Infosec and Cybersecurity: Standards, Frameworks, and Resources


More than ever, information security is a top priority for every organization. In today's digital world it is essential to distinguish between information security (infosec) and cybersecurity.

The Difference Between Infosec and Cybersecurity

Information security refers to the protection of the confidentiality, integrity, and availability of data, regardless of its form. 

We think of information security in terms of computers and digital information, but meaningful, valuable data can be stored in many forms. Information security can be as much about protecting a filing cabinet full of important documents as it is about protecting your organization's database.

Cybersecurity, by contrast, is concerned specifically with information in digital form and with the systems that hold it: it covers the hardware, software, and networks that are exposed to attacks, intrusions, or unauthorized access.

Both information security and cybersecurity deal with the protection of information, albeit in different ways. Examples of where these two disciplines intersect include data privacy, identity management, security policies and procedures, and risk management. 

Infosec standards are sets of guidelines and requirements intended to ensure the security, privacy, and integrity of information within an organization or information system. They do this by defining controls that reduce the risk posed by cyber threats, attacks, data theft, and other weaknesses that could expose an organization's data and assets.

Key objectives of infosec standards

- Privacy: Infosec standards help to establish guidelines for data protection, including secure access, storage, and transmission of sensitive information.
- Risk Management: The standards contribute to defining processes for identifying, assessing, and mitigating cyber risks, thus enabling organizations to make informed decisions about information security.
- Confidentiality, Integrity, and Availability: Infosec standards aim to ensure information confidentiality, data integrity, and system availability by preventing unauthorized access, unwanted modification, or disruption.
- Legal and regulatory compliance: Standards prompt organizations to comply with laws, regulations, and industry obligations related to data protection and privacy.
- Awareness and Training: Standards prompt organizations to promote cybersecurity awareness and employee training to reduce the risk of human error.
- Access management: Standards require organizations to define procedures for securely managing access to resources and information, allowing only authorized users to access data and systems.

Australian Signals Directorate

The Australian Signals Directorate (ASD) is an Australian government agency whose responsibilities include cyber security; it publishes security guidance for Australian organizations.

The ASD Essential Eight is one of its most prominent contributions. It is a prioritized set of eight mitigation strategies, each measured against a maturity model, that together address three aims:

- Preventing malicious or untrusted applications from running: application control, patching applications, configuring Microsoft Office macro settings, and user application hardening
- Limiting the extent of an intrusion by protecting credentials and privileged access: restricting administrative privileges, patching operating systems, and multi-factor authentication
- Recovering data and system availability after an incident: regular backups

ASD's broader guidance takes a risk-based approach: identify the assets that are most critical to the organization, and apply security measures commensurate with the value and sensitivity of those assets.

ISO 2700X

The ISO 2700x standards (formally the ISO/IEC 27000 series), and specifically ISO 27001 and ISO 27002, focus on information security management.

ISO 27001 specifies the requirements for an information security management system (ISMS): a framework for identifying, assessing, and treating information security risks, and for selecting the controls that address them.

ISO 27002, on the other hand, is a companion code of practice that describes the individual security controls referenced in Annex A of ISO 27001 and gives implementation guidance for each.

Organizations can be certified against ISO 27001 (ISO 27002 is guidance and is not itself certifiable). Adopting the series gives them a consistent framework for managing and continuously improving information security.

Information Systems Audit and Control Association

Information Systems Audit and Control Association (ISACA) is a professional organization that focuses on information security, audit, and control of information systems. It offers several internationally recognized frameworks and certifications.
 
COBIT (Control Objectives for Information and Related Technologies) is one of the most well-known frameworks developed by ISACA as a comprehensive guidance for IT systems management. This framework helps organizations define objectives and metrics for control and governance of information systems, ensuring alignment between business processes and IT technologies.
 
ISACA also offers several certifications, including:
 
·       CISA (Certified Information Systems Auditor)
·       CISM (Certified Information Security Manager)
·       CRISC (Certified in Risk and Information Systems Control).

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) is a U.S. government agency that provides guidelines, frameworks, and best practices for information security. It is also widely recognized internationally for its contributions to information security.

The NIST Cybersecurity Framework (CSF) is a key tool that helps organizations manage and mitigate cyber risks. It organizes cybersecurity outcomes into core functions; the original framework (CSF 1.1) defines five:

•    Identify
•    Protect
•    Detect
•    Respond
•    Recover

CSF 2.0, released in February 2024, adds a sixth function, Govern, which covers the organization's cybersecurity strategy, policies, and risk oversight.

The CSF provides a flexible framework for assessing and improving cybersecurity, adapting to an organization's specific needs.

In addition to the CSF, NIST publishes the SP 800 series (Special Publications), technical guidelines that cover specific aspects of cybersecurity in detail: for example, SP 800-53 (security and privacy controls for information systems) and SP 800-63 (digital identity, including authentication and password guidance), alongside publications on encryption, network protection, and many other topics.

Isabella Massardo

Content strategist at GALA. A linguist and technologist who has lived in Italy, Russia and the Netherlands. Through GALA, Isabella offers the translation community content that’s relevant, reliable, and timely. She is always on the lookout for thought-provoking globalization and localization topics.