
🔒Cybersecurity and Cryptography

Cybersecurity Frameworks

Why This Matters

Cybersecurity frameworks aren't just bureaucratic checklists—they're the strategic blueprints that organizations use to defend against real-world attacks. When you're tested on this material, you're being evaluated on your understanding of risk management approaches, compliance requirements, and how different frameworks address different security challenges. The key is recognizing that each framework emerged to solve specific problems: some focus on general risk management, others on industry-specific compliance, and still others on understanding attacker behavior.

Don't just memorize framework names and their acronyms. Instead, focus on what problem each framework solves, who uses it, and how frameworks complement each other. An FRQ might ask you to recommend frameworks for a specific scenario—a healthcare organization, a payment processor, or a government agency. Knowing the underlying purpose of each framework will help you make those connections quickly and confidently.


Risk Management Frameworks

These frameworks provide comprehensive approaches to identifying, assessing, and mitigating cybersecurity risks. They focus on the continuous process of understanding threats and implementing appropriate controls based on organizational risk tolerance.

NIST Cybersecurity Framework

  • Core functions: Identify, Protect, Detect, Respond, Recover (the five functions of CSF 1.1), with CSF 2.0 (released 2024) adding Govern as a sixth for strategy, roles, and risk oversight. This lifecycle approach covers the full spectrum of security activities from prevention through incident recovery
  • Voluntary and flexible design makes it adaptable to organizations of any size or industry, not prescriptive about specific technologies
  • Risk-based approach encourages continuous improvement rather than one-time compliance, making it ideal for maturing security programs

NIST SP 800-53

  • Comprehensive control catalog for federal information systems: hundreds of security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and Incident Response (IR)
  • Required for federal agencies and contractors handling government data under FISMA (FedRAMP cloud baselines are built on it), making it essential knowledge for public sector security roles
  • Control baselines (Low, Moderate, High) give a starting set of controls chosen from the system's FIPS 199 impact level, which organizations then tailor to their risk assessment

COBIT

  • IT governance framework that aligns security with business objectives—bridges the gap between technical controls and executive decision-making
  • Enterprise-focused approach covers not just security but overall IT management, including resource optimization and stakeholder value delivery
  • Maturity and capability models (capability levels in COBIT 2019) help organizations benchmark their current state and plan improvement roadmaps

Compare: NIST CSF vs. NIST SP 800-53—both come from NIST, but CSF is a flexible, voluntary framework for any organization, while SP 800-53 is a detailed control catalog primarily for federal systems. If an FRQ asks about government compliance, SP 800-53 is your answer; for general enterprise risk management, go with CSF.


International Standards and Certification

These frameworks provide globally recognized standards that organizations can certify against, demonstrating their security commitment to customers, partners, and regulators.

ISO/IEC 27001

  • International standard for Information Security Management Systems (ISMS)—the most widely recognized global security certification
  • Certification requires third-party audits to verify that organizations have implemented and maintain appropriate security controls
  • Risk assessment methodology drives control selection, ensuring security measures match actual organizational threats rather than generic checklists

SOC 2

  • Five Trust Services Criteria categories: Security (mandatory in every SOC 2 report), plus the optional Availability, Processing Integrity, Confidentiality, and Privacy; these guide how service providers should handle customer data
  • Type I vs. Type II reports: Type I assesses control design at a point in time; Type II tests operating effectiveness over a review period, typically 6-12 months, and is the report enterprise buyers usually ask for
  • Essential for cloud and SaaS providers who need to demonstrate security practices to enterprise customers during vendor assessments

Compare: ISO 27001 vs. SOC 2—both involve third-party assessments, but ISO 27001 is a certifiable international standard focused on the organization's overall ISMS, while SOC 2 produces attestation reports specifically about how service organizations protect customer data. Many organizations pursue both.


Industry-Specific Compliance Frameworks

These frameworks address regulatory requirements for specific sectors, with mandatory compliance obligations and potential penalties for violations.

HIPAA Security Rule

  • Protects electronic Protected Health Information (ePHI)—applies to healthcare providers, insurers, and their business associates
  • Three safeguard categories: Administrative, Physical, Technical, covering everything from workforce training to facility access to encryption. Some specifications (including encryption at rest and in transit) are "addressable": a covered entity must implement them or document why an equivalent alternative is reasonable and appropriate
  • Risk analysis requirement mandates that covered entities identify vulnerabilities specific to their environment and implement appropriate countermeasures

PCI DSS

  • 12 requirements organized into 6 control objectives—designed specifically to protect cardholder data during payment transactions
  • Compliance levels based on transaction volume—larger merchants face more rigorous assessment requirements including on-site audits
  • Specific technical mandates including rendering stored PANs unreadable, encrypting cardholder data in transit over open networks, segmenting the cardholder data environment (which also shrinks assessment scope), and penetration testing at least annually and after significant changes

GDPR

  • EU regulation governing personal data protection; applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located
  • 72-hour breach notification requirement: controllers must report qualifying breaches to the supervisory authority within 72 hours of becoming aware of them, and must also notify affected individuals without undue delay when the breach is likely to pose a high risk to them
  • Significant penalties up to €20 million or 4% of global annual revenue, whichever is higher—making it one of the most consequential compliance frameworks

Compare: HIPAA vs. PCI DSS—both are industry-specific compliance frameworks, but HIPAA protects health information with flexible implementation guidance, while PCI DSS protects payment card data with highly prescriptive technical requirements. An organization like a hospital that accepts credit cards must comply with both.


Threat Intelligence and Defensive Prioritization

These frameworks help organizations understand attacker behavior and prioritize defensive measures based on real-world threat data.

MITRE ATT&CK

  • Knowledge base of adversary tactics, techniques, and procedures (TTPs)—documents how real attackers operate based on observed incidents
  • Common language for threat intelligence—enables security teams, vendors, and researchers to communicate precisely about attack methods
  • Matrices organized by platform (Enterprise, Mobile, ICS) help organizations map their defenses against specific attack techniques relevant to their environment

CIS Controls

  • Prioritized security controls ranked by effectiveness against common attacks; the original 20 controls were consolidated into 18 in version 8
  • Implementation Groups (IGs) provide tiered guidance—IG1 covers basic hygiene for all organizations, while IG2 and IG3 add controls for more mature programs
  • Emphasizes foundational security hygiene: the first controls address enterprise asset inventory, software inventory, data protection, and secure configuration, which CIS positions as the baseline that defends against the most common attack patterns

Compare: MITRE ATT&CK vs. CIS Controls—ATT&CK describes how attackers operate while CIS Controls prescribes what defenders should do. They're complementary: use ATT&CK to understand threats, then verify your CIS Controls implementation addresses those techniques. This combination is powerful for FRQ scenarios asking about defense-in-depth.
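As an added worked example (not part of the original guide), the following Python script carries out the ATT&CK-to-CIS exercise described above: a threat profile of ATT&CK technique IDs, a detection inventory tagged by technique, and a CIS Controls v8 mapping are compared to find techniques with no detection, techniques that no control at a given Implementation Group mitigates, and which controls to implement first. The technique IDs and the CIS control numbers and titles are real; the threat profile, detection rules, control-to-technique links, and IG assignments are constructed assumptions for illustration, not the official CIS mapping.

```python
"""Map a threat profile (ATT&CK techniques) against detections and CIS Controls.

All sample data below is constructed for the example; the technique links and
IG assignments are assumptions, not the official CIS Controls v8 mapping.
"""

# Constructed threat profile: ATT&CK Enterprise technique IDs (real IDs) that a
# hypothetical organization has seen in intrusions relevant to its sector.
THREAT_PROFILE = {
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed detection inventory: each rule is tagged with the technique it
# is meant to catch (the same idea as attack.tXXXX tags on Sigma rules).
DETECTION_RULES = [
    {"name": "phish_attachment_macro", "technique": "T1566"},
    {"name": "powershell_encoded_cmd", "technique": "T1059"},
    {"name": "lsass_memory_access", "technique": "T1003"},
]

# CIS Controls v8: number -> (title, lowest IG assumed to contain a relevant
# safeguard, techniques the control is assumed to mitigate).  Numbers and
# titles are the real v8 controls; the IG and technique links are assumptions.
CIS_CONTROLS = {
    5: ("Account Management", 1, {"T1078"}),
    6: ("Access Control Management", 1, {"T1078"}),
    8: ("Audit Log Management", 1, {"T1003", "T1059"}),
    9: ("Email and Web Browser Protections", 1, {"T1566"}),
    10: ("Malware Defenses", 1, {"T1059", "T1486"}),
    11: ("Data Recovery", 1, {"T1486"}),
    13: ("Network Monitoring and Defense", 2, {"T1021"}),
    18: ("Penetration Testing", 2, {"T1078", "T1003"}),
}


def detection_gaps(profile, rules):
    """Techniques in the threat profile that no detection rule is tagged with."""
    detected = {rule["technique"] for rule in rules}
    return sorted(tid for tid in profile if tid not in detected)


def mitigation_coverage(profile, controls, max_ig):
    """Map each profile technique to the control numbers (at or below max_ig)
    assumed to mitigate it.  An empty list means no mitigation at that IG."""
    wanted = set(profile)
    coverage = {tid: [] for tid in profile}
    for number, (_title, ig, techniques) in sorted(controls.items()):
        if ig > max_ig:
            continue
        for tid in sorted(techniques & wanted):
            coverage[tid].append(number)
    return coverage


def uncovered(coverage):
    """Techniques whose coverage list is empty, sorted by ID."""
    return sorted(tid for tid, numbers in coverage.items() if not numbers)


def prioritize_controls(profile, controls):
    """Rank controls as (number, hits) by how many profile techniques they
    mitigate, breaking ties by lower IG and then lower control number, so the
    roadmap starts where the threat data says it pays off most."""
    wanted = set(profile)
    scored = []
    for number, (_title, ig, techniques) in controls.items():
        hits = len(techniques & wanted)
        if hits:
            scored.append((-hits, ig, number))
    return [(number, -neg_hits) for neg_hits, _ig, number in sorted(scored)]


if __name__ == "__main__":
    print("No detection for:", detection_gaps(THREAT_PROFILE, DETECTION_RULES))
    for ig in (1, 2):
        cov = mitigation_coverage(THREAT_PROFILE, CIS_CONTROLS, ig)
        print(f"IG{ig} leaves unmitigated:", uncovered(cov))
    for number, hits in prioritize_controls(THREAT_PROFILE, CIS_CONTROLS):
        title = CIS_CONTROLS[number][0]
        print(f"Control {number:2d} ({title}): covers {hits} profile technique(s)")
```

With the constructed data, T1021 (Remote Services) is the technique an IG1 program would leave unmitigated, and Controls 8, 10, and 18 each address two profile techniques, which is the kind of evidence an FRQ answer can cite when justifying which controls to implement first. Swap in the real CIS-published mapping and your own detection inventory to turn this into an actual coverage review.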


Quick Reference Table

Concept                        Best Examples
-----------------------------  ------------------------------
General Risk Management        NIST CSF, COBIT, ISO 27001
Federal/Government Systems     NIST SP 800-53
Healthcare Compliance          HIPAA Security Rule
Payment Card Security          PCI DSS
Data Privacy Regulation        GDPR
Third-Party Assurance          SOC 2, ISO 27001
Threat Intelligence            MITRE ATT&CK
Prioritized Controls           CIS Controls

Self-Check Questions

  1. Which two frameworks both require third-party assessments but serve different purposes—one for certifying an organization's overall security management system and one for attesting to how service providers protect customer data?

  2. An organization processes both patient health records and credit card payments. Which two compliance frameworks must they address, and what's the key difference in how each specifies security requirements?

  3. Compare and contrast NIST CSF and NIST SP 800-53: When would you recommend each, and how do they differ in their level of prescriptiveness?

  4. A security team wants to evaluate whether their defenses address real-world attacker behavior. Which framework provides a knowledge base of adversary techniques, and which framework would help them prioritize implementing defensive controls?

  5. FRQ-style: A European e-commerce company experiences a data breach affecting customer information. Identify the relevant compliance framework, explain the notification timeline requirement, and describe one technical control from another framework that might have prevented the breach.