Security Management Framework Flashcards
ISO/IEC 27000
A series of Information Security standards or best practices to help organisations improve their information security.
Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO 27000 standards set out comprehensive information security management system (ISMS) requirements.
ISMS
An Information Security Management System consists of all of the administrative, technical and operational controls that address information security within an organisation.
ISO 27000 twelve domains
- Risk assessment
- Security Policy
- Organisation of Information Security
- Human resources security
- Asset management
- Physical and environmental security
- Communications and operations management
- Information systems acquisition, development and maintenance
- Access Control
- Information security incident management
- Business continuity management
- Compliance
What is the difference between the ISO cybersecurity model and the Open System Interconnection (OSI) model?
The structure of this ISO cybersecurity model differs from the Open System Interconnection (OSI) model in that it is a peer model that uses domains rather than layers to describe the security categories. Each domain has a direct relationship with the other domains.
Risk assessment
This is the first step in the risk management process, which determines the quantitative and qualitative value of risk related to a specific situation or threat.
Security policy
This document addresses the constraints and behaviours of individuals within an organisation and often specifies how data can be accessed and what data is accessible by whom.
Organisation of Information Security
This is the governance model set out by an organization for information security.
Asset management
This is an inventory of and classification scheme for information assets within an organization.
Human resources security
This refers to the security procedures in place that relate to employees joining, moving within and leaving an organization.
Physical and environmental security
This refers to the physical protection of an organisation’s facilities and information.
Communications and operations management
This refers to the management of technical security controls of an organisation’s systems and networks.
Information systems acquisition, development and maintenance
This refers to security as an integral part of an organisation’s information systems.
Access Control
This describes how an organization restricts access rights to networks, systems, application functions and data in order to prevent unauthorised user access.
Information Security Incident Management
This describes an organisation’s approach to the anticipation of and response to information security breaches.
Business Continuity Management
This describes the ability of an organisation to protect, maintain and recover business-critical activities following a disruption to information systems.
Compliance
This describes the process of ensuring conformance with information security policies, standards and regulations.
Control Objectives ISO 27001
Control objectives define the high level requirements for implementing a comprehensive information security management system within an organisation, and usually provide a checklist to use during an ISMS audit.
Controls ISO 27002
Controls set out how to accomplish an organisation’s control objectives.
They establish guidelines for implementing, maintaining and improving the management of information security in an organisation.
The ISO controls specifically address security objectives for data in each of the three states:
- in process
- at rest
- in transit
SOA
Statement of Applicability allows the organisation to tailor the available control objectives and controls to best meet its priorities around confidentiality, integrity and availability.
NIST
The National Institute of Standards and Technology created the National Cybersecurity Workforce Framework to support organisations seeking cybersecurity professionals.
The National Cybersecurity Workforce Framework
The framework organizes cybersecurity work into seven categories, outlining the main job roles, responsibilities and skills needed for each one.
Operate and Maintain
Provides the support, administration and maintenance required to ensure effective and efficient IT system performance and security.
Protect and Defend
Identifies, analyses and mitigates threats to internal systems and networks.
Investigate
Investigates cybersecurity events and/or cyber attacks involving IT resources.
Collect and Operate
Provides specialised denial and deception operations and collection of cybersecurity information.
Analyse
Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
Oversee and Govern
Provides leadership, management, direction or development and advocacy so an organization may effectively conduct cybersecurity work.
Securely Provision
Conceptualises, designs, procures or builds secure IT systems.
Basic Controls
Organizations with limited resources and cybersecurity expertise available should implement:
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configurations for hardware and software
- Maintenance, monitoring and analysis of audit logs
Foundational Controls
Organisations with moderate resources and cybersecurity expertise available should implement the basic controls as well as:
- Email and web browser protections
- Malware defense
- Limitation and control of network ports, protocols and services
- Data recovery capabilities
- Secure configurations for network devices
- Boundary defense
- Data protections
- Controlled access based on the ‘need to know’ principle
- Wireless access control
- Account monitoring and control
Organisational Controls
Organisations with significant resources and cybersecurity expertise available should implement the basic and foundational controls, as well as:
- A security awareness and training program
- Application software security
- Incident response and management
- Penetration tests and red team exercises (simulated attack exercises to gauge an organisation’s security capabilities)
CSA
The Cloud Security Alliance provides security guidance to any organisation that uses cloud computing or wants to assess the overall security risk of a cloud provider.
CCM
The Cloud Controls Matrix is a cybersecurity control framework that maps cloud-specific security controls to leading standards, best practices and regulations. It is composed of 197 control objectives that are structured in 17 domains covering all aspects of cloud technology, including governance and risk management, human resources and mobile security.
The CCM is considered a de-facto standard for cloud security assurance and compliance.
SSAE
Statement on Standards for Attestation Engagements.
This is an independent audit of an organization’s reporting controls as they relate to the security, availability, processing integrity, confidentiality and privacy of a system. An attestation report will confirm that controls are in place at a specific point in time (Type I) or managed over a period of at least six months (Type II). These reports provide assurance to a client organisation that there are controls in place and operating to protect sensitive data.
CMMC
Cybersecurity Maturity Model Certification.
This certification is aimed at any organisation providing a service to the U.S. Department of Defense (DoD) and verifies that the organisation has adequate cybersecurity practices and processes in place to ensure ‘basic’ cyber hygiene at a minimum.
The CMMC establishes five certification levels that range from ‘basic cyber hygiene practices’ to ‘enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.’ It is likely that service providers will have to achieve the appropriate CMMC requirement in order to be considered for a DoD contract award.