Frameworks

Hawkstream provides 10+ cyber security, data protection and privacy frameworks. Learn about each framework and when to use them.
What is a framework?

Frameworks offer an organised way to improve security by measuring existing company cyber security, data protection and privacy risk controls against effective standards defined by the leading authorities. 

Why are there different frameworks?

Frameworks come in various 'shapes and sizes' and address differing requirements. Some frameworks reflect risk control requirements specific to legislation in a geographic jurisdiction. Others address security, data protection or privacy risk controls. Some frameworks are used to benchmark maturity while others are essentially checklists.

Ultimately every framework has specific uses and should be selected based on the organisation's risk context.

Hawkstream provides the flexibility to select either individual frameworks or just specific risk controls (from within frameworks) and add these to your security program. The guidance notes below provide information on what frameworks are available in Hawkstream and when you may choose to use them.

*Be sure to check the suitability of the control frameworks you select against legislation in your jurisdiction and specific industry requirements.


Frameworks available in Hawkstream

Essential 8 assessment

Publisher: Adapted by Hawkstream from Australian Cyber Security Centre (ACSC) under Creative Commons License.
Jurisdiction: Australia
Original content attribution: https://www.cyber.gov.au/

Description: 
The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

Reasons to use this framework:
> Assess cyber security maturity against Essential Eight risk controls.
> Compliance requirement for Australian Government organisations.
> Relevant to organisations with Microsoft-based networks.
> Suitable for all sized organisations*.


Cyber essentials checklist

Publisher: Adapted by Hawkstream from National Cyber Security Centre (UK) under Open Government Licence
Jurisdiction: United Kingdom
Original content attribution: https://www.ncsc.gov.uk/

Description:
Cyber Essentials helps you to guard your organisation against the most common cyber threats and demonstrate your commitment to cyber security.

Reasons to use this framework:
> Develop cyber security controls to prevent data breach.
> Prepare for Cyber Essentials certification (required for some UK Government contracts).
> Identify cyber security risk control gaps.
> Suitable for small/medium organisations*.

Consumer Data Rights Privacy safeguard checklist

Publisher: Adapted by Hawkstream from Office of the Australian Information Commissioner (OAIC) under Creative Commons Licence.
Jurisdiction: Australia
Original content attribution: https://www.oaic.gov.au/

Description:
The Consumer Data Right is designed to keep your data secure and protect your privacy. The Consumer Data Right privacy safeguards in the Australian Competition and Consumer Act 2010 set out your privacy rights and the strict obligations on businesses collecting and handling your data. There are 13 legally binding privacy safeguards.

Reasons to use this framework:
> Ensure your company can interact with customers and collect their information in line with privacy legislation requirements.
> Identify privacy risk control gaps.
> Suitable for organisations of all sizes*.


ICO Data protection - checklist

Publisher: Adapted by Hawkstream from Information Commissioner’s Office (ICO) under Open Government Licence.
Jurisdiction: United Kingdom
Original content attribution: https://ico.org.uk/

Description:
The checklist covers a range of data protection controls broadly useful for controlling risks relevant to smaller organisations.

Reasons to use this framework:
> Simple and practical data protection controls.
> Identify risk control gaps.
> Suitable for small and medium sized organisations.
> Complementary to other cyber security control frameworks.

NIST - Cyber Security Framework V1.1 & V2.0

Publisher: Adapted by Hawkstream from National Institute of Standards and Technology (NIST) - Cyber Security Framework.
Jurisdiction: United States
Attribution: https://www.nist.gov/

Description: 
NIST Cyber Security Framework provides a comprehensive cyber risk assessment. The framework provides guidelines that are applicable to a wide range of organisations.

Reasons to use this framework:
> Suitable for organisations looking to complete a comprehensive risk assessment against NIST Cyber Security Framework*.


NIST - Cyber Security Framework (small & medium org. checklist)

Publisher: Adapted by Hawkstream from National Institute of Standards and Technology (NIST) - cyber security framework.
Jurisdiction: United States
Attribution: https://www.nist.gov/

Description: 
Based on NIST Cyber Security Framework; a simple and high level cyber risk assessment.

Reasons to use this framework:
> Simple and practical cyber risk assessment.
> Suitable for small and medium organisations*.


NIST - Privacy Framework V1.0

Publisher: Adapted by Hawkstream from National Institute of Standards and Technology (NIST) - cyber security framework.
Jurisdiction: United States
Attribution: https://www.nist.gov/

Description: 
Provides guidelines on privacy-related risk controls. The NIST Privacy Framework is a leading framework used by organisations around the world to establish general best practice risk controls.

Reasons to use this framework:
> Simple and practical questions.
> Identify general privacy-related risk control gaps.
> Suitable for all organisations*.


Third party cyber security risk assessment

Publisher: Hawkstream
Jurisdiction: Global
Attribution: https://hawkstream.io

Description:
Third party cyber risk assessments help to understand the risks to data when utilising third party vendors' products and services.

Assessing vendors routinely can help to keep informed about changes to security postures and work with vendors to remediate

Reasons to use this framework:
> Identify specific gaps in vendors' cyber and privacy risk controls.
> Suitable for organisations of all sizes*.


Cloud Computing security checklist

Publisher: Adapted by Hawkstream from Australian Cyber Security Centre (ACSC) under Creative Commons Licence.
Jurisdiction: Australia
Original content attribution: https://www.cyber.gov.au/

Description:
The framework questions are intended to identify and manage relevant information security risks associated with the evolving field of cloud computing.

Reasons to use this framework:
> Evaluate cloud risk controls.
> Suitable for organisations of all sizes*.


Cyber security principles maturity checklist

Publisher: Adapted by Hawkstream from Australian Cyber Security Centre (ACSC) under Creative Commons Licence.
Jurisdiction: Australia
Original content attribution: https://www.cyber.gov.au/

Description:
The purpose of the cyber security principles is to provide strategic guidance on how an organisation can protect their systems and data from cyber threats.

Reasons to use this framework:
> Align your cyber security program around guiding principles.
> Suitable for organisations of all sizes*.


Privacy Impact assessment

Publisher: Hawkstream
Jurisdiction: Global
Attribution: https://hawkstream.io

Description:
A Privacy Impact Assessment (PIA) is a tool that can be used to assess the privacy impacts of a new project and, where necessary, identify ways in which the obligations set out in privacy legislation.

Reasons to use this framework:
> Identify risks to personally identifiable information during projects.
> Establish a ‘privacy by design’ approach to information handling.

Identity & access management checklist

Publisher: Hawkstream
Jurisdiction: Global
Attribution: https://hawkstream.io

Description:
Identity and access management is a key part of cyber security as it ensures the right people have access to an organisation’s information.

Reasons to use this framework:
> Ensure your organisation has the fundamental risk controls.

Secure Controls Framework (SCF)

Publisher: Secure Controls Framework Council, LLC; under Creative Commons Attribution-NoDerivatives 4.0 International Public License
Jurisdiction: Global
Attribution: https://securecontrolsframework.com/

Description:
SCF provides a comprehensive set of controls to inform your cyber security program.

Reasons to use this framework:
> Ensure your organisation has the fundamental risk controls.

Australian Privacy Principles (APP)

Publisher: Adapted by Hawkstream from Office of the Australian Information Commissioner (OAIC) under Creative Commons Licence.
Jurisdiction: Australia
Original content attribution: https://www.oaic.gov.au/

Description:

The Australian Privacy Principles are the cornerstone of the Privacy Act 1988.

Reasons to use this framework:
> Comply with Australian Privacy Act 1988 (legislation).

Data Protection Impact Assessment (DPIA)

Publisher: Hawkstream
Jurisdiction: EU

Description:
A Data Protection Impact Assessment (DPIA) is required when processing activities are likely to result in a high risk to the rights and freedoms of individuals. This requirement is outlined in Article 35 of the General Data Protection Regulation (GDPR). DPIAs help organizations assess, identify, and minimize risks related to data processing activities.

Reasons to use this framework:
> Comply with GDPR.