are identified and addressed, facilitating the continual improvement of the system. Internal Penetration Testing supports the organization’s efforts to meet the requirements of Annex A controls such as 5.27, which emphasizes learning from information security incidents to strengthen controls.
Incident Response (IR) services are crucial in meeting the standard’s requirements for responding to information security incidents (Clause 8.2 and 8.3). IR services provide the expertise needed to contain, mitigate, and recover from incidents, ensuring that organizations can swiftly return to normal operations. This aligns with Annex A controls like 5.26 and 5.29, which mandate documented procedures for incident response and maintaining information security during disruptions. The IR service helps companies manage and document their response to incidents, meeting the standard’s requirements for corrective actions and continual improvement (Clause 10.2).
In summary, achieving compliance with ISO/IEC 27001 involves a comprehensive approach that incorporates various cybersecurity services. EASM helps with ongoing risk assessments and asset management, while CISOaaS ensures robust policy and strategic alignment. Internal Penetration Testing aids in identifying and mitigating internal vulnerabilities, and IR services provide essential support for incident management and recovery. By leveraging these services, medium and enterprise-sized companies can enhance their information security posture and ensure ongoing compliance with ISO/IEC 27001.
CIS18 – Center for Information Security Top 18 Critical Controls
The CIS Top 18 Controls framework provides a comprehensive set of guidelines to enhance the security posture of medium and enterprise-sized companies. These controls are essential for establishing robust cybersecurity practices and mitigating risks associated with various assets, including hardware, software, and data. To achieve compliance with these controls, companies can leverage a range of cybersecurity services, such as External Attack Surface Management (EASM), Chief Information Security Officer as a Service (CISOaaS), Internal Penetration Testing, and Incident Response (IR).
The first control emphasizes establishing and maintaining an accurate inventory of all enterprise assets. This aligns well with EASM, which continuously monitors and updates the asset inventory, including end-user devices, network devices, IoT devices, and cloud environments. EASM’s real-time vulnerability scanning and detection of unauthorized assets ensure that the inventory is up-to-date and secure (CIS Control 1). Additionally, EASM helps identify third-party risks, providing an offensive SOC capability to preemptively identify potential incidents.
CISOaaS plays a crucial role in helping companies develop and maintain policies and procedures required for compliance with the CIS Controls. For instance, Control 2 requires establishing and maintaining a software inventory, ensuring only authorized and supported software is used. A CISOaaS consultant can help build and document the necessary processes to manage software assets, address unauthorized software, and utilize automated inventory tools to detect and respond to software vulnerabilities (CIS Control 2). This service ensures that companies have a structured approach to managing their software assets and mitigating associated risks.
Internal Penetration Testing complements the EASM by focusing on identifying vulnerabilities within the internal network. This service helps uncover hidden assets, configuration issues, and other security gaps that could be exploited by attackers. Regular internal penetration tests ensure that companies are aware of their internal security posture and can take corrective actions to mitigate risks. This aligns with Control 18, which emphasizes the importance of establishing and maintaining a penetration testing program, including periodic internal and external tests (CIS Control 18).
Incident Response (IR) capabilities are critical for managing and recovering from security incidents. IR services provide containment, eradication, and recovery support, ensuring that companies can quickly return to normal operations after an incident. This service aligns with several CIS Controls, including Control 17, which focuses on establishing and maintaining an incident response process, designating personnel for incident handling, and conducting post-incident reviews. By leveraging IR services, companies can ensure they are prepared to respond effectively to security incidents and minimize the impact on their operations.
In summary, the CIS Top 18 Controls provide a robust framework for enhancing cybersecurity in medium and enterprise-sized companies. By leveraging services such as EASM, CISOaaS, Internal Penetration Testing, and IR, companies can achieve compliance with these controls and significantly improve their security posture. These services work together to provide comprehensive coverage of asset management, software inventory, vulnerability identification, and incident response, ensuring that companies are well-prepared to address the evolving threat landscape.