03. Industry Standards and Frameworks for Information Security Flashcards
Industry Standards and Frameworks for InfoSec
An Information Security Program will/may use or adopt several types of frameworks such as…
- Control Frameworks
- Risk Management Frameworks
- Architecture Frameworks
- Security Program Management Frameworks
213
Industry Standards and Frameworks for InfoSec
Control Frameworks include…
- CIS CSC
- ISO/IEC 27002
- NIST SP 800-53
- PCI DSS
- NIST CSF
- COBIT
- ETSI Technical Report (TR) 103 305-1
- HITRUST CSF
213
Industry Standards and Frameworks for InfoSec
Risk Management Frameworks include…
- ISO/IEC 27005
- ISO/IEC 31000
- NIST CSF
- NIST SP 800-37
213
Industry Standards and Frameworks for InfoSec
Architecture Frameworks include…
- Zachman
- TOGAF (The Open Group Architecture Framework)
213
Industry Standards and Frameworks for InfoSec
Security Program Management Frameworks include…
- ISO/IEC 27001
- NIST CSF
- COBIT
- ETSI TR 103 787-1
213
Control Frameworks
An advantage of an organisation adopting an industry-standard control framework is that they are used by thousands of companies and they are…
regularly updated to reflect changing business practices, emerging threats, and new technologies
213
Control Frameworks
A strategist should select a control framework based on its…
alignment to the industry
214
Control Frameworks
Where a control framework has been selected based on its industry alignment, the strategist should institute a process for…
developing additional controls based on the results of risk assessments to meet the specific needs of the organisation
214
Control Frameworks: COBIT
COBIT has 4 domains…
- Plan and Organise
- Acquire and Implement
- Delivery and Support
- Monitor and Evaluate
215
Control Frameworks: COBIT
COBIT is not primarily a security control framework. It is an IT process framework that includes security processes interspersed. The security and risk related processes are…
- Ensure Risk Optimization
- Manage Risk
- Manage Security
- Manage Security Resources
- Monitor, Evaluate, and Assess compliance with external requirements
215
Control Frameworks: ITIL / ISO/IEC 20000
ITIL is a framework of…
IT Service Delivery and Management Processes
ITIL is not a security framework but a process framework for IT Service Management
215
Control Frameworks: ISO/IEC 27002
ISO/IEC 27002:
Information Technology - Security Techniques - Code of practice for information security controls is…
An international standard controls framework
ISO 27002 provides full explanations on controls
ISO 27001 is high level and includes the controls in an appendix but not in detail
216
Control Frameworks: HIPAA
HIPAA
Health Insurance Portability and Accountability Act establishes requirements for…
protecting electronic protected health information (ePHI)
216
Control Frameworks: HIPAA
HIPAA requirements fall into 3 main categories…
- Administrative safeguards
- Physical safeguards
- Technical safeguards
216
Control Frameworks: HIPAA
Each control within the framework is labeled as either…
Required or addressable
Required MUST be implemented
Addressable is considered optional if the control does not apply or the risk is negligible
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 is one of the most…
well known and adopted security control frameworks
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 is required for all…
US Government information systems and private industry that store or process federal government information
216
Control Frameworks: NIST SP 800-53
NIST SP 800-53 controls are organised into 18 categories…
- Access Control
- Awareness and Training
- Audit and Accountability
- Security Assessment and Authorisation
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications protection
- System and Information Integrity
- Program Management
216/217