Information security policy framework (flashcards)

Q: Contains a series of documents designed to describe the organization's security program
A: Information security policy framework

Q: Information security policy frameworks generally include four different types of documents. What are they?
A: (the answer side of this card is not recorded on the page)

Q: Policies
A: High-level statements of management intent

Q: Common document that is often a part of an organization's information security policy library
A: Information security policy; Data classification policy; Account management policy (three further cards in this group have no term recorded)

Q: Provides mandatory requirements describing how an organization will carry out its information security policies
A: (term not recorded on the card)

Q: Provide examples of standards
A: Devices must have a secure configuration in place prior to deployment

Q: Are detailed step-by-step processes that individuals and organizations must follow in specific circumstances
A: (term not recorded on the card)

Q: Common procedure document
A: Evidence production procedures (two further cards in this group have no term recorded)

Q: Provides best practices and recommendations related to a given concept, technology, or task
A: (term not recorded on the card)

Q: What happens when an organization must deviate from a policy?
A: The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with authority to approve exceptions

Laws and regulations

Q: Security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses
A: The Health Insurance Portability and Accountability Act (HIPAA)

Q: Provides detailed rules about the storage, processing, and transmission of credit and debit card information
A: The Payment Card Industry Data Security Standard (PCI DSS)

Q: Covers financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program
A: The Gramm-Leach-Bliley Act (GLBA)

Q: Applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records
A: The Sarbanes-Oxley (SOX) Act

Q: Requires that educational institutions implement security and privacy controls for student educational records
A: The Family Educational Rights and Privacy Act (FERPA)

Q: Describe the requirements that individual states place on organizations that suffer data breaches regarding notification of the individuals affected by the breach
A: Various state data breach notification laws

Standards and frameworks

Q: Responsible for developing cybersecurity standards across the US federal government
A: The National Institute of Standards and Technology (NIST)

Q: The NIST framework includes what three components?
A: 1. The Framework Core (the card lists only the first; a separate card records The Framework Implementation Tiers as a NIST framework component, and the third component is not recorded)

Q: Once the most commonly used information security standard, but now declining in popularity outside of highly regulated industries that require compliance
A: ISO 27001, from the International Organization for Standardization

Q: Is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA)
A: The Control Objectives for Information and Related Technologies (COBIT)

Q: COBIT divides information technology activities into what four domains?
A: 1. Plan and Organize (the remaining three domains are not recorded on the card)

Q: COBIT addresses each of the four domains by providing what five framework components?
A: 1. COBIT framework (the remaining four components are not recorded on the card)

Q: Offers an alternative model for approaching security architecture from a variety of different perspectives that map to architectural layers
A: The Sherwood Applied Business Security Architecture (SABSA) framework (five further cards cover the SABSA architectural layers, but the layer names are not recorded)

Q: Widely adopted approach to enterprise architecture
A: The Open Group Architecture Framework (TOGAF)

Q: TOGAF divides architecture into four domains. What are they?
A: Business architecture; Applications architecture (the other two domains are not recorded on the cards)

Q: Framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise
A: The Information Technology Infrastructure Library (ITIL)

Q: ITIL covers what five core activities?
A: Service strategy (the remaining four activities are not recorded on the card)

Security controls, audits and assessments

The following definition cards have no term recorded on the page:

- Specific measures that fulfill the security objectives of an organization
- Are security controls that impact the physical world
- Technical controls that enforce confidentiality, integrity, and availability in the digital space
- Procedural mechanisms that an organization follows to implement sound security management practices
- Are formal reviews of an organization's security program or specific compliance issues, conducted on behalf of a third party
- Less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement

Frequently asked questions

What are the core components of a cybersecurity framework?
1. Identify and document cybersecurity goals. This component is used to identify the cybersecurity goals an organization wants to achieve.
2. Set guidelines designed to achieve the cybersecurity goals.
3. Implement cybersecurity processes.
4. Monitor and communicate results.

What is a cybersecurity framework?
A cybersecurity framework provides a common language and set of standards for security leaders across countries and industries to understand their own security postures and those of their vendors.
What is an example of a cybersecurity framework?
In addition to PCI DSS, popular frameworks include the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) and the Center for Internet Security Critical Security Controls (CIS Controls).

What are the two most important control frameworks used in cybersecurity?
The two most common cybersecurity frameworks are the NIST Cybersecurity Framework and ISO 27000, although there are dozens of different frameworks that serve the needs of different industries. Some frameworks are focused on specific industries, while others differ mainly in wording and controls.