A regulation is a government-enforced set of security guidelines an organization must follow to increase its cybersecurity standards. A cybersecurity framework, on the other hand, is a set of guides helping organizations improve their security posture.
A common mistake is oversimplifying the difference between the two terms by saying regulations are mandatory and cybersecurity frameworks are voluntary. This isn’t technically correct. Some cybersecurity frameworks consist of controls that map to the security requirements of a specific regulation. For example, implementing NIST CSF will help achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA), a regulation for healthcare entities, because NIST CSF maps to HIPAA’s security and data protection requirements.
Cybersecurity frameworks offer organizations a pathway for improving their cybersecurity posture, relieving them of the burden of designing a fresh cybersecurity program from the ground up.
Organizations bound to a regulation should choose a cybersecurity framework that best maps to the security standards of that regulation. When regulatory compliance is not required, an organization should pick a cyber framework that’s most supportive of its corporate security objectives. The NIST Cybersecurity Framework is also a popular choice for generic cyber threat resilience.
Examples of Cybersecurity Regulations
Some examples of cybersecurity regulations include:
- The General Data Protection Regulation (GDPR).
- Payment Card Industry Data Security Standard (PCI DSS).
- The Gramm–Leach–Bliley Act (GLBA).
- The Health Insurance Portability and Accountability Act (HIPAA).
- Quality System Regulation (QSR).
- The Sarbanes-Oxley (SOX) act of 2002.
- The Bank Secrecy Act (BSA).
- The Federal Information Security Management Act (FISMA).
- North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC CIP).
Examples of Cybersecurity Frameworks
Some examples of cybersecurity frameworks include:
- Control Objectives for Information Technology (COBIT).
- ISO/IEC 27001.
- NIST CSF.
- Service Organization Control (SOC) Type 2.
- Australian Government Protective Security Policy Framework (PSPF).
- Essential Eight.
- Australian Energy Sector Cyber Security Framework (AESCSF).
- CIS Controls.
- HITRUST (originally Health Information Trust) Common Security Framework (CSF).
- Cloud Controls Matrix (CCM).
- ISO/IEC 38500.
Other Common Cybersecurity Misconceptions
The theoretical complexity of cybersecurity, with its myriad of disciplines and concepts, makes the industry highly susceptible to misunderstanding. Below, some of the most common questions asked about cybersecurity are answered, with the hope of also addressing the misconceptions likely motivating each inquiry.
“Is SOC 2 a certification?”
No. SOC 2 is not a certification. It’s a voluntary customer data management and security standard aimed at service organizations.
“Is the HIPAA security rule a cybersecurity framework for HIPAA compliance?”
No. The HIPAA security and privacy rules are separate sets of compliance standards for the Health Insurance Portability and Accountability Act (HIPAA).
“Is antivirus software enough to protect my computer from all cyber threats?”
Antivirus software can protect against some cyber threats, but it is not enough to protect against all types of cyber attacks. Achieving a security posture that’s resilient to most cyber attacks requires a multi-layered approach consisting of firewalls, threat awareness training, risk assessments, and Vendor Risk Management (VRM).
“Does encryption only apply to government or military entities?”
Encryption is not just limited to government and military entities. Encryption is one of the most basic standards of best data security practices. It’s also a common requirement across most regulations.
“Is social engineering only about tricking people through email?”
Social engineering includes any tactic for tricking victims into divulging sensitive information. As such, it could be used in any form of communication, including email, phone calls, and in-person interactions.
“Is a firewall only necessary for businesses and not for individuals?”
Firewalls help both businesses and individuals defend against unauthorized network access. The use of firewalls is especially important for individuals working from home, as an absence of this control could turn a remote working environment into an attack vector for a company data breach.
“Is two-factor authentication only for high-risk accounts?”
Two-Factor Authentication (2FA) can provide an additional layer of security for any online account, not just high-risk accounts. For a superior degree of account protection, Multi-Factor Authentication (MFA) should be preferred over 2FA.
“Can I safely ignore software updates because they take too long to install?”
Ignoring software updates can leave your software vulnerable to new security threats and overlooked software exposures. Always keep all software up-to-date to ensure the best possible protection, even if the process slightly delays your humourous giphy messages between colleagues.
“Does using an ad blocker guarantee protection against malicious advertising?”
Ad blockers can block some types of advertisements, but they do not guarantee protection against all types of malicious advertisements. It is important to remain vigilant and not click on suspicious banners or unknown links.
“Is it safe to share personal information on social media, as long as my privacy settings are set to the highest level?”
Setting privacy settings to the highest level on social media does not guarantee the complete protection of any personal information. Shared information can still be intercepted by advanced hackers, especially while connected to free public Wi-Fi.
“Can Mac computers get infected with malware or viruses?”
Mac computers are not immune to malware, viruses, or hacking. Mac users are also equally vulnerable to the most popular method of malware delivery - phishing attacks.
“Does regularly clearing your browser history and cookies provide enough protection against online tracking and cyber threats?”
Clearing browser history and cookies can provide some protection against online tracking, but it is not enough to protect against all types of cyber threats. A multi-layered approach to security is recommended.
“Is it safe to open all attachments and click on all links in emails, as long as they are from people I know?”
Not all attachments and links in emails are safe, even if the email appears to be sent from someone you know. Hackers can utilize a tactic known as email spoofing, where they forge a sender address to make it seem like it’s from a trusted source. This attack strategy is commonly used in phishing emails, where victims are tricked into clicking on links leading to a credential-stealing website.
If an email seems suspicious, always confirm the source sent it by contacting them directly, either by composing a new email or calling them via their official contact number.
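The header checks a receiving mail system typically runs to surface a forged sender, shown here as an added example that is not part of the original article and not UpGuard code. It assumes the receiving server has already stamped an Authentication-Results header (SPF and DKIM verdicts) and uses two constructed sample messages, one legitimate and one with a forged From: address; the parsing of Authentication-Results is deliberately simplified.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for illustration only (not real mail).
# The legitimate message passes SPF and DKIM and its envelope sender
# (Return-Path) matches the From: domain.
LEGIT_MSG = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: bob@example.net
Subject: Quarterly report

See attached.
"""

# The spoofed message shows the same From: display but was relayed from an
# unrelated domain, fails SPF and carries no DKIM signature.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none
From: Alice <alice@example.com>
To: bob@example.net
Subject: Urgent: verify your account

Click here to confirm your password.
"""


def _domain(addr_header):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """Pull the spf= and dkim= verdicts out of Authentication-Results.

    Simplified parser: assumes the common 'method=result ...' clauses
    separated by semicolons, which is enough for the sample headers above.
    """
    verdicts = {}
    for clause in msg.get("Authentication-Results", "").split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim"):
            if clause.startswith(method + "="):
                verdicts[method] = clause.split()[0].split("=", 1)[1].lower()
    return verdicts


def spoofing_indicators(raw_message):
    """Return a list of human-readable reasons the From: header may be forged.

    An empty list means none of the three checks fired.
    """
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    verdicts = _auth_results(msg)

    indicators = []
    if envelope_domain and envelope_domain != from_domain:
        indicators.append(
            f"return-path domain {envelope_domain} != From domain {from_domain}"
        )
    if verdicts.get("spf") != "pass":
        indicators.append(f"spf={verdicts.get('spf', 'missing')}")
    if verdicts.get("dkim") != "pass":
        indicators.append(f"dkim={verdicts.get('dkim', 'missing')}")
    return indicators


def is_suspicious(raw_message):
    """True when any spoofing indicator is present."""
    return bool(spoofing_indicators(raw_message))


if __name__ == "__main__":
    for label, sample in (("legitimate", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, "->", spoofing_indicators(sample) or "no indicators")
```

The mismatch between Return-Path and From:, and a failing or absent SPF/DKIM result, are the signals a mail gateway or analyst looks at first; the article's advice to confirm through a separate channel still applies, because a message can pass these checks and still come from a compromised legitimate account.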
“Does using public Wi-Fi at a hotel, airport, or coffee shop automatically mean that my internet traffic is encrypted?”
Using public Wi-Fi does not automatically mean that internet traffic is encrypted. It is important to use a VPN or a secure network whenever possible to protect sensitive information.
“Is it safe to save credit card information in my browser for convenience?”
No. If a hacker were to steal your laptop or remotely access your system, they could make purchases from your browser using the credit card information stored in it. Browsers like Chrome still ask users to input their CCV before confirming a purchase for all saved credit cards. But these numbers can easily be compromised through a simple social engineering attack where a hacker, pretending to be a representative from the victim’s bank, calls the victim and asks them to verify their identity by providing the CCV number of their credit card. Given that only the CCV is requested and not the entire credit card number, such calls are unlikely to rouse suspicion.
“Does using HTTPS on websites guarantee complete protection against cyber threats and data breaches?”
HTTPS provides encryption for information transmitted between a user's device and a website, but it doesn’t guarantee complete protection against cyber threats and data breaches. It’s important to always be vigilant and follow safe online practices, even if a website is secured with HTTPS.
Regulatory Compliance and Cyber Framework Alignment with UpGuard
With an ever-growing library of customizable risk assessments mapping to popular regulations and cyber frameworks, UpGuard helps organizations and their third-party vendors achieve data breach resilience in line with recommended standards.