by johngalt 1071 days ago
NIST CSF = The encyclopedia which breaks security down into as many areas/steps/sections as possible. If you are planning a 500-person security department, this is how you give them all something to do. The idea is to accomplish the task with manpower rather than elegance. CSF itself is mostly just a pointer to NIST 800-53. For truly large-scale operations it can be an ok fit, but for most organizations it is overkill that your cyber-insurance vendor will still expect you to do. Otherwise, best used as a reference not a guide.

ISO 27001 = Not super familiar with this one.

COBIT = The management/process focused version of NIST CSF. Great if you have an executive suite CTO, CISO, CRiskO, CPrivacyO, and want to coordinate their efforts in a program that divides responsibilities among them and associated committees. Includes maturity modeling, which gives it a +1, but it is distant from anything technology related. Instead, it is all about which committees should be formed to decide on risk management strategies etc...

PCI-DSS = You'll do this one because VISA makes you do it. Much more actionable than NIST or COBIT, but it depends on the third-party auditor who is issuing your attestation of compliance. "Your label maker has its default password?" = audit finding.

CIS18 Controls = The most actionable/lightweight framework now that they have incorporated maturity levels (aka implementation groups). Not as thorough as NIST or COBIT. Well implemented, CIS18 is enough for most organizations provided they do not have a specific security standard or requirement in their industry.


Additional color commentary:

27001 is Euro-SOC2. Technically, 27001 is a certification, and SOC2 is just an attestation --- there is an external ground truth that 27001 is matching security programs to, where SOC2 is just validating internal consistency. But the subject matter is the same and they're generally thought of as equivalents for each other, with 27001 being the more rigorous.

Ironically, COBIT is the IT-focused equivalent of COSO --- in other words, it's the ostensibly more technical set of controls. But SOC2 keys off of COSO, and is audited by accountants, so practitioners are more likely to have experience with the fuzzier COSO controls.

PCI-DSS is an industrywide joke; it's a checklist audit performed by race-to-the-bottom consultancies, which have invariably PCI-certified all of the most egregious payment card breach shops since PCI was standardized. Ironically, as bad as PCI is, it's the controls standard that has probably had the most practical impact, because of how prescriptive it is, and how rote the audits have become. Its impact is still malign!

I had a pci shop try to make us turn _off_ 2fa because it’s not required for our certification level.
Worked at a bank for years. So many things we wanted to do to really get our firewall policies modern and more actionable for the SOC. Layer 7 enforcement, user-based policies, deduplication of rules, more aggressive cleanup.

Things needing to be done a certain way for the auditors was a major hamper in our processes.

I'm now consulting and I have seen people do changes to their policies in such strange ways because they have to jump through ridiculous hoops for their industry regulator.

Yes. I've come to believe that much of the skill involved in doing security compliance work is in managing (strangling) down the scope of the framework, and almost none of it is in using the framework to inform and improve real security practices. This is what I mean when I keep saying here that these frameworks are not a "good first step". If you don't actually have to engage with them, because your customers aren't demanding it, you should actively avoid them and use that precious time to build a real security practice.
Agree 100% with this and your other comments. These frameworks often create risks by obscuring reality behind procedure, sucking up all the air that would go towards more direct security objectives. Businesses think they are done with cybersecurity because they are done with the checklist. Believing we are safe because a non-technical auditor said so can be a risky spot. Especially if that is used to overrule subject matter experts.
> PCI-DSS is an industrywide joke; it's a checklist audit performed by race-to-the-bottom consultancies

We ended up with consultants from a former Eastern European country who charge less per hour than local cashiers make (which is NOT a statement on the quality of said consultants).

I (irregularly) deal with PCI-DSS and have never felt so close to quitting my job and becoming a full-time lawn mower.