
The Use of Security Frameworks in DeRISK 4.0

With ever-growing cyberthreats facing organizations today, security stakeholders are implementing new cybersecurity standards and looking for maturity level frameworks to better structure their security programs. But how exactly does a company choose which standard or framework is the best fit for them? How can security stakeholders observe if they're reducing their organizations' "real" exposure to cyber risk? In the creation of DeRISK 4.0, we have completed a deep analysis of the different frameworks to help security and risk stakeholders alike implement cybersecurity programs that fit them best.

Industrial organizations choose cybersecurity and maturity frameworks based on many different factors, including industry, region, applicable regulations, and the overall maturity of the company. For example, electric utilities in North America are regulated by the North American Electric Reliability Corporation (NERC) and are required to implement a cybersecurity standard called Critical Infrastructure Protection (CIP), whereas non-regulated entities in North America can choose to implement CIS Controls 7.1 or 8 and the NIST Cybersecurity Framework.

When traveling across the pond to Europe, it is much more common to find non-regulated entities leveraging ISO/IEC 27001, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), instead of CIS or the NIST CSF. Within the industrial field, where cybersecurity covers operational technology in automation and control systems, the ISA/IEC 62443 framework has become an established common standard as well.

Furthermore, each of these security frameworks has a series of controls that can be fulfilled with a different degree of maturity, ranging from partial, informal compliance to an adaptable and optimizable control, logically passing through its management and documentation along the way.

These different degrees of maturity provide insight into the robustness of an organization in terms of how it has implemented the different cybersecurity controls. Several frameworks define these degrees of control maturity; in some cases they are linked to a specific controls framework, such as NIST, ISO/IEC, CMMC, CMMI, or C2M2.


The standards and frameworks mentioned above are just the tip of the iceberg of the various options a company can choose to implement. Understanding the parallels and variations between the different standards and frameworks will help a company choose the one most fitting for its organizational needs.

In performing this research, we determined that DeRISK must have the flexibility to understand all the different cybersecurity standards and maturity level frameworks that our customers may use. With each new release of DeRISK, new standards and frameworks are added.