03. Industry Standards and Frameworks for Information Security Flashcards
Industry Standards and Frameworks for InfoSec
An Information Security Program will/may use or adopt several types of frameworks such as…
- Control Frameworks
- Risk Management Frameworks
- Architecture Frameworks
- Security Program Management Frameworks
213
Industry Standards and Frameworks for InfoSec
Control Frameworks include…
- CIS CSC
- ISO/IEC 27002
- NIST SP 800-53
- PCI DSS
- NIST CSF
- COBIT
- ETSI Technical Report (TR) 103 305-1
- HITRUST CSF
213
Industry Standards and Frameworks for InfoSec
Risk Management Frameworks include…
- ISO/IEC 27005
- ISO/IEC 31000
- NIST CSF
- NIST SP 800-37
213
Industry Standards and Frameworks for InfoSec
Architecture Frameworks include…
- Zachman
- TOGAF
The Open Group Architecture Framework
213
Industry Standards and Frameworks for InfoSec
Security Program Management Frameworks include…
- ISO/IEC 27001
- NIST CSF
- COBIT
- ETSI TR 103 787-1
213
Control Frameworks
An advantage of an organisation adopting an industry-standard control framework is that they are used by thousands of companies and they are…
regularly updated to reflect changing business practices, emerging threats, and new technologies
213
Control Frameworks
A strategist should select a control framework based on its…
alignment to the industry
214
Control Frameworks
Where a control framework has been selected based on its industry alignment, the strategist should institute a process for…
developing additional controls based on the results of risk assessments to meet the specific needs of the organisation
214
Control Frameworks: COBIT
COBIT has 4 domains…
- Plan and Organise
- Acquire and Implement
- Delivery and Support
- Monitor and Evaluate
215
Control Frameworks: COBIT
COBIT is not primarily a security control framework. It is an IT process framework with security processes interspersed. The security- and risk-related processes are…
- Ensure Risk Optimization
- Manage Risk
- Manage Security
- Manage Security Resources
- Monitor, Evaluate, and Assess compliance with external requirements
215
Control Frameworks: ITIL / ISO/IEC 20000
ITIL is a framework of…
IT Service Delivery and Management Processes
ITIL is not a security framework but a process framework for IT Service Management
215
Control Frameworks: ISO/IEC 27002
ISO/IEC 27002:
Information Technology - Security Techniques - Code of practice for information security controls is…
An international standard controls framework
ISO 27002 provides full explanations on controls
ISO 27001 is high level and includes the controls in an appendix but not in detail
216
Control Frameworks: HIPAA
HIPAA
Health Insurance Portability and Accountability Act establishes requirements for…
protecting electronic protected health information (ePHI)
216
Control Frameworks: HIPAA
HIPAA requirements fall into 3 main categories…
- Administrative safeguards
- Physical safeguards
- Technical safeguards
216
Control Frameworks: HIPAA
Each control within the framework is labeled as either…
Required or addressable
Required MUST be implemented
Addressable is considered optional if the control does not apply or the risk is negligible
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 is one of the most…
well known and adopted security control frameworks
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 is required for all…
US Government information systems and private industry that store or process federal government information
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 controls are organised into 18 categories…
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorisation
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications protection
- System and Information Integrity
- Program Management
216/217
Control Frameworks: NIST SP 800-171
NIST SP 800-171 is a framework of requirements for…
the protection of controlled unclassified information (CUI)
Required for all information systems in private industry that store or process CUI for the federal government
217
Control Frameworks: NIST SP 800-171
NIST SP 800-171 is organised into 13 categories…
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
217
Control Frameworks: NIST SP 800-171
A framework of assessments and assessor certifications used to enforce compliance with NIST SP 800-171
Cybersecurity Maturity Model Certification
(CMMC)
217
Control Frameworks: NIST CSF
The NIST CSF is a risk-based life-cycle methodology used for…
assessing risk, enacting controls, and measuring control effectiveness
217
Control Frameworks: NIST CSF
The 3 core components of the NIST CSF…
- Framework Core
- Framework Implementation Tiers
- Framework Profile
218
Control Frameworks: NIST CSF
The set of 5 functions within the Framework Core of the NIST CSF…
- Identify
- Detect
- Protect
- Respond
- Recover
217
Control Frameworks: NIST CSF
5 maturity levels defined within the Framework Implementation Tiers of the NIST CSF…
- Partial
- Risk
- Informed
- Repeatable
- Adaptive
218
Control Frameworks: NIST CSF
The Framework Profile within the NIST CSF aligns elements of the Framework Core with the organisation's…
- Business requirements
- Risk tolerance
- Available resources
218
Control Frameworks: NIST CSF
Organisations implementing the NIST CSF first perform an assessment by measuring the maturity of each Framework Core function, i.e. Identify, Detect, Protect, Respond, Recover. The organisation then determines the maturity level it wants to reach for each Framework Core function. The identified differences are considered…
gaps that need to be filled through several means
- Hiring additional resources
- Training resources
- Adding or changing business processes or procedures
- Changing system or device configuration
- Acquiring new systems or devices
218
Control Frameworks: CIS CSC
CIS CSC - Center for Internet Security Critical Security Controls is a…
well-known control framework with 18 sections
218
Control Frameworks: PCI DSS
The Payment Card Industry Data Security Standard is a control framework specifically for protecting credit card numbers and related information when…
stored, processed and transmitted on an organisation's network
219
Control Frameworks: PCI DSS
The PCI DSS has 12 control objectives…
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
219
Control Frameworks: PCI DSS
PCI DSS is mandatory for all organisations…
storing, processing, or transmitting credit card data
219
Control Frameworks: PCI DSS
Organisations that store, process or transmit high volumes of credit card data are required to undergo…
annual on-site audits
219
Information Security Management Frameworks
Information security management frameworks are business process models that include…
essential processes and activities needed by most organisations
219
Information Security Management Frameworks
Information security management frameworks are risk-centric because the identification of risk is the key driver for activities in other parts of the framework that…
reduce risk to acceptable levels
219
Information Security Management Frameworks
ISO/IEC 27001 is a well-known international standard which defines the requirements and steps to run an…
Information Security Management System
(ISMS)
An ISMS is a set of processes used to assess risk, develop policy and controls, and manage all processes found in an infosec program
219
Information Security Management Frameworks
COBIT 2019 is a…
controls and governance framework for managing an IT organisation
COBIT 2019 for Information Security is an additional standard that explains each component of the framework from an information security perspective
220
Information Security Management Frameworks
The NIST CSF is an outcomes based security management and control framework that guides an organisation in…
- Understanding its maturity levels
- Assessing risk
- Identifying gaps
- Developing action plans for strategic improvement
220
Information Security Management Frameworks
ETSI CYBER Cybersecurity for SMEs Part 1: Cybersecurity Standardisation Essentials is a published document that describes a…
Top-down approach to developing and managing cybersecurity programs
220
Information Security Architecture
- Security management frameworks describe… activities in an information security program
- Control frameworks are… collections of security controls
For example, the activity might be "access management" and the controls might be "RBAC or MAC" etc.
220
Enterprise Architecture (EA)
A business function and a technical model which consists of activities that ensure IT systems meet important business needs
Enterprise Architecture
(EA)
EA may include business functions being mapped to IT environments and systems at all levels
220
Information Security Architecture
A subset (special topic) within Enterprise Architecture concerned with the protective characteristics found in many components in an overall EA
Information Security Architecture
220
Information Security Architecture
The purpose of an Enterprise Architecture and Enterprise Security Architecture is…
- All hardware and software fulfil a stated purpose
- Components work well together
- Structure and consistency in infrastructure through the organisation
- Infrastructure resources are used efficiently
- Infrastructure is scalable and flexible
- Elements can be upgraded as needed
- Elements can be added as needed
220
Information Security Architecture
The 2 main layers that exist within an Information Security Architecture…
- Policy: defines the characteristics of the overall environment, e.g. the need for centralised authentication
- Standards: defines the standards to be used, e.g. specific protocols, methods of authentication, configuration and hardening etc.
221
Information Security Architecture
Centralised functions within an information security architecture help amplify the workforce so that a relatively small staff can…
effectively manage hundreds or thousands of devices
221
Information Security Architecture
Examples of modern information security architecture centralised functions that amplify a small staff workforce to manage devices…
- Authentication: utilising central identity and access management services, e.g. AD
- Encryption Key Management: centralised certificate authorities (CA)
- Monitoring: centralised monitoring of all systems, e.g. a SIEM
- Device Management: centralised configuration management or distribution servers
- Software Development: formal architectures implemented describing the end-to-end software development environment
221