A cybersecurity framework is a set of guidelines for business environments to manage security effectively. Cybersecurity frameworks are adaptive and usually cover multiple aspects of cybersecurity programs, including security controls, appropriate safeguards and mitigation, appropriate activities, risk management programs, protective technology, continuous monitoring, as well as cybersecurity incident response planning and recovery planning. They can be applied to various information systems and may help manage external service providers. Such frameworks don’t focus on the web but can be applied to web security and also show how it needs to be a part of the big picture.

It is a common misconception that cybersecurity frameworks are methodologies meant only for large organizations. In large environments they are indispensable, but they may be used just as successfully as a baseline by small private sector organizations, helping stakeholders focus on what matters most in their cybersecurity posture.

Popular cybersecurity frameworks

The term cybersecurity framework is very general and may apply to different types of guidelines. The following are some of the popular cybersecurity frameworks:

  • The NIST Framework (Framework for Improving Critical Infrastructure Cybersecurity), developed by the National Institute of Standards and Technology, is currently one of the most popular, if not the most popular, complete general cybersecurity frameworks. ISO 27001 Information Security Management is another renowned general standard. It is designed as a set of requirements for an information security management system (ISMS).
  • Other cybersecurity frameworks focus on specific controls. For example, NIST SP 800-53 is a set of security and privacy controls and CIS Controls are a prioritized set of actions to protect an organization and data from known cyber attack vectors.
  • There are cybersecurity frameworks that focus on cybersecurity risk management. ISO 27005:2018 Information Security Risk Management focuses on the management of cybersecurity risk for information technology. FAIR risk management defines building blocks for implementing effective cyber risk management processes and programs.
  • There are also specialized frameworks perceived as security standards for specific industries or scenarios: PCI DSS, COBIT, HIPAA, and more.

To see how web security fits into a cybersecurity framework, we can take the NIST CSF as an example. While the NIST CSF may not be the ideal fit for your organization and you may decide to follow a different framework instead, the basic approach remains the same.

To effectively use the NIST CSF or any other cybersecurity framework in your organization, you can’t focus just on web security. Web security is and always will be part of the bigger picture. The NIST CSF is meant to achieve organizational understanding in all cybersecurity areas, not just web security, and to help you design security policies that interweave all the aspects together.

NIST cybersecurity framework and the web

The NIST CSF is composed of three parts. The Framework Core is a set of cybersecurity activities, desired outcomes, and common references. It presents standards, guidelines, and practices in a way that lets you communicate cybersecurity activities and outcomes across all levels of the organization. It contains four elements: Functions, Categories, Subcategories, and Informative References. The Framework Implementation Tiers focus on cybersecurity risk and processes to manage that risk. The Framework Profile contains repeatable outcomes based on business needs selected from the Framework Categories and Subcategories.

To see clearly how the NIST CSF applies to web security, it is best to look at the structure of the Framework Core functions. At the top level of the Core are the following functions: Identify, Protect, Detect, Respond, and Recover. Each of the Functions contains several categories. For example, the Identify function contains categories such as Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management. Each of these categories has specific subcategories that define desired outcomes.

None of the NIST CSF elements are meant specifically for the web, but many of them apply to web security as well. Here are some notable examples:

  • ID.AM-2: Software platforms and applications within the organization are inventoried: This outcome applies to web applications as well. To reach this outcome, you need to find a way to create an inventory of all web applications in your organization.
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources: From the point of view of the web, this means that external sources are needed to know about potential web cybersecurity events, for example, new attack vectors.
  • PR.DS-5: Protections against data leaks are implemented: Critical data and sensitive information are often accessible through web applications. To avoid data breaches and guarantee data security, organizations must implement suitable web access controls. Many recent leaks were caused by unprotected documents accessible via the web.
  • DE.CM-8: Vulnerability scans are performed: The fact that vulnerability scanning is highlighted as a separate subcategory shows its importance in detection processes according to NIST.

Acunetix and Invicti may help your organization reach several outcomes highlighted by the NIST CSF, including those mentioned above.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.