Peer-Driven Insights

Security Frameworks (NIST, CIS, CSF)

About this topic

Security frameworks (NIST, CIS, CSF) refer to industry-standard models and best practices for establishing, managing, and improving cybersecurity programs. They provide structured guidance to strengthen security posture and ensure compliance.

Featured One-Minute Insights

Sept 2024

How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
How are U.S. CISOs Addressing Liability Risk?

Community Posts

Our organization is embarking on ISO certification for security and privacy in the cloud. We are looking for best practices to implement ISO whilst being mindful of the rigor needed to manage with multiple standards. From our initial review we were informed of BSI's PAS 99 and wanted to understand: 1. Pros and Cons 2. Adoption i.e. has it been widely adopted across business landscape, specifically in the insurance sector embarking on ISO certifications? 3. Are there alternatives or best practice recommendations when embarking on cloud ISO security and privacy certifications? Also, we understood that the current certification I.e. ISO/IEC 27017:2015 looks to be replaced by ISO/IEC DIS 27017 - Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services. Do you recommend waiting for the revision in its current stage or progress with the incumbent certification and have a subsequent review once the new version is published?

Has anyone used CMMI Cybermaturity framework to benchmark or improve Cybersecurity maturity? I believe it is suitable to large organizations and not small or medium ones. It also needs a lot of time in order to show improvements, do you agree?

Read More Comments

Do you have processes for gathering feedback on security awareness training? How can leaders create effective feedback loops to identify and make improvements when needed?

Read More Comments

NIST cybersecurity framework 2.0 was just released – what do you think of the update so far?

Read More Comments

How do you implement cryptography for top secret information exchange foreseeing a post quantum scenario soon and what types of algorithms do you use? What about network security, are VPN keys are more secure?

Read More Comments

My security analyst is recommending we shut off access to third-party personal email accounts to reduce the risk of attack as a result of phishing attempts through these platforms.  Is this something many companies do?

Read More Comments

We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Read More Comments

What is the top data governance issue?

Limited resources10%

Siloed data38%

Lack of leadership25%

Poor data quality & context19%

Lack of data control5%

Other (please explain in the comments)

View Results

Does anyone have experience standing up a central organization that is responsible for resolving findings from audits? I am tasked with intaking findings from audits, organizing remediation projects/programs/teams to remediate those findings and track remediation to completion.

Read More Comments

What platform are you using for GRC?

Drata7%

Vanta22%

Secureframe15%

KnowBe412%

Ostendio8%

AuditBoard8%

Something else -- I'll tell you in the comments6%

We’re not using a GRC platform20%

View Results

Are compliance checklists an effective way to improve cyber hygiene?

Read More Comments

We are in the process of building a secure network reference architecture for member firms as guidance. Are there any good examples I can use?

Read More Comments

What are your views on the CIS Controls framework?

Read More Comments

What are your thoughts on CMMC 2.0?

What are some critical NIST controls to focus on when building a cyber program for a new software startup?

Updated NIST password guidelines — what do you think of the recommendation to include emojis as acceptable characters?

Very positive – Offers more flexibility & personalization19%

Somewhat positive – Could enhance security if used correctly48%

Neutral – I doubt it will significantly impact security25%

Somewhat negative – May lead to predictable patterns7%

Very negative – Complicates password creation without much benefit

View Results