Latest news with #CenterforInternetSecurity

How to choose the right cybersecurity framework: A guide for mid-market companies

Business Journals, 4 days ago

As cyber threats become more sophisticated and regulatory requirements more stringent, companies, especially mid-market ones, must take a proactive approach to security. Choosing the right cybersecurity framework is a critical step in protecting sensitive data, maintaining compliance and building trust with customers, investors and regulators. However, with so many frameworks available, each with different requirements and industry applications, determining the best fit can be challenging.

Understanding cybersecurity frameworks vs. security standards

Cybersecurity frameworks: structured sets of best practices and methodologies for managing cybersecurity risks. They help organizations build a structured approach to security, ensuring that policies, processes and technologies align with industry-recognized standards.

Security standards: specific requirements that organizations must meet to achieve compliance. They are typically associated with audits, ensuring that an organization meets legal and contractual obligations. Common security standards include HIPAA, PCI DSS and GDPR.

While standards ensure compliance with regulatory requirements, frameworks offer strategic guidance for building a resilient security posture. Choosing the right framework ensures a comprehensive approach to cybersecurity that not only satisfies legal requirements but also strengthens overall protection against evolving threats.

Key cybersecurity frameworks in 2025

Selecting the best framework depends on your industry, regulatory landscape and business operations.

NIST Cybersecurity Framework (CSF) 2.0

Developed by the National Institute of Standards and Technology (NIST), the NIST CSF 2.0 is a voluntary, risk-based cybersecurity framework that focuses on six core functions: govern, identify, protect, detect, respond and recover. It provides a variety of high-level cybersecurity outcomes that organizations can use to understand, assess, prioritize and communicate their cybersecurity efforts more effectively.

Best for: Organizations of any size or sector, particularly those looking for a flexible and risk-based approach to managing cybersecurity and aligning with industry standards.

ISO/IEC 27001

ISO/IEC 27001 is an internationally recognized standard for information security management. It provides a structured framework for implementing an Information Security Management System (ISMS), ensuring the confidentiality, integrity and availability of corporate data, including financial information, intellectual property, employee details and third-party managed data.

Best for: Organizations of any size or sector, especially those needing a comprehensive ISMS to ensure data protection and demonstrate compliance with international standards.

CIS Controls

Developed by the Center for Internet Security (CIS), the CIS Controls are a structured and simplified set of best practices designed to help organizations strengthen their security posture.

Best for: Small to mid-market organizations seeking a simplified, actionable set of cybersecurity best practices to quickly strengthen their security posture with minimal resource investment.

CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard developed by the U.S. Department of Defense (DoD) to ensure contractors and subcontractors meet specific cybersecurity practices when handling Controlled Unclassified Information (CUI). CMMC integrates various cybersecurity standards and best practices and assigns them across maturity levels, ranging from foundational to advanced.

Best for: Defense contractors and subcontractors in the DoD supply chain who must demonstrate compliance with strict cybersecurity requirements to be eligible for government contracts.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization and continuous monitoring for cloud services used by federal agencies. It ensures that cloud providers meet strict federal security requirements before working with government entities.

Best for: Cloud service providers aiming to do business with U.S. federal agencies and needing to prove compliance with federal cybersecurity standards.

StateRAMP

Modeled after FedRAMP, StateRAMP offers a standardized approach to cybersecurity for state and local governments. It helps ensure that cloud service providers meet consistent security requirements when providing services to government agencies, promoting transparency, verification and trust.

Best for: Cloud vendors looking to work with state and local governments that require proven compliance with standardized cybersecurity benchmarks.

How to choose the right framework for your business

Assess your current security posture. Before selecting a new framework, conduct a comprehensive gap assessment to evaluate your institution's existing cybersecurity controls. Identify strengths, pinpoint vulnerabilities and determine where enhancements are needed to align with your chosen framework.

Understand your industry requirements. Certain frameworks are better suited for meeting industry-specific regulations. Understanding your industry's unique regulatory landscape will help you determine which security frameworks align with these requirements and which ones are most effective for addressing sector-specific risks.

Consider business goals and objectives. When selecting a security framework, it's important to align your choice with your company's broader business objectives. For example, with the FFIEC Cybersecurity Assessment Tool being phased out, financial institutions may consider adopting ISO 27001 to enhance their cybersecurity posture and build credibility with investors and regulators. Additionally, if your organization is focused on streamlining compliance processes or reducing the burden of managing multiple audits, a consolidated compliance framework, combining assessments like NIST, ISO, PCI DSS, HITRUST and/or SOC 2, can help alleviate audit fatigue and ensure consistent, efficient compliance across various regulatory requirements.

Real-world example: For companies navigating a complex landscape of regulatory requirements, working with multiple providers testing the same controls can strain internal resources. Learn how FD's Consolidated Compliance Assessment Program helped a leading global payments technology company streamline compliance, exceed regulatory requirements and reduce audit redundancies. Read more here.

Engage key stakeholders. Cybersecurity is not just an IT concern; it requires collaboration across executive leadership, technology teams, risk and compliance professionals and internal audit. Engaging these stakeholders early ensures alignment on strategic priorities and regulatory expectations.

Monitor, validate and adapt. Cyber threats and regulatory expectations continue to evolve, making ongoing monitoring essential. Regularly measure progress against targeted cybersecurity maturity levels, reassess risk factors and adjust your strategy as needed. Internal audit should be involved in periodic reviews to validate compliance and readiness for regulatory examinations.

Next steps: Strengthening your security posture

Choosing the right security framework is more than just a compliance requirement; it's a strategic investment in your company's resilience, reputation and long-term success. As cyber threats grow more sophisticated and regulatory landscapes shift, companies must take a proactive approach to security. By assessing your current security posture, aligning with industry requirements and considering business goals, you can implement a framework that not only meets compliance standards but also strengthens your overall cybersecurity strategy.

Navigating these complexities can be challenging, but you don't have to do it alone. Frazier & Deeter's experts are here to help you evaluate your options, implement the right framework and build a security posture that protects your business now and in the future. Contact us to get started.

Frazier & Deeter (FD) is comprised of Frazier & Deeter, LLC, a US licensed CPA firm that provides attest services to its clients, and Frazier & Deeter Advisory, LLC, an alternative practice structure that provides tax and advisory services to clients worldwide. Learn more at

Long Island school districts breached by cyber hackers — thousands of students' records exposed in alarming trend

New York Post, 12-05-2025

More than 20 school districts across Long Island were hit by cyber hackers, leaving more than 10,000 students' records and personal info vulnerable to criminals, state education records revealed.

The widespread data breaches and digital intrusions — 28 Long Island incidents were self-reported to the state last year — have cybersecurity experts sounding the alarm about schools nationwide increasingly becoming targets for identity thieves, ransomware gangs and data extortionists. Districts with lower operating budgets are even more at risk, according to experts.

'Schools have an incredibly rich amount of data,' Randy Rose, vice president of security operations at the Center for Internet Security, told Newsday. 'People think it's just grades — but it's personal information, sometimes financial information. There's data associated with kids that are in need. Data on kids that are in afterschool programs.'

Some of the intrusions on Long Island were minor — a student who was caught snooping on a classmate's grades — but others were much more concerning. Third-party breaches compromised the personal records of more than 6,000 students in Great Neck, another 1,000 in Smithtown, as well as nearly 2,400 in Brentwood and Hewlett-Woodmere combined, according to state education records.

Hackers even infiltrated software systems used by schools across the US, including major safety and security platform Raptor Technologies, which impacted at least seven Long Island districts, education records show.

Michael Nizich, an adjunct associate professor of computer science at the New York Institute of Technology, said the level of regularly updated cybersecurity prevention necessary to adequately protect school districts is 'just not going to be feasible' economically.

'I think what you're seeing is that these school districts are now becoming targets because of the value of data that criminals are starting to find,' Nizich told Newsday.

But it's not always the firewall that fails. Oftentimes breaches boil down to human error, as cybersecurity investments only go so far without proper training.

About 45% of the time, hackers weren't exploiting technical flaws, but instead human behavior, according to an investigation by Newsday — pointing to phishing emails, fake login pages and malware disguised as digital ads.

And the real-world impacts on districts can be devastating, as cyber incidents can derail afterschool initiatives, delay lunch programs, disrupt statewide testing — even freeze entire school operations, Rose explained.

For students, the possible 'real life consequences' can be even more dire — derailing credit scores and impacting their ability to apply for loans and credit cards.

'When it comes time to go to college or get their first bank account, credit card, they're unable to,' Rose told Newsday.

The new state budget just added record funding into public education, including an additional $270 million for Long Island, although each individual district will decide how the money gets spent.

What to know about safeguarding phone data while traveling

Axios, 29-03-2025

The Trump administration cited electronic data, found while examining cellphones, as reason to detain and deport U.S. residents or tourists under its escalating anti-immigration policies.

Why it matters: While electronic checks make up a small percentage of border interactions, people can take measures to generally safeguard their phones and personal information while traveling.

"When you're traveling, you really do want to be mindful that there are people that want access to your data and they have ways of getting access to that," said Randy Rose, the Center for Internet Security's vice president of security operations and intelligence.

State of play: U.S. Customs and Border Protection has the authority to conduct warrantless device searches at the border, including in international airports, according to the Electronic Frontier Foundation (EFF).

"Border agents cannot deny a U.S. citizen admission to the country," an EFF digital privacy guide said. "However, if a foreign visitor declines, an agent may deny them entry. If a lawful permanent resident declines, agents may raise complicated questions about their continued status as a resident."

Courts in the U.S. have issued different rulings on device searches at ports of entry, the Verge reported.

Zoom in: Rose said he recommends deleting sensitive information such as licenses, credit card information or photos of children from phones before traveling.

"Just assume that phone is not going to be yours at some point during your trip," he said. "What are you comfortable with somebody else having access to?"

Zoom out: General security practices include avoiding open wifi networks, which could potentially be unsecured, and plugging phones into power adapters rather than directly into USB ports, Rose said. Travelers can set up virtual private networks (VPNs) to encrypt personal data and mask a user's location, he said.

"The internet was not built with security in mind," he said. "It was built for open communication, and over time we've tacked security on."

Between the lines: Law enforcement can require people to unlock their cellphones with facial recognition and fingerprint identification, but not with numerical passcodes.

"A police officer cannot make you input your passcode/password to unlock your cellphone because doing so would force you to produce the contents of your mind," according to Berry Law in Nebraska and Iowa. "The Fifth Amendment protects against this type of self-incrimination."

Providing fingerprints is not considered a "testimonial act," per ESS Law Partners in Houston. Sharing a passcode reveals "explicit knowledge" and is therefore testimonial.

By the numbers: U.S. Customs and Border Protection conducted 47,047 searches of electronic devices, which made up fewer than 0.01% of arriving passengers in fiscal year 2024.

Opinion - Stop gutting America's cyber defense agency

Yahoo, 26-03-2025

The Trump administration's cuts in cyber programs are putting national security at risk. Secretary of Homeland Security Kristi Noem defended such cuts in her confirmation hearing, saying that the Cybersecurity and Infrastructure Security Agency needed to be 'smaller, more nimble to really fulfill their mission.' She is mistaken.

Over the past three weeks, the agency has reduced staff, slashed budgets and terminated programs, with the administration suggesting that these cuts will 'eliminate redundancies' and focus its work on 'mission critical areas.' However, the cuts, imposed by the Department of Homeland Security, are in fact undercutting the agency's core mission areas, weakening U.S. national resilience and casting doubt on America's ability to repel, thwart and deter attacks in cyberspace.

The Cybersecurity and Infrastructure Security Agency has attempted to fire 130 probationary workers. Among them are some of its most talented cyber experts. They include career intelligence analysts, experienced vulnerability analysts and world-class threat hunters. An unreported number of terminated employees were hired through the Cyber Talent Management System, an initiative created by Congress to help the federal government entice talent from the private sector to address significant federal cyber workforce shortages.

In addition to firing employees, the Cybersecurity and Infrastructure Security Agency also terminated contracts with cybersecurity experts who serve as 'red teams.' These penetration testers hack into systems to help the government identify vulnerabilities so that defenders can bolster security before adversaries corrupt their systems. These red teams are often the most experienced and specialized experts in the cyber field. Without their essential work, vulnerabilities in government networks will go unidentified, further risking infiltration by foreign adversaries.

At the same time, the agency terminated $10 million in funding to the Center for Internet Security. This nonprofit houses the Election Infrastructure Information Sharing and Analysis Center, the mechanism through which state and local election officials and federal partners can share information about cyber and physical threats to election infrastructure. Complicating this action, the Center for Internet Security also houses the Multi-State Information Sharing and Analysis Center, which provides cyber threat intelligence, cyber incident response assistance and free services to state and local governments. Among its 16,000 members are municipalities that manage local electric and water utilities and K-12 schools. The center is now unfunded, and its future is uncertain. The result is that state and local governments are made increasingly vulnerable to foreign actors.

Noem also dismantled several cybersecurity advisory boards, including the Homeland Security Science and Technology Advisory Committee, the Data Privacy and Integrity Advisory Committee and the Secret Service's Cyber Investigations Advisory Board. Each of these boards provides unique perspectives on threats to U.S. cybersecurity and technology development. They serve as vehicles for the government to gain insights and advice from private industry.

More concerning was the decision to disband the Cyber Safety Review Board, an investigative body that reviews significant cyber incidents. At the time it was disbanded, the board was specifically looking into how China has compromised U.S. telecommunications infrastructure. The secretary of Transportation would never have dared eliminate this board's aviation equivalent, the National Transportation Safety Board.

Finally, Noem suspended the Critical Infrastructure Partnership Advisory Council, which is essential for bridging the divide between the government and private companies. It provides legal protection and serves as the convening body under which the Sector Coordinating Councils — consisting of critical infrastructure owners, operators and their associations — meet with the federal government to share threat information, engage in cyber response simulations and flesh out industry-wide cyber challenges. Not every such council was running perfectly, but some were highly successful anchor points of public-private collaboration.

Because of these actions, the Sector Coordinating Councils are not operational. It remains unclear when or whether they will be reactivated, especially without the protection of the Critical Infrastructure Partnership Advisory Council. Their absence leaves industry without a critical lifeline to the government and its intelligence-gathering resources, severely limiting the public and private sectors' collaborative ability to combat threats in cyberspace. Another unintended consequence of disestablishing the Critical Infrastructure Partnership Advisory Council was the removal of protections for the use of the Enduring Security Framework, a favorite tool of the National Security Agency to share information with the private sector.

There is nothing wrong with building a more efficient Cybersecurity and Infrastructure Security Agency, and certainly the agency needed some corrective action. What Noem has done, however, is take a chainsaw to an agency that needed only a scalpel. Congress specifically created some of these now disbanded programs to address gaps in both the government's and the private sector's cybersecurity capabilities. The rationale behind and necessity for these programs remain. The consequences of these cuts will be felt in our schools and hospitals, in our water systems and electric grids and in many other critical areas as America's ability to defend itself in cyberspace erodes.

This matters because the Trump administration, like the Biden team, recognizes the rapidly growing threat to our national security from China's malicious cyber activity, as shown by the exploitation of critical U.S. infrastructure by both the Volt and Salt Typhoon operations.

The Cybersecurity and Infrastructure Security Agency should rehire its talent, restore funding and reinstate these programs immediately. Elections have consequences and the Trump administration certainly can make changes as it sees fit, but canceling the tools for public-private collaboration in securing America's cyberspace is a mistake.

Trump recently nominated a new director, Sean Plankey. A career Coast Guard officer with extensive interagency experience, he has the talent and expertise to make the Cybersecurity and Infrastructure Security Agency more efficient. Congress needs to confirm him fast, and Noem needs to stop gutting the agency in his absence.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, where Johanna 'Jo' Yang is a research and editorial associate.

Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

