Types of Frameworks

  • Regulatory vs Non-Regulatory

  • National vs International

  • Industry-Specific Frameworks

Industry Standard Frameworks

  • International Organization for Standardization (ISO)

  • National Institute of Standards and Technology (NIST)

  • Payment Card Industry Data Security Standard (PCI-DSS)

  • North American Electric Reliability Corporation (NERC)

  • Center for Internet Security (CIS)

  • Open Web Application Security Project (OWASP)

ISO/IEC 27002:2013

  • Gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).

  • It is designed to be used by organizations that intend to:

    • Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001.

    • Implement commonly accepted information controls.

    • Develop their own information security management guidelines.

ISO/IEC 27002:2013 - Topics

  • Information Security Policies

  • Organization of Information Security

  • Human Resource Security

  • Asset Management

  • Access Control

  • Cryptography

  • Physical and Environmental Security

  • Operation Security: Procedures and Responsibilities

  • Communication Security

  • System Acquisition, Development, and Maintenance

  • Supplier Relationships

  • Incident Management

  • Business Continuity Management

ISO/IEC 27017:2015

  • Gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

    • Additional implementation guidance for relevant controls specified in ISO/IEC 27002.

    • Additional controls with implementation guidance that specifically relate to cloud services.

  • This recommendation provides controls and implementation guidance for both cloud service providers and cloud service customers.

National Institute of Standards and Technology (NIST)

  • U.S. National Standards

  • The Computer Security Resource Center (CSRC) provides NIST's cybersecurity and information security related projects, publications, news, and events.

  • The NIST Cybersecurity Framework (NIST CSF) is a group of related standards that are designed to provide guidance on cybersecurity.

  • Each standard is published as a NIST SP (Special Publication).

NIST Special Publications 800 Series (SP800)

  • SP 800-30 - Guide for Conducting Risk Assessments

  • SP 800-35 - Guide to Information Technology Security Services

  • SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

  • SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

Payment Card Industry Data Security Standard (PCI-DSS)

  • Used by Visa, Mastercard, American Express, and Discover to create common security controls for the protection of Cardholder Data (CHD).

  • Any organization processing credit cards must be compliant.

  • Levels of compliance differ.

  • PCI-DSS control objectives:

    • Build and maintain a secure network.

    • Protect cardholder data.

    • Maintain a vulnerability management program.

    • Regularly monitor and test networks.

Benchmarks / Security Configuration Guides

  • IASE - Information Assurance Support Environment

  • DoD Security Technical Implementation Guides (STIGs)

    • Contain technical guidance to lock down information systems and software that might otherwise be vulnerable to malicious attacks.

  • Center for Internet Security Benchmarks

    • CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 150 technologies, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world.

  • Platform / Vendor-Specific Guides

    • Network

      • Cisco

    • Operating Systems

      • Microsoft TechNet

    • Web Server

      • Microsoft IIS

      • Apache
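Benchmark and STIG audits boil down to reading a system's configuration and comparing each directive against a hardened expected value. The script below is an added example (not from the page or from CIS/DISA) showing that pattern over a constructed OpenSSH sshd_config fragment; the baseline directives and values are illustrative assumptions and do not reproduce any published benchmark item.

```python
"""Minimal benchmark-style configuration check (added example).

Parses an OpenSSH sshd_config fragment and compares it against a small
hardening baseline, the way a CIS Benchmark or STIG audit script checks a
target system's configuration. The baseline values are illustrative
assumptions, not the text of any published benchmark.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: directive -> (expected value, comparison mode).
# "eq" means the value must match exactly; "max" means value <= limit.
BASELINE = {
    "PermitRootLogin": ("no", "eq"),
    "PasswordAuthentication": ("no", "eq"),
    "X11Forwarding": ("no", "eq"),
    "MaxAuthTries": ("4", "max"),
    "PermitEmptyPasswords": ("no", "eq"),
}


@dataclass
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None when the directive is absent from the file
    status: str            # "pass" or "fail"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive: value}; OpenSSH honours the first occurrence of a key."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        # Directives are case-insensitive; keep the first value seen.
        config.setdefault(key.lower(), value.strip())
    return config


def audit(config: Dict[str, str]) -> List[Finding]:
    """Compare parsed config against BASELINE and return one Finding per directive."""
    findings = []
    for directive, (expected, mode) in BASELINE.items():
        actual = config.get(directive.lower())
        if actual is None:
            # Absent directive: the daemon default applies, which the audit
            # cannot prove is the hardened value, so treat it as a failure.
            status = "fail"
        elif mode == "eq":
            status = "pass" if actual.lower() == expected else "fail"
        else:  # "max": numeric upper bound
            status = "pass" if actual.isdigit() and int(actual) <= int(expected) else "fail"
        findings.append(Finding(directive, expected, actual, status))
    return findings


def failed_directives(text: str) -> List[str]:
    """Names of directives that deviate from the baseline, in baseline order."""
    return [f.directive for f in audit(parse_sshd_config(text)) if f.status == "fail"]


# Constructed sample input, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
"""

if __name__ == "__main__":
    for f in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{f.status.upper():4} {f.directive}: expected {f.expected}, found {f.actual}")
```

Running it against the sample flags PermitRootLogin (set to yes), MaxAuthTries (6 exceeds the limit of 4) and PermitEmptyPasswords (not set), while PasswordAuthentication and X11Forwarding pass. Treating a missing directive as a failure rather than a pass is the conservative choice real benchmark checks make: the audit reports what it can verify in the file, not what the daemon might default to.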

Defense in Depth / Layered Security

  • Defense in Depth - The coordinated use of multiple security countermeasures to protect information assets.

  • Segmentation - The act or practice of splitting a computer network into zones or subnetworks based on business function or security needs.

    • Uses the following:

      • Physical devices such as routers or switches.

      • Virtual Local Area Networks (VLANs)

      • Air Gaps

  • Control Diversity - Addressing a security concern using multiple controls that don't depend on one another.

    • Administrative / Process

    • Technical

  • Vendor Diversity - Addressing a security concern using multiple vendor products that don't depend on one another.

  • User Training - Reduces the impact of threats & vulnerabilities.