
Risk Assessment



Appraise Leading Frameworks, Models, and Standards Relating to Data Security Risk

1. Cybersecurity Frameworks, Standards, and Models

Cyber security is an intense and relevant topic, and it will only grow in importance as people, businesses, organizations, and countries rely more heavily on information technology and digital devices. Since there is no prospect of society abandoning technology, that reliance is indefinite.

Cyber security relies on frameworks, standards, and models to achieve secure and consistent information systems for organizations, businesses, and individuals. Cyber security frameworks are documents that define standards, best practices, and guidelines developed for cyber security risk assessment. They provide a common language that lets security leaders across industries and jurisdictions gain insight into their own security function and into their vendors. Having the right cybersecurity framework makes it easier to define the procedures and processes a company must follow to assess, mitigate, and monitor cybersecurity threats, and in turn to minimize the company's exposure to vulnerabilities and weaknesses that threat actors could exploit (BitSight, 2022).

Simplilearn (2022) discusses the types of cyber security framework models and the most widely used frameworks. Cybersecurity frameworks are split by function into three types of models: control frameworks, program frameworks, and risk frameworks. A control framework provides a fundamental blueprint for a company's cyber security department. It offers a baseline set of security controls, assesses the current state of the information infrastructure, and prioritizes the implementation of security controls. A program framework builds a complete cybersecurity program for an organization. It assesses, analyzes, and measures the present state of the organization's security program, and it simplifies communication between executives, managers, and the cyber security team.

The third type of cyber security framework model is the risk framework. Risk frameworks define the key processes for risk assessment and management. They measure the organization's security risks and identify, quantify, and prioritize them so that an appropriate security program can be constructed.

Different companies adopt well-recognized frameworks based on their security needs. The most widely used cyber security frameworks are the NIST Cybersecurity Framework, the International Organization for Standardization (ISO) standards ISO/IEC 27001 and 27002, the Center for Internet Security Critical Security Controls (CIS Controls), and the Health Insurance Portability and Accountability Act (HIPAA) (Simplilearn, 2022). Strictly speaking HIPAA is a US federal law rather than a voluntary framework, but its Security Rule is commonly treated as one.

1.1 NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) is a US agency within the Department of Commerce whose mission is to promote industrial competitiveness and innovation. NIST has many years of experience working with companies as a partner in the public interest, and the NIST Cybersecurity Framework (CSF) is built on NIST principles. The framework sets security guidelines that companies can use to identify and respond to cyber threats, and it references standards that help companies protect against and recover from cyberattacks. According to IBM (n.d.), the framework is organized into five functions, each with associated categories of best practice. (NIST CSF 2.0, released in February 2024 after the sources cited here, adds a sixth function, Govern, covering strategy, policy, and oversight.)

The first is the Identify function, which covers asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management. To defend against cyber threats, the cybersecurity team needs a complete understanding of the organization's most significant resources and assets. The second function is Protect, which covers most of the physical and technical security controls used to design and implement appropriate safeguards for critical infrastructure. Detect is the third function; its measures alert an organization to cyberattacks, and its categories are anomalies and events, security continuous monitoring, and detection processes. Respond is the fourth function and ensures a proper response to cyber threats and other cybersecurity events; it includes response planning, communications, analysis, mitigation, and improvements. The final function is Recover, which involves actions for cyber resilience and for ensuring business continuity during security breaches and after a cyberattack. The Recover categories are recovery planning, improvements, and communications.

1.2 ISO/IEC 27001 and ISO/IEC 27002: Both are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and together they are regarded, internally and by third parties, as the international standard for validating a cybersecurity program. Companies that earn ISO/IEC 27001 certification can show shareholders, partners, and customers that they are managing cyber risk properly, and a vendor that holds the certification is a good sign that it has appropriate cybersecurity practices and monitoring in place. ISO/IEC 27001 requires comprehensive management of information security risks with a focus on threats and vulnerabilities. Although the standard is demanding (Annex A of the 2013 edition lists 114 controls in 14 categories; the 2022 edition reorganizes these into 93 controls in four themes), certification is usually a good fit for attracting new customers (Simplilearn, 2022). Note that only ISO/IEC 27001 is certifiable; ISO/IEC 27002 is implementation guidance for the Annex A controls.

1.3 SOC 2 Type 2: SOC stands for System and Organization Controls (formerly Service Organization Control). SOC 2 is an auditing standard and trust-based framework created by the American Institute of Certified Public Accountants (AICPA) to demonstrate that partners and vendors manage client data securely. Simplilearn (2022) describes it as defining around 60 compliance requirements, backed by substantial auditing of third-party controls and systems. A Type 2 report attests to the operating effectiveness of controls over an observation period, commonly six to twelve months, so a full engagement can take close to a year. This makes SOC 2 one of the harder frameworks to adopt, but it remains an essential component of any third-party risk management program (Simplilearn, 2022).

1.4 Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a US federal law whose Security and Privacy Rules function as a cybersecurity framework, requiring healthcare organizations to implement controls that protect electronic health information and the privacy of customers or patients. Demonstrating compliance includes training staff in cyber best practices and conducting risk assessments to identify and manage emerging risks.

The framework governs consumer and confidential patient data, with particular emphasis on privacy. It secures digital healthcare data and applies to healthcare providers, clearinghouses, and health plans such as insurers (BitSight, 2022).

2. Cyber Security Frameworks and Requirements for a Hospital Risk Assessment

The two recommended cyber security frameworks for a mid-sized hospital information system with 25,000 endpoints and 10,000 employees on a hybrid on-premises and cloud network are NIST CSF and HIPAA. HIPAA is mandatory for risk assessment and controls in medical care, and NIST CSF is the most flexible and adaptable framework: it can be applied in many ways and works in harmony with HIPAA (Health IT Security, 2023).

2.1 Internal and External Audits

Performing both internal and external audits is recommended, since each has its own advantage in securing the hospital's information system. An internal audit takes a comprehensive approach that covers all areas of the hospital system's covered entities and business associates, and checks compliance with the HIPAA Administrative Simplification regulations as they relate to hospital operations. An external audit is still needed to satisfy the Department of Health and Human Services Office for Civil Rights (OCR), which verifies that covered entities and business associates adhere to the HIPAA rules. An external HIPAA audit is designed to meet the specific criteria of OCR's audit protocol, a third party's certification requirements, and a compliance review program (HIPAA Journal, 2023).

2.2 How to Prepare for a Risk Audit

According to the AMA (n.d.), all covered entities and business associates are eligible for an audit. Covered providers include doctors, psychologists, clinics, dentists, nursing homes, chiropractors, and pharmacies. Health plans such as health insurance companies, company health plans, HMOs, and government programs that pay for health care (military and veterans' health care programs, Medicare, and Medicaid) are also subject to audit. OCR selects entities for its audit pool and, if a covered entity or business associate does not respond to its requests for information, uses publicly available information about the entity to build the pool.

Certain criteria must be fulfilled for a successful and complete audit. Total HIPAA (n.d.) lists the key points for completing a health-related audit: training employees so they are prepared to manage HIPAA compliance on an ongoing basis, conducting a risk assessment, assigning a privacy officer and a security officer, implementing a HIPAA compliance plan, and regularly reviewing and updating that plan.

2.3 Control Gaps

If the NIST and HIPAA audits reveal significant control gaps, specific measures will be taken, prioritized by the nature of the gap. For instance, if internal controls are found not to be formally documented, periodically reviewed, or maintained, the first move is to identify the relevant information and evaluate the data for completeness and accuracy. If the gap relates to fraud, the first steps are to identify the types of fraud, review the controls that address those fraud risks, and assess anything in the hospital system's culture that could contribute to fraud risk. If the gap is the absence of a board of directors or equivalent oversight, the priority is to create a board or executive management team, document the roles and responsibilities of executive management, and provide for the performance and development of internal controls (CBIZ, n.d.).

Appendix

Table 1

Compare and Contrast Cyber Security Frameworks

NIST CSF
  History:  Established by the National Institute of Standards and Technology (NIST). Widely used by American companies. Considered the gold standard of cyber security frameworks.
  Function: Risk assessment. Monitoring through to incident response. Awareness training. Data protection. Risk mitigation. Methodology for limiting the impact of adverse events.
  Features: Flexible and customizable. Regularly updated and government approved. Has a small-business alternative in NISTIR 7621 Rev. 1 (Small Business Information Security: The Fundamentals). Vast library and resource availability.

ISO 27000 Cybersecurity Framework Series
  History:  Designed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  Function: Like NIST, meant to provide a framework for achieving a certified level of security compliance that meets external assessment standards. Data privacy and confidentiality. Reduction of vulnerability to disruptive attacks. Maximizing operational efficiency.
  Features: Similar to NIST, the ISO series has multiple subsets (e.g., ISO 27799, standards for healthcare). Broad in scope and comprehensive in detail. Accompanies ISO standards for quality assurance.

CIS Cybersecurity Framework (CIS Controls)
  History:  Originated at the SANS Institute (an international research and education cooperative) as the SANS Top 20 Critical Security Controls; now maintained by the Center for Internet Security.
  Function: Protecting against the most prevalent cyberattacks. Mitigating the effects of breaches.
  Features: More focused on protection and mitigation than NIST and ISO. Operational simplicity. Viewed as the most practical cyber security framework.

COBIT Cybersecurity Framework
  History:  Developed by ISACA for information technology management and IT governance.
  Function: Supports the integrity of an organization's data infrastructure from an operational perspective. Like other frameworks, it assesses risks.
  Features: Shores up weak spots from a broader perspective than other frameworks. Like CIS, it is a more simplified tool.

Note. Adapted from NIST, ISO, CIS, or COBIT? Comparing Comprehensive Cybersecurity Frameworks, by Omnistruct, 2022 (https://omnistruct.com/comparing-cybersecurity-frameworks/).

References

American Medical Association. (n.d.). HIPAA audits. AMA. https://www.ama-assn.org/practice-management/hipaa/hipaa-audits

BitSight. (2022). 7 cybersecurity frameworks that help reduce cyber risk. BitSight. https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

CBIZ. (n.d.). 5 common internal control gaps and how to address them. CBIZ. https://www.cbiz.com/insights/articles/article-details/5-common-internal-control-gaps-and-how-to-address-them

Health IT Security. (2023). Breaking down the NIST Cybersecurity Framework, how it applies to healthcare. TechTarget. https://healthitsecurity.com/features/breaking-down-the-nist-cybersecurity-framework-how-it-applies-to-healthcare

HIPAA Journal. (2023). HIPAA audit checklist. HIPAA Journal. https://www.hipaajournal.com/hipaa-audit-checklist/

IBM. (n.d.). What is the NIST Cybersecurity Framework? IBM. https://www.ibm.com/topics/nist

Omnistruct. (2022). NIST, ISO, CIS, or COBIT? Comparing comprehensive cybersecurity frameworks. Omnistruct. https://omnistruct.com/comparing-cybersecurity-frameworks/

Simplilearn. (2022, November 23). What is a cyber security framework: Types, benefits, and best practices. Simplilearn. https://www.simplilearn.com/what-is-a-cyber-security-framework-article

Total HIPAA. (n.d.). How to prepare for a HIPAA audit. Total HIPAA. https://www.totalhipaa.com/how-to-prepare-for-a-hipaa-audit/
