What is a security framework?
A security framework defines policies and procedures for establishing and maintaining security controls. Frameworks clarify processes used to protect an organization from security risks. They help information security and IT security professionals keep their organizations compliant and insulated from threats against their information resources and systems. It can help save time by providing a clear structure for acting.
With a framework, it is easier to map where the security journey will begin and help to identify gaps so it will be more precise, actionable conversations with stakeholders at the organization.
NIST cybersecurity framework
There are several different security frameworks that organizations can use to manage and reduce security risks. The National Institute of Standards and Technology (NIST) has compiled a set of guidelines under the name NIST Cybersecurity Framework to help organizations better understand how to take action against cyber threats. The framework includes five functions that are of high importance in managing cybersecurity risks:
- Identify
- Protect
- Detect
- Respond
- Recovery
Within every function, there are several categories (tasks or challenges) the organization must carry out to identify risks, protect systems, detect breaches etc.