Section 5: Risk Frameworks Flashcards
NIST SP 800-37 RMF
Risk Management Framework for Information Systems and Organizations
Provides a flexible 7 step process for managing security and privacy risk
NIST RMF 7 steps
PREPARE - identify the roles, strategies, and control providers involved
CATEGORIZE - identify all organizational assets, categorize them by risk and value, and document them
SELECT - choose the initial security controls necessary to protect the information system and organization
IMPLEMENT - deploy the security controls and document how they are used
ASSESS - test the effectiveness of the controls and confirm compliance with governance
AUTHORIZE - require a senior management official to take accountability for the residual risk
MONITOR - ongoing evaluation of security effectiveness against organizational and system-related changes
ISO 31000
Risk management framework that provides a common approach to managing any type of risk within any industry
8 principles
ISO 31000 Principles
Integrated
Structured and Comprehensive
Customized
Inclusive
Dynamic
Best Available Information
Human and Cultural Factors
Continual Improvement
COSO
Committee of Sponsoring Organizations
Enterprise risk management framework focused on corporate governance
Often used to comply with SOX 404 requirements
COSO Components
Governance & Culture
Strategy & Objective Setting
Performance
Review & Revision
Information, Communication & Reporting
NIST CSF
NIST Cybersecurity Framework
Risk management and reduction framework based on existing standards, guidelines, and industry best practices
Voluntary and not required by any organization, authorizing, or accrediting body
NIST CSF Core
Activities, implementations, and functions designed to achieve the desired cybersecurity outcomes
NIST CSF Tiers
Characterize how the core activities align with the desired cybersecurity outcomes
Tier 1 - Partial
Tier 2 - Risk Informed
Tier 3 - Repeatable
Tier 4 - Adaptive
NIST CSF Profiles
Alignment of requirements, objectives, implementations, and risk tolerance to the desired cybersecurity outcomes
NIST CSF Framework Steps
Identify
Protect
Detect
Respond
Recover
NIST CSF - Identify
Identify critical enterprise processes and assets
Document information flows
Maintain hardware and software inventory
Establish policies for cybersecurity that include roles and responsibilities
NIST CSF - Protect
Manage access to assets and information
Protect sensitive data
Conduct regular backups
Securely protect your devices
Manage device vulnerabilities
Train users
NIST CSF - Detect
Test and update detection processes
Maintain and monitor logs
Know the expected data flows for your enterprise
Understand the impact of cybersecurity events
NIST CSF - Respond
Ensure response plans are tested
Ensure response plans are updated
Coordinate with internal and external stakeholders
NIST CSF - Recover
Communicate with internal and external stakeholders
Ensure recovery plans are updated
Manage public relations and company reputation
ISO/IEC 27001
Internationally recognized standard for Information Security Management Systems
Focuses on three main principles: Confidentiality, Integrity, Availability
PCI DSS
Payment Card Industry Data Security Standard
Focused on protecting cardholder data from unauthorized access or disclosure
Not a law, but treated as one
PCI DSS - CHD
Cardholder Data types:
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
PCI DSS - SAD
Sensitive Authentication Data types:
Full track data (magnetic-stripe data or equivalent on a chip)
Card verification code (CVV)
PINs/PIN blocks
PCI DSS - CDE
Cardholder Data Environment
Anything that can possibly touch, process, or collect payment card data
Sherwood Applied Business Security Architecture (SABSA)
Methodology for developing enterprise and solution level security architectures that align with business objectives
Supports other standards, does not replace or compete
SABSA Contextual Architecture
Identifies organization’s business objectives, drivers, and key stakeholders
Links business objectives to security requirements to help define overall strategy
SABSA Conceptual Architecture
Translates business goals and objectives into security objectives and requirements
Defines high-level security architecture components and their relationships
SABSA Logical Architecture
Develops logical security architecture components based on the conceptual layer
Defines security services, policies, standards, and guidelines
SABSA Physical Architecture
Implements security controls and technologies to support the logical functionality
Includes physical infrastructure, network infrastructure, and systems infrastructure
SABSA Component Architecture
Focuses on the implementation of specific security components
Incorporates technologies, products, and solutions to meet security requirements
SABSA Service Management Architecture
Addresses day-to-day security management and operations
Includes incident response, vulnerability management, security awareness and training
PCI DSS Merchant Level 1
Companies with over 6 million transactions
PCI DSS Merchant Level 2
Companies that process between 1 and 6 million transactions
PCI DSS Merchant Level 3
Companies that process between 20k and 1 million transactions
PCI DSS Merchant Level 4
Companies that process less than 20k transactions