How to select a cybersecurity framework to protect your greatest assets: People, property and data

By Baan Alsinawi
May 14, 2021

A fact of doing business in today’s hyper-internet-connected world is the need for organizations, regardless of size or sector, to protect their enterprises against a constant onslaught of malicious actors, insider threats, and a slew of other cybersecurity risks. It’s more a matter of “when,” not “if” your organization will face an attack. Fortunately, cybersecurity frameworks have been developed that comprise best practices, standards, and guidelines designed to manage risks and combat these threats so you can protect your greatest assets: people, property and data.

Businesses that work with the government or are in defense, finance, health care, or security sectors are likely required to comply with a particular framework or to meet certain regulatory requirements. These include the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), Defense Federal Acquisition Regulation Supplement (DFARS), the Sarbanes-Oxley Act, and the Health Insurance Portability and Accountability Act (HIPAA), among others.

Even if you are not mandated to adhere to any particular regulations, it still makes sense for your business to be proactive in managing risk. All frameworks include guidance for good cybersecurity hygiene, such as effective inventory and asset management, contingency planning, personnel security, system access control, and staff awareness and training, to name a few. To prepare for the aftermath of a cyber incident, frameworks provide incident response guidelines you can follow to recover and limit the damage. Establishing a framework can not only help your organization follow best practices but also bring rigorous cyber discipline to your organization.


Determining your risk profile

To figure out the best framework(s), the first step is to determine your risk vectors and what risks your business can tolerate. The Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security, offers security tips for managers, including Questions Every CEO Should Ask About Cyber Risks. This is a good place to start.

You also might want to consider engaging a risk management firm to help you sort through your options. These experts can help you select the best-suited framework for your business; define your organization’s cybersecurity strategies, goals, and objectives; and help you prepare for the most serious cyber threats your industry faces.

The National Institute of Standards and Technology (NIST) frameworks and the NIST Cybersecurity Framework, described below, are commonly used frameworks. NIST offers several options that work for organizations in a range of industries.


NIST's Variety of Frameworks and Standards

NIST is a U.S. government agency that has developed several useful cybersecurity frameworks that represent the basis for most other frameworks. Detailed in special publications (SPs), these frameworks offer specific controls—best practices—that organizations in both the public and private sectors can follow to achieve the stated objective of the special publication.

NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (known as RMF), is built around seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. This process helps organizations prioritize their risk management efforts by identifying, measuring, and tracking risks.

NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a tried-and-true framework that focuses on privacy controls in recognition that privacy is a critical concern in the cybersecurity realm.

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, focuses on assisting organizations that store, transfer, or transmit controlled unclassified information, referred to as CUI.[1] NIST 800-171’s controls are aimed at helping nonfederal organizations that do business with the federal government protect CUI confidentiality. These are good guidelines for any organization to follow to safeguard its own and its customers’ data.

The NIST Cybersecurity Framework, known as CSF, centers on the basic cyber defense functions that are required to determine risks and protect assets: identify, protect, detect, respond, and recover. It is designed to be customizable so that organizations can create a cybersecurity program that suits their individual risks, situations, and requirements. They can then prioritize their investment and maximize their spending on the most effective cybersecurity risk management.


Implementing a Framework

It can definitely be a daunting task to decide on a framework and then implement it effectively. Some firms may have the resources but could use help with interpreting the controls as they apply them to their organization. Other firms may need an outside expert to handle the whole process.

Third-party risk management firms can help in both situations by advising businesses on where to start and what frameworks make the most sense for them.

A key way a risk management firm can help is by starting with a gap analysis. This evaluates your company’s “as is” cybersecurity status and determines how to get to the “should be” status. The third-party experts will identify, quantify, and prioritize your organization’s risks and weaknesses and suggest remediation steps to address them. This can include advising on the most appropriate framework that can best protect your organization’s people, property and data and maximize your cybersecurity investment. Once a baseline is established and you address the gaps, you use the guidelines in your chosen framework to continuously measure your organization against this benchmark.

Given the complexity, artfulness, and range of cybercrimes that organizations face, it is important to use every available tool to combat these attacks. Adopting a proven cybersecurity framework that is suited to your business needs and risks gives you the tools to protect your enterprise against the threats confronting you today and to continue fending off those of tomorrow.


[1] NIST Special Publication 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, defines CUI as “any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls.” The CUI Registry lists these categories.

Baan Alsinawi is president and founder of TalaTek.
