A Security Framework that protects and strengthens your Customer & Employee Experience, leverages your Leadership & Strategy and accelerates sustainable results with Innovation & Agility.

Significant revenue loss as a result of a security breach is common. Studies show that 29% of businesses that face a data breach end up losing revenue. Of those that lost revenue, 38% experienced a loss of 20% or more. Can an information security breach or cyber-attack impact the business?

Depending on the type of data involved, the consequences can include destruction or corruption of databases, the leaking of confidential information, the theft of intellectual property and regulatory requirements to notify and possibly compensate those affected.

There can be long-term consequences like loss of trust and diminished reputation. Perhaps the biggest long-term consequence of a data breach is the loss of customer trust. Your customers share their sensitive information with businesses like yours assuming that you have the proper security measures in place to protect their data.

Businesses that suffer a security breach or cyber-attack also incur higher costs from operational disruption and altered business practices. The biggest losses come from reputational damage. Companies that have lost control of their customers' data have paid millions to settle claims.

Is information security the same as cybersecurity? Let’s first understand the difference! To be fair, there is some overlap between cybersecurity and information security, and that causes some justified confusion about the two terms. Most information is stored digitally on a network, computer, server, or in the cloud. Criminals can gain access to this information to exploit its value.

The value of the data is the biggest concern for both types of security. In information security, the primary concern is protecting the confidentiality, integrity, and availability of the data. In cybersecurity, the primary concern is protecting against unauthorized electronic access to the data. In both circumstances, it is important to understand what data, if accessed without authorization, is most damaging to the organization, so a security framework can be established with proper controls in place to prevent unauthorized access.

Cybersecurity and information security are often used interchangeably, even among some of those in the security field. The two terms are not the same, however. They each address different kinds of security that complement each other.

Cybersecurity is defined by the National Institute of Standards and Technology (NIST) as the “ability to protect or defend the use of cyberspace from cyber-attacks.” There are other definitions: the Cybersecurity and Infrastructure Security Agency (CISA) has its own, as does the International Organization for Standardization (ISO), but all of them are similar. Cybersecurity is concerned with attacks from inside or outside an organization. It is the framework for protecting and securing anything that is vulnerable to hacks, attacks or unauthorized access, which mainly consists of computers, devices, networks, servers and programs. It pertains exclusively to the protection of data that originates in digital form; it is specific to digital files, which is a key way it differs from information security. So, when we talk about cybersecurity, we are automatically discussing digital information, systems and networks.

Information security primarily refers to protecting the confidentiality, integrity, and availability of data, no matter its form. Information security can just as easily be about protecting a filing cabinet of important documents as it is about protecting your organization’s database. Information security is, broadly, the practice of securing your data, no matter its form. According to NIST, information security consists of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

  • Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
  • Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information and
  • Availability, which means ensuring timely and reliable access to and use of information.

All companies depend on the reliable functioning of critical infrastructure. Security threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the company at risk. Like financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

To better address these risks, we highly recommend using a framework that relies on business drivers to guide information and cybersecurity activities and that treats information and cybersecurity risks as part of the organization’s risk management processes. The framework we recommend is based on standards established by the National Institute of Standards and Technology and on the ISO/IEC 27001:2013 Information Security Management System standard.

The Framework is guidance, based on existing standards, guidelines, practices and controls, that helps organizations better manage and reduce information and cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and security management communications among both internal and external organizational stakeholders. It is composed of 3 primary components and 114 controls divided into 14 categories.

The Security Framework requirements aren’t simply within the remit of the organization’s IT function, as many people assume. The Framework addresses people, processes and technology. It involves the whole business and requires the expertise of people from across the organization. Companies that already have ISO 9001:2015 in place have an advantage and can use it as a foundation to scale up and build a robust Information Security Management System; the transition can be easy and smooth.

We are here to help!


If you are curious and want to learn more, here are more details…

The 3 primary components:

  1. Core: Desired cybersecurity outcomes organized in a hierarchy and aligned to more detailed guidance and controls.
  2. Profiles: Alignment of an organization’s requirements and objectives, risk appetite and resources using the desired outcomes of the Framework Core.
  3. Implementation Tiers: A qualitative measure of organizational cybersecurity risk management practices.

The 114 controls (ISO/IEC 27001:2013 Annex A) divided into 14 categories:

  • Annex A.5 – Information security policies (2 controls): Designed to make sure that policies are written and reviewed in line with the overall direction of the organization’s information security practices.
  • Annex A.6 – Organization of information security (7 controls): Covers the assignment of responsibilities for specific tasks. It’s divided into two sections, with Annex A.6.1 ensuring that the organization has established a framework that can adequately implement and maintain information security practices. Meanwhile, Annex A.6.2 addresses mobile devices and remote working. It’s designed to ensure that anyone who works from home or on the go – either part-time or full-time – follows appropriate practices.
  • Annex A.7 – Human resource security (6 controls): It makes sure that employees and contractors understand their responsibilities.
  • Annex A.8 – Asset management (10 controls): Concerns the way organizations identify information assets and define appropriate protection responsibilities.
  • Annex A.9 – Access control (14 controls): Ensures that employees can only view information that’s relevant to their job. It’s divided into four sections, addressing the business requirements of access controls, user access management, user responsibilities and system and application access controls, respectively.
  • Annex A.10 – Cryptography (2 controls): It’s about data encryption and the management of sensitive information. Its two controls ensure that organizations use cryptography effectively to protect data confidentiality, integrity and availability.
  • Annex A.11 – Physical and environmental security (15 controls): It addresses the organization’s physical and environmental security. It’s the most extensive annex in the Standard, containing 15 controls separated into two sections.
  • Annex A.12 – Operations security (14 controls): Ensures that information processing facilities are secure and is comprised of seven sections:
      ◦ Annex A.12.1 addresses operational procedures and responsibilities, ensuring that the correct operations are in place.
      ◦ Annex A.12.2 addresses malware, ensuring that the organization has the necessary defenses to mitigate infection risk.
      ◦ Annex A.12.3 covers organizations’ requirements when it comes to backing up systems to prevent data loss.
      ◦ Annex A.12.4 is about logging and monitoring. It’s designed to make sure that organizations have documented evidence when security events occur.
      ◦ Annex A.12.5 addresses organizations’ requirements when it comes to protecting the integrity of operational software.
      ◦ Annex A.12.6 covers technical vulnerability management and is designed to ensure that unauthorized parties don’t exploit system weaknesses.
      ◦ Annex A.12.7 addresses information systems and audit considerations. It’s designed to minimize the disruption that audit activities have on operational systems.
  • Annex A.13 – Communications security (7 controls): Concerns the way organizations protect the information in networks.
  • Annex A.14 – System acquisition, development and maintenance (13 controls): Ensures that information security remains a central part of the organization’s processes across the entire lifecycle.
  • Annex A.15 – Supplier relationships (5 controls): Concerns the contractual agreements organizations have with third parties.
  • Annex A.16 – Information security incident management (7 controls): It’s about how to manage and report security incidents. This process involves identifying which employees should take responsibility for specific actions, thus ensuring a consistent and effective approach to the lifecycle of incidents and responses.
  • Annex A.17 – Information security aspects of business continuity management (4 controls): Its aim is to create an effective system to manage business disruptions.
  • Annex A.18 – Compliance (8 controls): Ensures that organizations identify relevant laws and regulations. This helps them understand their legal and contractual requirements, mitigating the risk of non-compliance and the penalties that come with that.