Frameworks Flashcards
A Framework is
a structure underlying a system, concept, or text.
The purpose of frameworks in IT and cybersecurity is to ____
Provide structure to the ways in which we manage risks, develop enterprise architecture, and secure all our assets.
Frameworks break down into four basic types:
- Risk
- Security Program
- Security Controls
- Enterprise Architecture
Examples of Risk Frameworks
- NIST RMF
- ISO/IEC 27005
- OCTAVE
- FAIR
Examples of Security Program Frameworks
- ISO/IEC 27005 series
- NIST Cybersecurity Framework
Examples of Security Control Frameworks
- NIST SP 800-53
- CIS Controls
- COBIT 2019
Examples of Enterprise Architecture Frameworks
- Zachman Framework
- TOGAF
- DoDAF
- SABSA
NIST RMF is described in three core interrelated Special Publications
- SP 800-37 R2 RMF for Information Systems and Organizations
- SP 800-39 Managing Information Security Risk
- SP 800-30 R1, Guide for Conducting Risk Assessments
NIST RMF - 2. Categorize - What is the SP?
NIST SP 800-60 applies sensitivity and criticality to each security objective (CIA) to determine a system’s criticality.
NIST RMF defines 3 types of security controls; they are _____
- Common
- System Specific
- Hybrid
NIST RMF - 3. Select - What is the SP?
NIST SP 800-53 R5 Security and Privacy Controls for Information Systems and Organizations
ISO/IEC 27005 outlines 4 ways in which the risk can be treated:
- Mitigate
- Accept
- Transfer
- Avoid
For best RMF results, which 2 ISO standards should be combined?
ISO/IEC 27005
ISO/IEC 27001
Is OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) an RMF or a methodology for risk assessment?
It is not a framework but more of a methodology for risk assessment.
Is OCTAVE commonly used in the public sector or the private sector?
Private Sector
The OCTAVE approach focuses on which type of asset?
Most critical assets
80% of the consequences come from 20% of the causes (Pareto Principle) is used in which risk assessment methodology?
OCTAVE
OCTAVE Risk Assessment Methodology is divided into 3 phases:
- Organizational view for most critical assets
- Organizational technology infrastructure vulnerabilities
- Team risk assessment (High, Medium, Low) and development of mitigation strategies
Which proprietary framework takes a more rigorous quantitative approach to managing risk?
FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) focuses on: possible threats or probable threats?
Probable Threats
Information Security Frameworks can be divided into 2 Categories:
- Looks holistically at the entire security program
- Focused on Controls
Which ISO standard series serves as industry best practice for the management of security controls in a holistic manner within organizations around the world?
ISO/IEC 27000
As you probably realize, ISO _______ is the most important of these standards for most organizations:
ISO 27001
NIST Cybersecurity Framework is divided into three main components:
- Framework Core
- Implementation Tiers
- Framework Profile
The NIST Cybersecurity Framework Core organizes cybersecurity activities into 5 higher-level functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Which NIST publication covers Security and Privacy Controls for Information Systems and Organizations?
NIST SP 800-53
NIST SP 800-53 prescribes a 4-step process:
- Select the appropriate security control baseline
- Tailor the baseline
- Document the security control selection process
- Apply the controls
How many controls does NIST SP 800-53 list? More than # controls
1000 controls in 20 families
CIS (Center for Internet Security) is a non-profit organization that, among other things, maintains a list of # critical security controls
List of 20 Critical Security Controls
CIS (Center for Internet Security) recognizes that not every organization will have the resources necessary to implement all the controls. For this reason they are grouped into 3 categories, which are:
- Basic - Key Controls
- Foundational - Best Practices
- Organizational - improved Cybersecurity (People and Processes focused)
COBIT 2019 (Control Objectives for Information Technologies) is a framework for governance and management developed by ISACA; it helps organizations:
Optimize the value of their IT by balancing resource utilization, risk levels, and realizations of benefits.
Security Control framework
COBIT 2019 (Control Objectives for Information Technologies) has 6 key principles:
- Provide stakeholder value
- Holistic Approach
- Dynamic Governance Systems
- Governance distinct from management
- Tailored to enterprise needs
- End-to-end governance system
COBIT 2019 specifies # enterprise and # alignment goals. These 2 sets of goals are different but related.
13
A majority of the security compliance auditing practices used today in the industry are based on which security control framework?
COBIT 2019
Is COBIT 2019 purely security-focused, or IT governance as well?
Both
One of the first enterprise architecture frameworks that was created is the:
Zachman Framework
The Zachman Framework is a two-dimensional model that uses # basic communication interrogatives:
- What
- How
- Where
- Who
- When
- Why
The Open Group Architecture Framework (TOGAF) has its origins in the U.S. Department of Defense. It can be used to develop the following 4 architecture types:
- Business Architecture
- Data Architecture
- Application Architecture
- Technology Architecture
TOGAF can be used to create these individual architecture types through the use of which method?
Architecture Development Method (ADM)
TOGAF (The Open Group Architecture Framework) architectures allow a technology architect to understand the enterprise from 4 different views:
- Business
- Data
- Application
- Technology
DoDAF stands for
Department of Defense Architecture Framework (DoDAF)
The focus of the Department of Defense Architecture Framework (DoDAF):
- Command
- Control
- Communications
- Computers
- Intelligence
- Surveillance
- Reconnaissance systems and processes
Other Frameworks (3)
- ITIL
- Six Sigma
- Capability Maturity Model
ITIL (Information Technology Infrastructure Library) was developed in the 1980s by the UK's Central Computer and Telecommunications Agency. ITIL is now the _____
De facto standard of best practices for IT service management
Four dimensions in the ITIL model:
- Organizations and People
- Value Streams and Processes
- Information and Technology
- Partners and Suppliers
Six factors in the ITIL model:
- Political
- Economic
- Social
- Technological
- Legal
- Environmental
Six Sigma was developed by Motorola with the goal of identifying and removing defects in its manufacturing process. It is a ______ ______ methodology.
Process improvement methodology
Goal of Six Sigma
Improve Process Quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste.
CMM (Capability Maturity Model) has 6 levels, starting from 0:
Level 0: Nonexistent Management
Level 1: Unpredictable Processes
Level 2: Repeatable Processes
Level 3: Defined Processes
Level 4: Managed Processes
Level 5: Optimized Processes
Framework designed to align an organization’s security architecture with its business strategy
SABSA
It is a framework that assists both business and IT by using a common language of understanding.
ITIL