Frameworks Flashcards
A Framework is
a structure underlying a system, concept, or text.
The purpose of frameworks in IT and cybersecurity is to ____
Provide structure to the ways in which we manage risks, develop enterprise architecture, and secure all our assets.
The four basic categories of frameworks
- Risk
- Security Program
- Security Controls
- Enterprise Architecture
Examples of risk frameworks
- NIST RMF
- ISO/IEC 27005
- OCTAVE
- FAIR
Examples of security program frameworks
- ISO/IEC 27005 series
- NIST Cybersecurity Framework
Examples of security control frameworks
- NIST SP 800-53
- CIS Controls
- COBIT 2019
Examples of enterprise architecture frameworks
- Zachman Framework
- TOGAF
- DoDAF
- SABSA
NIST RMF is described in three core, interrelated Special Publications:
- SP 800-37 R2, RMF for Information Systems and Organizations
- SP 800-39, Managing Information Security Risk
- SP 800-30 R1, Guide for Conducting Risk Assessments
NIST RMF step 2, Categorize: which SP applies?
NIST SP 800-60 applies sensitivity and criticality to each security objective (CIA) to determine a system’s criticality.
NIST RMF defines 3 types of security controls; they are _____
- Common
- System-specific
- Hybrid
NIST RMF step 3, Select: which SP applies?
NIST SP 800-53 R5 Security and Privacy Controls for Information Systems and Organizations
ISO/IEC 27005 outlines 4 ways in which the risk can be treated:
- Mitigate
- Accept
- Transfer
- Avoid
For best RMF results, which 2 ISO standards should be combined?
ISO/IEC 27005
ISO/IEC 27001
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Is it a risk management framework or a methodology for risk assessment?
It is not a framework but more of a methodology for risk assessment.
Is OCTAVE commonly used in the public sector or the private sector?
Private Sector
The OCTAVE approach focuses on which type of asset?
Most critical assets
The principle that 80% of the consequences come from 20% of the causes (Pareto Principle) is used in which risk assessment methodology?
OCTAVE
OCTAVE Risk Assessment Methodology is divided into 3 phases:
- Organizational view of the most critical assets
- Technological view of the organization's infrastructure vulnerabilities
- Team assessment of risk as High, Medium, or Low, and development of mitigation strategies
Which proprietary framework takes a more rigorous, quantitative approach to managing risk?
FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) focuses on: possible threats or probable threats?
Probable Threats