Frameworks

Types of Frameworks

  • Regulatory vs Non-Regulatory
  • National vs International
  • Industry-Specific Frameworks

Industry Standard Frameworks

  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • North American Electric Reliability Corporation (NERC)
  • Center for Internet Security (CIS)
  • Open Web Application Security Project (OWASP)

ISO/IEC 27002: 2013

  • Gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s).
  • It is designed to be used by organizations that intend to:
    • Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001.
    • Implement commonly accepted information controls.
    • Develop their own information security management guidelines.

ISO/IEC 27002: 2013 - Topics

  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operation Security: Procedures and Responsibilities
  • Communication Security
  • System Acquisition, Development, and Maintenance
  • Supplier Relationships
  • Incident Management
  • Business Continuity Management

ISO/IEC 27017: 2015

  • Gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
    • Additional implementation guidance for relevant controls specified in the ISO/IEC 27002.
    • Additional controls with implementation guidance that specifically relate to cloud services.
  • This recommendation provides controls and implementation guidance for both cloud service providers and cloud service customers.

National Institute of Standards and Technology (NIST)

  • U.S. National Standards
  • The Computer Security Resource Center (CSRC) provides NIST's cybersecurity and information security related projects, publications, news, and events.
  • The NIST Cybersecurity Framework (NIST CSF) is a group of related standards that are designed to provide guidance on cybersecurity.
  • Each standard is published as a NIST SP (Special Publication).

NIST Special Publications 800 Series (SP800)

  • SP 800-30 - Guide for Conducting Risk Assessments
  • SP 800-35 - Guide to Information Technology Security Services
  • SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
  • SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

Payment Card Industry Data Security Standard (PCI-DSS)

  • Used by Visa, Mastercard, American Express, and Discover to create common security controls for the protection of Card Holder Data (CHD).
  • Any organization processing credit cards must be compliant.
  • Levels of compliance differ.
  • PCI-DSS control objectives:
    • Build and maintain a secure network.
    • Protect cardholder data.
    • Maintain a vulnerability management program.
    • Regularly monitor and test networks.
    • Maintain a vulnerability management program.

Benchmarks / Security Configuration Guides

  • IASE - Information Assurance Support Environment
  • DoD Security Technical Implementation Guides (STIGs)
    • Contain technical guidance to lock down information systems and software that might otherwise be vulnerable to malicious attacks.
  • Center for Internet Security Benchmarks
    • CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 150 technologies, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world.
  • Platform / Vendor-Specific Guides
    • Network
      • Cisco
    • Operating Systems
      • Microsoft TechNet
    • Web Server
      • Microsoft IIS
      • Apache

Defense in Depth / Layered Security

  • Defense in Depth - The coordinated use of multiple security countermeasures to information assets.
  • Segmentation - The act or practice of splitting a computer network into zones or subnetworks absed on business function or security needs.
    • Uses the following:
      • Physical devices such as routers or switches.
      • Virtual Local Area Networks (VLANs)
      • Air Gaps
  • Control Diversity - Addressing a security concern using multiple controls that don't depend on one another.
    • Administrative / Process
    • Technical
  • Vendor Diversity - Addressing a security concern using multiple vendor products that don't depend on one another.
  • User Training - Reduces the impact of threats & vulnerabilities.
Copy link
On this page
Types of Frameworks
Industry Standard Frameworks
ISO/IEC 27002: 2013
ISO/IEC 27002: 2013 - Topics
ISO/IEC 27017: 2015
National Institute of Standards and Technology (NIST)
NIST Special Publications 800 Series (SP800)
Payment Card Industry Data Security Standard (PCI-DSS)
Benchmarks / Security Configuration Guides
Defense in Depth / Layered Security