0xnhl

Security Frameworks

Created: 1/12/2026 Updated: 1/12/2026
#gcpc #cybersec #grc

Security frameworks and controls

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Purpose of security frameworks

  • Protecting PII
  • Securing financial information
  • Identifying security weaknesses
  • Managing organizational risks
  • Aligning security with business goals

Core components of security frameworks

  1. Identifying and documenting security goals
  2. Setting guidelines to achieve security goals
  3. Implementing security processes
  4. Monitoring and communicating results

Security frameworks cover the following areas:

  • Governance (e.g., ISO 27001, COBIT)
  • Risk Management (e.g., NIST RMF, FAIR)
  • Compliance (e.g., HIPAA, PCI-DSS)
  • Controls and Standards (e.g., CIS, NIST CSF)
  • Threat modeling and mapping (e.g., MITRE ATT&CK)

CIA Triad

NIST Cybersecurity Framework (CSF)

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

NIST CSF components: Core, Tiers, Profiles

Core

The CSF core is a set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of six functions, or parts: Identify, Protect, Detect, Respond, Recover, and Govern.

  1. Identify: Management of cybersecurity risk and its effect on an organization’s people and assets.
  2. Protect: The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats.
  3. Detect: Identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detection.
  4. Respond: Making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implementing improvements to the security process.
  5. Recover: The process of returning affected systems to normal operation.
  6. Govern

Tiers

The CSF tiers are a way of measuring the sophistication of an organization’s cybersecurity program. CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest, indicating that only a limited set of security controls has been implemented. Overall, CSF tiers are used to assess an organization’s security posture and identify areas for improvement.

Profiles

The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Implementing the CSF

  • Create a current profile of the security operations and outline the specific needs of your business.
  • Perform a risk assessment to identify which of your current operations are meeting business and regulatory standards.
  • Analyze and prioritize existing gaps in security operations that place the business’s assets at risk.
  • Implement a plan of action to achieve your organization’s goals and objectives.
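
The four steps above (current profile, risk assessment, gap prioritization, plan of action) can be sketched as a small profile comparison. The script below is an added example, not code from these notes or from NIST: it assumes a current and a target profile expressed as a tier (1 to 4, as in the Tiers section) per CSF function, plus an assessor-supplied risk weight per function standing in for the risk assessment, and it produces the prioritized gap list that feeds a plan of action. The profile and weight values are constructed sample data.

```python
"""Toy NIST CSF profile gap analysis (constructed example, not NIST tooling)."""
from dataclasses import dataclass

# The six CSF functions named in these notes.
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")
MIN_TIER, MAX_TIER = 1, 4  # CSF tiers are scored 1 (lowest) to 4


@dataclass(frozen=True)
class Gap:
    """One function where the current tier falls short of the target tier."""
    function: str
    current: int
    target: int
    risk_weight: int  # assumed 1-5 weight from the risk assessment (hypothetical scale)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Bigger gaps on higher-risk functions float to the top of the plan.
        return self.size * self.risk_weight


def validate_profile(profile: dict) -> None:
    """Reject profiles that miss a function or use an out-of-range tier."""
    missing = set(FUNCTIONS) - set(profile)
    if missing:
        raise ValueError(f"profile is missing functions: {sorted(missing)}")
    for fn, tier in profile.items():
        if fn not in FUNCTIONS:
            raise ValueError(f"unknown CSF function: {fn}")
        if not MIN_TIER <= tier <= MAX_TIER:
            raise ValueError(f"{fn}: tier {tier} outside {MIN_TIER}..{MAX_TIER}")


def gap_analysis(current: dict, target: dict, risk_weights: dict) -> list:
    """Return gaps between current and target profile, highest priority first."""
    validate_profile(current)
    validate_profile(target)
    gaps = [
        Gap(fn, current[fn], target[fn], risk_weights.get(fn, 1))
        for fn in FUNCTIONS
        if target[fn] > current[fn]  # already at or above target: no gap
    ]
    # Order by priority, then gap size, then name so the result is deterministic.
    return sorted(gaps, key=lambda g: (-g.priority, -g.size, g.function))


def plan_of_action(gaps: list) -> list:
    """Turn the ordered gaps into plain action items."""
    return [
        f"{g.function}: raise Tier {g.current} -> Tier {g.target} (priority {g.priority})"
        for g in gaps
    ]


# Constructed sample profiles and risk weights (not real assessment data).
CURRENT_PROFILE = {"Govern": 1, "Identify": 2, "Protect": 2,
                   "Detect": 1, "Respond": 2, "Recover": 1}
TARGET_PROFILE = {"Govern": 3, "Identify": 3, "Protect": 3,
                  "Detect": 3, "Respond": 3, "Recover": 2}
RISK_WEIGHTS = {"Govern": 3, "Identify": 2, "Protect": 5,
                "Detect": 4, "Respond": 2, "Recover": 3}

if __name__ == "__main__":
    for item in plan_of_action(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS)):
        print(item)
```

With the sample data, Detect comes out first (two tiers short on a high-weight function) and the two single-tier, low-weight gaps (Identify, Respond) last; that ordering is the "analyze and prioritize" step, and the printed lines are the skeleton of the plan of action.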

The NIST CSF is complemented, for the United States federal government, by NIST Special Publication 800-53 (SP 800-53). It provides a unified framework for protecting the security of information systems within the federal government, including systems provided by private companies for federal government use.

Other frameworks

  • NIST Risk Management Framework (RMF)
  • The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
  • The Federal Risk and Authorization Management Program (FedRAMP®)
  • Center for Internet Security (CIS®)
  • General Data Protection Regulation (GDPR)
    GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy, both inside and outside E.U. territory.
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Health Insurance Portability and Accountability Act (HIPAA) - 1996
  • International Organization for Standardization (ISO)
  • System and Organization Controls (SOC Type 1, SOC Type 2)
    The American Institute of Certified Public Accountants® (AICPA) Auditing Standards Board developed this standard. SOC 1 and SOC 2 are a series of reports that focus on an organization’s user access policies at different organizational levels.

Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors’ many tactics and techniques.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

ISO/IEC 27001 is an internationally recognized and widely used framework. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, along with best practices and controls that support an organization’s ability to manage risk. Although ISO/IEC 27001 does not mandate the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.