NIST's AI Risk Management Framework (AI RMF)
CISO Assistant
The list is constantly growing thanks to community requests and contributions! We add any missing open standard or regulation for free, just ask.
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet. The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
The NIST CSF is a framework designed to help organizations improve their cybersecurity practices and manage cybersecurity risks effectively. It is structured around six core functions: Identify, Govern, Protect, Detect, Respond, and Recover, providing a comprehensive approach to cybersecurity. NIST CSF is one of the most widely used frameworks in cybersecurity programs all over the world.
The CyberFundamentals Framework, initiated by the Centre for Cybersecurity Belgium (CCB), offers a structured set of guidelines aimed at enhancing cybersecurity within both public and private sectors. The framework is distinguished by its structure across four escalating levels of cybersecurity measures: Small, Basic, Important, and Essential. Starting from the Small level, designed for organizations with limited technical expertise, it progresses to the Essential level, aimed at counteracting advanced cyber threats.
CMMC 2.0 outlines three progressive levels of cybersecurity requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with contractors and subcontractors through DoD acquisition programs. These levels range from foundational cybersecurity practices to advanced measures against sophisticated threats, aligning closely with well-established National Institute of Standards and Technology (NIST) cybersecurity standards, specifically NIST SP 800-171 for the "Advanced" level and a subset of NIST SP 800-172 requirements for the "Expert" level, which is still under development.
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, officially designated as 23 NYCRR Part 500, is a pioneering set of regulations established to fortify the cybersecurity posture of financial services companies operating within New York State. Enacted on March 1, 2017, and subsequently amended, these regulations set forth stringent requirements designed to protect financial institutions' information systems and nonpublic information from cyber threats. The regulation encompasses a broad range of cybersecurity requirements, including but not limited to the establishment of a comprehensive cybersecurity program, the designation of a Chief Information Security Officer (CISO), penetration testing and vulnerability assessments, the management of third-party service providers, and the development of an incident response plan.
The Digital Operational Resilience Act (DORA) represents the European Union's comprehensive approach to enhancing the digital operational resilience of its financial sector. Recognizing the pivotal role that information and communication technology (ICT) systems play in the financial industry, DORA aims to safeguard the EU's financial entities from ICT risks, ensuring that they remain resilient in the face of operational disruptions. It was adopted on December 14, 2022, and published in the Official Journal of the European Union on December 27, 2022, marking a significant step toward harmonizing digital operational resilience across the EU.
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight. The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD's experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the European Union (EU) on May 25, 2018. Designed to strengthen privacy rights and data protection for individuals within the EU, the GDPR imposes strict guidelines on how organizations collect, store, process, and manage personal data. It introduces principles such as data minimization, where only necessary data can be processed, and consent, requiring clear and affirmative agreement from individuals before their data is used. The regulation applies to all organizations operating within the EU and those outside the EU that offer goods or services to, or monitor the behavior of, EU residents. Non-compliance can result in hefty fines, up to 4% of annual global turnover or €20 million, whichever is greater. The GDPR has set a global standard, influencing many countries to revise their own data protection laws to align with its stringent requirements, thereby reshaping the landscape of global data privacy.
Decree No. 2018-137 of 26 February 2018 on the hosting of personal health data introduced the HDS certification to ensure the security of this data in France, a key pillar of digital regulation in the health sector. Five years after its launch, the Délégation du Numérique en Santé and the Agence du Numérique en Santé initiated a revision of the HDS reference framework in early 2022. This revision involved the CNIL, the HFDS of the Ministry of Health, as well as various industry players and certification bodies. Following a public consultation at the end of 2022 and the analysis of more than 250 contributions, the CNIL approved the draft revised framework on 13 July 2023.
The AirCyber framework by BoostAeroSpace aims to elevate cybersecurity across the European Aerospace and Defense Supply Chain by standardizing and harmonizing IT and IS security. Developed with contributions from aerospace leaders like Airbus, Dassault Aviation, Safran, and Thales, AirCyber offers a suite of services, including maturity assessments, a catalog of cybersecurity solutions, and an encryption portal. This initiative addresses the pressing need for robust cybersecurity measures among smaller suppliers, often more vulnerable to cyber-attacks. Through disseminating advanced security practices and the AirCyber Maturity Standard, BoostAeroSpace facilitates a collective uplift in cyber resilience within the aerospace and defense sectors.
TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should collaborate to test and improve entities' cyber resilience by conducting controlled cyberattacks. TIBER-EU tests mimic the tactics, techniques, and procedures of real-life attackers based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e., its people, processes, and technologies. The outcome is not a pass or fail; instead, the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.
The Korea Information Security Management System and Personal Information Protection Framework (ISMS-P) is a comprehensive standard for managing information security and protecting personal data in South Korea. It is mandated by the Korea Internet & Security Agency (KISA) and combines requirements for information security (ISMS) and personal information protection (PMS). Organizations subject to this framework must implement robust technical and administrative controls, ensuring compliance with domestic privacy laws such as the Personal Information Protection Act (PIPA). ISMS-P certification is essential for businesses handling significant volumes of personal data or providing critical IT services, showcasing their commitment to data security and regulatory compliance.
The Minimum Standard of the German Federal Office for Information Security (BSI) for the Use of External Cloud Services establishes mandatory security requirements for federal authorities using external cloud services. It covers the entire lifecycle of cloud usage, from planning and procurement to operation and termination, emphasizing the need for risk analysis and compliance with the BSI Cloud Computing Compliance Criteria Catalog (C5). Additionally, it outlines specific requirements for shared use of external cloud services without direct contractual relationships. This standard aims to ensure a uniform level of security within the federal administration and promote the secure integration of external cloud services.
The European Commission's Implementing Regulation (EU) 2024/2690, adopted on October 17, 2024, specifies the technical and methodological requirements for cybersecurity risk management under the NIS2 Directive (Directive (EU) 2022/2555). This regulation targets entities such as DNS service providers, TLD name registries, cloud computing services, data centers, content delivery networks, managed service providers, online marketplaces, search engines, social networking platforms, and trust service providers. It outlines detailed measures these entities must implement to manage cybersecurity risks effectively and defines criteria for identifying and reporting significant incidents. The regulation aims to enhance the resilience and security of critical digital services across the EU.
Cyber Essentials is an effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They're the digital equivalent of a thief trying your front door to see if it's unlocked. Our advice is designed to prevent these attacks.
The OWASP Application Security Verification Standard (ASVS) is a framework by the Open Web Application Security Project (OWASP) designed to standardize the approach to web application security. It categorizes security controls into three levels of rigor, offering a comprehensive guide for developers, testers, and security professionals to ensure the security of web applications. Covering aspects from authentication to data protection, the ASVS serves as a benchmark for developing, testing, and evaluating the security of web applications, reflecting the latest in security challenges and best practices.
The Cloud Computing Compliance Criteria Catalogue (C5), developed by Germany's Federal Office for Information Security (BSI), sets stringent security standards for cloud service providers, focusing on transparency and trust. Updated in 2020, C5 aligns with international frameworks like ISO/IEC 27001 and the Cloud Security Alliance's Cloud Controls Matrix, covering areas such as organizational security, physical safeguards, and compliance. It requires providers to disclose key details, including data processing locations and applicable legal jurisdictions, enabling customers to make informed decisions. Widely adopted by government and private sectors, C5 audits ensure robust cloud security, fostering confidence in the reliability of cloud services.
The IT-Grundschutz-Kompendium is a comprehensive framework developed by the German Federal Office for Information Security (BSI) to help organizations implement robust information security measures. It provides detailed guidelines and best practices for protecting IT systems, covering various aspects such as risk management, security policies, and technical controls. The compendium aims to make cybersecurity accessible and manageable, offering modular and scalable solutions suitable for organizations of all sizes and sectors. Its systematic approach ensures that security measures are both effective and aligned with international standards.
In September 2021, the French civil aviation security directorate published the Cadre Conformité Cyber France (3CF), which aims to bring together the various regulatory provisions specific to civil aviation in matters of cybersecurity. The 3CF draws on good practices such as the guides and methods of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) and the ISO 27001 standard, and presents a set of regulatory requirements for the civil aviation sector.
In this second version, the 3CFv2 now constitutes a single reference framework of provisions intended to help organisations comply with: Implementing Regulation (EU) 2015/1998 as amended by Commission Implementing Regulation (EU) 2019/1583 of 25 September 2019 laying down detailed measures for the implementation of the common basic standards on civil aviation security, as regards cybersecurity measures; and/or the Part-IS (Information Security) Regulations: Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety; and Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety.
Adobe's Common Controls Framework (CCF) is a comprehensive set of security processes and controls designed to streamline compliance across various industry standards and regulations. By analyzing and rationalizing over 1,000 criteria from multiple security certifications, Adobe consolidated them into approximately 315 common controls spanning 25 domains, including asset management, data protection, and incident response. This approach enables Adobe to efficiently meet diverse compliance requirements such as ISO/IEC 27001, SOC 2, and the Cloud Computing Compliance Criteria Catalogue (C5). In its commitment to transparency and community collaboration, Adobe has open-sourced the CCF, allowing other organizations to leverage this framework to enhance their own security and compliance efforts.
The Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) is a comprehensive cybersecurity framework specifically tailored for cloud computing environments. It provides a detailed set of security controls that are aligned with industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002, ISACA COBIT, and NIST. The CCM is designed to aid organizations in assessing the overall security risk of cloud providers and to help ensure that adequate security measures are in place. The matrix covers fundamental security principles across different domains, including compliance, data security, infrastructure security, identity management, and incident response, making it a crucial tool for companies leveraging cloud technology for their operations. * This framework requires one extra manual step, given its license terms.
The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. Enacted in 2018 and effective from January 1, 2020, it gives California consumers more control over the personal information that businesses collect about them. The CCPA requires businesses to disclose their data collection and sharing practices, allows consumers to request deletion of their personal information, opt out of the sale of their data, and provides them the right to non-discrimination for exercising their CCPA rights. It applies to for-profit entities doing business in California that meet specific criteria related to revenue or data processing volume.
The CIS Critical Security Controls are a set of prioritized guidelines designed to help organizations bolster their cybersecurity posture. Developed by the Center for Internet Security, these controls are widely recognized for their effectiveness in mitigating the most common and impactful cyber threats. The framework consists of several key controls, including inventory and control of hardware and software assets, continuous vulnerability management, controlled use of administrative privileges, secure configuration of hardware and software, and the implementation of a security awareness and training program. By following these controls, organizations can significantly enhance their defensive capabilities against cyberattacks, improve their security management processes, and protect their sensitive information and systems. * This framework requires one extra manual step, given its license terms.
The Criminal Justice Information Services (CJIS) Security Policy is a comprehensive set of guidelines and requirements established by the Federal Bureau of Investigation (FBI) to ensure the security and integrity of criminal justice information. This policy outlines the security measures that must be adhered to by any agency that accesses or handles criminal justice information, encompassing data encryption, secure access, audit trails, and personnel training. The CJIS Security Policy aims to protect the privacy and civil liberties of individuals by ensuring that sensitive information, such as biometric data, criminal history, and identity information, is handled with the utmost security and confidentiality.
The Cyber Resilience Act (CRA) is a legislative proposal by the European Union aimed at enhancing the overall cybersecurity posture of products with digital elements sold within the EU market. The act focuses on ensuring that these products meet stringent cybersecurity standards from the design phase to the end of their lifecycle, thereby reducing risks and vulnerabilities that could lead to cyber-attacks. It applies to a broad range of products, including connected devices and software, with the objective of protecting consumers and businesses from cyber threats. The CRA mandates manufacturers to adhere to specified cybersecurity requirements, conduct thorough assessments of their products' cyber risks, and take appropriate measures to manage those risks effectively. Additionally, the act emphasizes transparency and accountability by requiring manufacturers to report significant cyber incidents. Through these measures, the CRA aims to foster trust and security in the digital marketplace, contributing to the resilience of the EU's digital economy against cyber threats.
ANSSI has published a cyber crisis management self-assessment tool to help organisations evaluate their preparedness for cybersecurity-related crises. This tool, developed in collaboration with the Club des directeurs de sécurité des entreprises, offers 57 questions spread across five themes, making it possible to measure capabilities from novice level up to the state of the art. The results help identify areas for improvement and guide the next steps in strengthening crisis management capabilities.
The Cyber Maturity Assessment Form (Fundamental Level) is a tool developed by the French Directorate General of Armaments (DGA) to evaluate and enhance the cybersecurity practices of defense industry stakeholders. This framework comprises 21 basic requirements designed to establish a minimum security standard, enabling organizations to counter fundamental cyber threats effectively. It serves as an initial step in a progressive approach to improve cybersecurity maturity within the defense industrial and technological base (BITD). The DGA anticipates that adherence to this fundamental level will gradually become a contractual obligation in its engagements with industrial partners, thereby promoting a consistent and robust cybersecurity posture across the sector.
The Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) of Morocco is a regulatory framework established by the Moroccan Direction Générale de la Sécurité des Systèmes d'Information (DGSSI). It aims to strengthen the cybersecurity of the country's administrations and critical infrastructures. The DNSSI defines requirements and good practices in IT security, covering aspects such as governance, risk management, data protection, and incident management. This framework is designed to improve Morocco's cyber resilience and align its practices with international information security standards.
The European Central Bank's (ECB) Cyber Resilience Oversight Expectations (CROE) provide a comprehensive framework to enhance the cyber resilience of financial market infrastructures (FMIs). Published in December 2018, the CROE operationalize the global guidance set forth by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions (CPMI-IOSCO) in June 2016. The framework outlines detailed steps for FMIs to strengthen their cyber resilience across key domains, including governance, identification, protection, detection, response and recovery, testing, situational awareness, and continuous learning and evolution. By adhering to these expectations, FMIs can systematically assess and enhance their cyber defenses, thereby contributing to the overall stability and security of the financial system.
The ECC (Essential Cybersecurity Controls) framework, developed by the National Cybersecurity Authority (NCA) of Saudi Arabia, serves as a minimum cybersecurity standard aimed at protecting sensitive government data and technology assets within the country. This framework is a result of a thorough examination of various national and international cybersecurity frameworks and standards. It is structured around 114 cybersecurity controls distributed across 29 subdomains and five main domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-party & Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. These controls are designed to help organizations build robust defenses against cybersecurity risks, ensuring the confidentiality, integrity, and availability of critical government assets and data. While primarily applicable to government organizations, critical infrastructure, and companies handling sensitive data in Saudi Arabia, all organizations are encouraged to adopt the ECC framework to bolster their cybersecurity measures.
The Esquema Nacional de Seguridad (ENS) is a framework established by the Spanish government to ensure the security of information and services provided by public administrations and entities that interact with them. Its main goal is to protect the confidentiality, integrity, availability, and authenticity of the information systems. The ENS defines a series of principles, minimum requirements, and security measures that must be followed, aiming to create a more robust and resilient digital infrastructure in Spain, complying with European standards for cybersecurity.
The Federal Act on Data Protection (FADP) from Switzerland is a key legislative framework designed to protect the privacy and fundamental rights of individuals regarding the processing of their personal data. Set to be fully effective from September 2023 with substantial revisions, the updated FADP aligns more closely with global data protection standards, such as the EU's GDPR. It emphasizes the principles of transparency, purpose limitation, and data minimization, alongside introducing stricter consent requirements and enhanced rights for data subjects, such as the right to be forgotten and the right to data portability. The act also imposes rigorous obligations on data controllers and processors, including requirements for data security and for conducting impact assessments for high-risk processing activities. This makes the FADP a crucial component of the regulatory landscape for both domestic and international organizations operating within Switzerland.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Managed by the General Services Administration (GSA), FedRAMP simplifies the process for federal agencies to use commercially available cloud solutions by ensuring they meet rigorous security requirements. This framework helps agencies save time and cost in cloud deployments, enhances transparency between government and cloud service providers, and fosters trust in the security of cloud technologies.
The ENISA 5G Security Controls Matrix is a comprehensive and dynamic matrix of security controls and best practices for 5G networks, intended to support the national authorities in the EU Member States with implementing the technical measures of the EU's 5G Cybersecurity Toolbox.
ANSSI's security recommendations guide for generative AI systems addresses the securing of a generative AI system architecture. It aims to raise awareness among administrations and companies of the risks associated with generative AI, and to promote the good practices to implement from the design and training phase of an AI model through to the deployment and production-use phase.
ANSSI's IT hygiene guide, published on 23 January 2017, is an essential resource for those responsible for information systems security. It proposes 42 key measures intended to strengthen data protection and the secure operation of IT systems. By emphasising cybersecurity awareness and training, this guide aims to establish a foundation of fundamental practices, ranging from managing the risks associated with outsourcing to implementing rigorous access control. This initiative reflects ANSSI's commitment to promoting an IT security culture adapted to current challenges.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a significant regulatory framework designed to safeguard medical information in the United States. It sets the standard for protecting sensitive patient data, requiring healthcare providers, plans, and clearinghouses to implement physical, network, and process security measures. HIPAA encompasses a range of rules, including the Privacy Rule, which controls the use and disclosure of Protected Health Information (PHI), and the Security Rule, which mandates the secure handling of electronic PHI. Compliance with HIPAA is essential for healthcare entities to ensure the confidentiality, integrity, and availability of patient data, providing a foundation for trust in the healthcare system's handling of personal health information.
The Agile Security Framework is an open standard made by intuitem, offering an incremental and iterative approach to cybersecurity. The baseline version helps cyber security consultants establish a holistic posture during rapid assessment and can also serve as a starting point for custom frameworks and security checklists.
ISO 27001:2013 was an international standard for information security management systems (ISMS), published by the International Organization for Standardization (ISO). It provided a framework for organizations to establish, implement, maintain, and continually improve their information security management. The standard outlined requirements for assessing and treating information security risks, implementing security controls, and monitoring the ISMS's performance. However, it's important to note that ISO 27001:2013 is now obsolete, having been replaced by ISO 27001:2022, which includes updates to address modern cybersecurity challenges and align with other ISO management system standards.
The Loi de Programmation Militaire (LPM) is a legislative instrument adopted by several countries to plan and organise defence spending over a given period, generally five to six years. In France, for example, the LPM defines the main orientations and the financial resources allocated to the armed forces, encompassing the acquisition of equipment, the development of new defence technologies, and support for military innovation and research. It aims to ensure the preparation and adaptation of the armed forces to contemporary and future challenges, balancing defence needs with the State's budgetary constraints. The LPM is crucial to a country's defence strategy, reflecting its military ambitions, its international commitments and its determination to protect its sovereignty and the security of its citizens.
The AI Act aims to provide AI developers and deployers with precise requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens on businesses, particularly small and medium-sized enterprises (SMEs). The AI Act is the first-ever comprehensive legal framework on AI worldwide. The new rules aim to foster trustworthy AI in Europe and beyond by ensuring that AI systems respect fundamental rights and safety principles, and by addressing the ethical risks of powerful and impactful AI models.
The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers who want to develop secure mobile applications and by security testers to ensure completeness and consistency. It's the foundation of the OWASP MASTG, where all the tests are associated with MASVS's controls.
The Saudi National Cybersecurity Authority (NCA) has established guidelines for Operational Technology (OT) cybersecurity controls to protect critical infrastructure and industrial systems in Saudi Arabia. These controls focus on securing industrial control systems, SCADA networks, and other OT environments from cyber threats. The NCA's framework emphasizes risk assessment, access control, network segmentation, continuous monitoring, and incident response specifically tailored for OT environments. By implementing these controls, organizations aim to enhance the resilience of their industrial operations against cyberattacks and ensure the continuity of critical services.
The NCSC Cyber Assessment Framework (CAF) is a tool developed by the UK's National Cyber Security Centre to help organizations assess and improve their cyber resilience. It provides a systematic method for evaluating an organization's cyber security posture across 14 key principles, grouped into four objectives: managing security risk, protecting against cyber attack, detecting cybersecurity events, and minimizing the impact of incidents. The CAF is particularly useful for organizations responsible for vital services and infrastructure, helping them identify areas for improvement and demonstrate compliance with relevant regulations.
The NIS2 Directive, an evolution of the European Union's pioneering Network and Information Systems (NIS) Directive, represents a significant step forward in strengthening cybersecurity across the EU. Enacted to address the growing threats in the digital space, NIS2 broadens the scope of its predecessor by covering a wider range of sectors deemed critical, including energy, transport, banking, and digital infrastructure, among others. It mandates stricter security requirements, incident reporting protocols, and enhanced supervisory measures, including substantial fines for non-compliance. NIS2's primary goal is to bolster the overall resilience and security of network and information systems within the EU, ensuring a unified and high level of cybersecurity preparedness, response, and collaboration among Member States, thereby protecting the internal market and the citizens of the EU from cyber threats.
The NIS2 Technical and Methodological Requirements (Commission Implementing Regulation (EU) 2024/2690), adopted under the NIS2 Directive, set out detailed cybersecurity risk-management measures for the digital entities in NIS2's scope, such as DNS service providers, TLD name registries, cloud computing and data centre service providers, content delivery networks, managed service providers and managed security service providers, online marketplaces, search engines, social networking platforms, and trust service providers. The measures cover areas such as risk management policy, incident handling, business continuity and recovery, supply chain security, and cryptography. The regulation also specifies, per entity type, the criteria that make an incident "significant" and therefore reportable, ensuring a uniform approach across Member States. Its aim is to enhance the resilience of these services and safeguard the stability of the digital infrastructure on which other critical sectors depend.
The NIST's AI Risk Management Framework (AI RMF) is a comprehensive guideline aimed at fostering trustworthy and responsible development, deployment, and use of artificial intelligence (AI) systems. Developed through extensive collaboration with stakeholders from government, academia, and industry, the AI RMF provides a flexible and voluntary framework to help organizations manage risks associated with AI technologies, including ethical considerations, fairness, accountability, transparency, and the impact on privacy and civil liberties. It emphasizes the importance of incorporating robust risk assessment and management practices throughout the AI lifecycle, from design to deployment and monitoring, to ensure AI systems are reliable, safe, and aligned with societal values and norms. The framework is part of NIST's broader effort to build confidence in AI technologies and to support the development of AI systems that are innovative and beneficial while minimizing harm and unintended consequences.
Part-IS (EU Regulation 2023/203) introduces requirements for identifying and managing information security risks that could affect information and communication technology systems and data used for civil aviation purposes. It sets requirements for detecting information security events, identifying those that are considered information security incidents, and responding to and recovering from those information security incidents to a level commensurate with their impact on aviation safety.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized security standard designed to ensure that all entities that process, store, or transmit cardholder data maintain a secure environment, thereby reducing payment card fraud. Maintained by the PCI Security Standards Council, which was founded by the major card brands, it sets out a comprehensive set of requirements including network security, data protection measures, vulnerability management programs, access control measures, and monitoring and testing of networks. Compliance is not required by statute but is mandated contractually through the card brands and acquiring banks for every such entity, with the aim of protecting sensitive cardholder data throughout the transaction process. The standard helps build trust with customers and reduces the risk of data breaches and non-compliance penalties. Through regular updates, PCI DSS adapts to emerging threats and technologies so that the payment ecosystem stays protected against evolving cybersecurity challenges.
The NIST Privacy Framework is a voluntary tool developed to help organizations identify and manage privacy risks and enhance individuals' privacy protections. It is designed to be compatible with various privacy laws and regulations and aims to facilitate ethical decision-making regarding data privacy. This framework is structured similarly to the NIST Cybersecurity Framework, consisting of three main parts: Core, Profiles, and Implementation Tiers, which assist organizations in developing and refining their privacy management programs. Through its adaptable approach, the NIST Privacy Framework supports organizations across different sectors and jurisdictions in achieving better compliance and privacy outcomes.
The Protective Security Policy Framework (PSPF) is an Australian Government initiative designed to assist federal government agencies in protecting their people, information, and assets, both at home and overseas. Established to provide a comprehensive set of security guidelines and principles, the PSPF ensures that government operations are conducted securely and with integrity. It encompasses various security measures, including governance, information security, personnel security, and physical security. The framework mandates agencies to implement specific security protocols to safeguard sensitive information and resources against potential threats and vulnerabilities. By standardizing security practices across all government entities, the PSPF aims to foster a resilient and trustworthy government sector, ensuring the continuous and effective delivery of government services to the Australian public and protecting national interests.
The Référentiel d'Audit de la Sécurité des Systèmes d'Information is a framework developed to guide auditors in assessing the security of information systems. It provides standardized criteria and methodologies to ensure the quality and consistency of security audits. The framework covers several domains, including risk management, access control, business continuity, and compliance with applicable regulations. By adopting it, organizations can identify potential vulnerabilities, evaluate the effectiveness of their security controls, and implement appropriate corrective measures to strengthen the resilience of their information systems.
The Référentiel Général de Sécurité (RGS), developed by France's Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), is a normative framework intended to ensure the security of government information systems. Established to meet the growing data-protection requirements of the public sector, the RGS defines the mandatory rules and security levels for protecting sensitive information handled by government entities. It covers several aspects of information security, including risk management, securing of electronic exchanges, protection of infrastructure, and the conformity of security products and systems. By setting strict security standards, the RGS aims to strengthen trust in digital public services and to guarantee the continuity and integrity of government services, while protecting personal and sensitive data against cyber threats.
ANSSI's SecNumCloud qualification is aimed at cloud service providers wishing to demonstrate one of the highest levels of security on the market. The qualification is aligned with the expectations of operators of vital importance (Opérateurs d'Importance Vitale). Tied to an ANSSI Visa de Sécurité, it is the highest-assurance offering for cloud services. Built on the structure of ISO/IEC 27001, this framework is part of France's national strategy for a trusted cloud and of the European Union's Cybersecurity Act.
The Secure Controls Framework (SCF) is a comprehensive cybersecurity and privacy control framework designed to help organizations manage their security and compliance efforts. It provides a unified set of controls that can be mapped to various industry standards, regulations, and best practices. The SCF aims to simplify the process of implementing and maintaining a robust security program by offering a centralized repository of controls that can be tailored to an organization's specific needs, regardless of its size or industry sector.
Service Organization Control 2 (SOC 2) is an attestation framework for data security and privacy, tailored to service organizations that store or process customer data, typically in the cloud. Developed by the American Institute of CPAs (AICPA), SOC 2 is based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Unlike SOC 1, which covers controls relevant to a customer's financial reporting, SOC 2 addresses the operational controls that technology and cloud computing entities use to secure their information systems. A SOC 2 engagement is an audit in which an independent CPA assesses the design (Type I) and, for Type II, the operating effectiveness over a period of a service provider's controls against the selected criteria. The resulting report is an attestation rather than a certification, and it is widely relied on by technology companies to assure clients and stakeholders of the organization's commitment to security and data protection in its operations.
Special Publication 800-53, developed by the National Institute of Standards and Technology (NIST), is a cornerstone document that provides a comprehensive catalog of security and privacy controls for federal information systems and organizations in the United States. FIPS Publication 200, which sets the minimum security requirements for federal systems, mandates the use of SP 800-53 for selecting controls, with the control baseline determined by the system's impact level (low, moderate, or high) as categorized under FIPS 199. The document groups controls into families, such as access control, incident response, and risk assessment, offering a structured approach to selecting, tailoring, and implementing measures. Regularly updated to address evolving cybersecurity challenges, SP 800-53 plays a crucial role in guiding federal agencies and their contractors in building robust, secure, and resilient information technology infrastructures, thereby safeguarding critical government functions and sensitive data.
NIST 800-171 Rev 2, developed by the National Institute of Standards and Technology (NIST), is a publication that provides guidelines on protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. This document is particularly crucial for contractors and subcontractors serving the U.S. federal government, as it outlines the requirements for safeguarding sensitive federal information. The guidelines are structured around 14 security requirement families, including access control, incident response, and system and information integrity. NIST 800-171 Rev 2 aims to ensure that sensitive federal information remains confidential and resilient against cyber threats while stored in or transmitted through third-party systems. This standard is pivotal in maintaining the trust and integrity of the supply chain involved in federal operations.
On May 14, 2024, the National Institute of Standards and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and its companion assessment guide, NIST SP 800-171A Revision 3 (collectively, "Rev. 3 Final Version"). While the Department of Defense (DoD) is not yet requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), and the Cybersecurity Maturity Model Certification (CMMC) program.
The National Institute of Standards and Technology (NIST) Special Publication 800-218, known as the Secure Software Development Framework (SSDF), provides guidelines for implementing secure software development practices. It aims to reduce software vulnerabilities from the design phase through deployment and maintenance. The SSDF outlines a set of high-level practices designed to help organizations integrate security into their software development lifecycle, addressing factors such as risk assessment, design, implementation, testing, and response to vulnerabilities. The framework is intended to be adaptable across different organizations and development environments, serving as a universal guideline to enhance the security of software systems.
Switzerland's ICT Minimum Standard is a cybersecurity framework developed by the Federal Office for National Economic Supply (FONES) to enhance the resilience of critical infrastructure operators against cyber threats. While primarily aimed at these operators, the standard is applicable to any organization seeking to bolster its ICT security. It provides a structured approach encompassing identification, protection, detection, response, and recovery measures, aligning with international standards such as the NIST Cybersecurity Framework. By implementing this standard, organizations can systematically assess and improve their cybersecurity posture, thereby ensuring the continuity of essential services and contributing to national economic stability.
TISAX (Trusted Information Security Assessment Exchange) is a standardized protocol for information security assessments within the automotive industry, developed and governed by the ENX Association. It was designed to ensure a uniform level of information security, data protection, and compliance among automotive manufacturers, suppliers, and service providers. TISAX enables companies to undergo a single assessment that is recognized across the board, thereby reducing the need for multiple audits and fostering a culture of transparency and trust within the industry. This assessment covers a wide range of information security measures, including the protection of sensitive and proprietary data, and aims to facilitate secure collaboration and data exchange. By adhering to TISAX, organizations can demonstrate their commitment to upholding stringent information security standards, thereby gaining a competitive edge and building stronger partnerships within the automotive sector.
The NIST Cybersecurity Framework (CSF) 1.1, developed by NIST, is the previous major version of the framework for improving cybersecurity practices across all sectors. It is kept here for legacy purposes, as many organizations have structured their programs on top of CSF 1.1. Building on the original framework, CSF 1.1 provides a flexible and voluntary structure composed of standards, guidelines, and best practices to manage cybersecurity-related risk. It refines the five core functions (Identify, Protect, Detect, Respond, and Recover), broadening their applicability to a wider range of threats and business environments. The update emphasizes cybersecurity risk management in the supply chain and clarifies the treatment of authentication, authorization, and identity proofing. By adopting CSF 1.1, organizations can better align their cybersecurity efforts with business needs, manage risks effectively, and foster a proactive cybersecurity culture.
Check out CISO Assistant and see how it can help you manage your cybersecurity and compliance program.