What contains a series of documents designed to describe the organization's cybersecurity framework?

Contains a series of documents designed to describe the organization's security program

Information security policy framework

Information security policy frameworks generally include four different types of documents, what are they?

Policies
Standards
Procedures
Guidelines

- High-level statements of management intent
- A statement of the importance of cybersecurity to an organization
- Requirement that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
- Statement of ownership of information created and/or possessed by the organization
- Designation of the chief information security officer (CISO) or other individual as an executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

- Common document that is often a part of an organization's information security policy library
- Provides high level of authority and guidance for the security program

Information security policy

- Common document that is often a part of an organization's information security policy library
- Provides network and system users with clear direction on permissible uses of information resources

- Common document that is often a part of an organization's information security policy library
- Clearly states the ownership of information created or used by the organization

- Common document that is often a part of an organization's information security policy library
- Describes the classification structure used by the organization and the process used to properly assign classifications to data

Data classification policy

- Common document that is often a part of an organization's information security policy library
- Outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction

- Common document that is often a part of an organization's information security policy library
- Describes the account life cycle from provisioning through active use and decommissioning

Account management policy

- Common document that is often a part of an organization's information security policy library
- Sets forth requirements for password length, complexity, reuse, and similar issues

- Provides mandatory requirements describing how an organization will carry out its information security policies
- e.g. the specific configuration settings used for operating systems, the controls put in place for highly sensitive information, etc.

Provide examples of standards

- Devices must have secure configuration in place prior to deployment
- Any deviations from defined security configurations must be approved through a change management process and documented. A process must exist to annually review deviations for continued relevance.
- A process must exist to regularly check the configurations of devices and alert the resource custodian of any changes

- Are detailed step-by-step processes that individuals and organizations must follow in specific circumstances
- e.g. building new systems, releasing code to the production environment, responding to security incidents, etc.

- Common procedure doc
- Describes how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology

- Common procedure doc
- Describes how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence

Evidence production procedures

- Common procedure doc
- Describes the frequency and process of applying patches to applications and systems under the organization's care

- Provides best practices and recommendations related to a given concept, technology, or task
- Not mandatory and offered as helpful advice

What happens when an organization must deviate from a policy?

The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with authority to approve exceptions

Security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses

The Health Insurance Portability and Accountability Act (HIPAA)

- Provides detailed rules about the storage, processing, and transmission of credit and debit card information
- Not a law but a contractual obligation; it applies to credit card merchants and service providers

The Payment Card Industry Data Security Standard (PCI DSS)

- Covers financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.

The Gramm-Leach-Bliley Act (GLBA)

Applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records

The Sarbanes-Oxley (SOX) Act

Requires that educational institutions implement security and privacy controls for student educational records

The Family Educational Rights and Privacy Act (FERPA)

Describes the requirements that individual states place on organizations that suffer data breaches regarding notification of the individuals affected by the breach

Various data breach notification laws

Responsible for developing cybersecurity standards across the US federal government

The National Institute of Standards and Technology (NIST)

The NIST framework includes what three components?

1. The Framework Core
2. The Framework Implementation Tiers
3. The Framework Profiles

- NIST framework
- A set of five security functions that apply across all industries and sectors: identify, protect, detect, respond, and recover
- The framework then divides the functions into categories, subcategories, and informative references

- NIST framework
- Assesses how an organization is positioned to meet cybersecurity objectives
- Essentially a maturity model that describes the current and desired positioning of an organization along a continuum of progress

The Framework Implementation Tiers

- NIST framework
- Describes how a specific organization might approach the security functions covered by the framework core

- Once the most commonly used information security standard but is now declining in popularity outside of highly regulated industries that require compliance
- Includes control objectives covering 14 categories

International Organization for Standardization (ISO 27001)

Is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA)

The Control Objectives for Information and Related Technologies (COBIT)

COBIT divides Information Technology activities into what four domains?

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

COBIT addresses each of the four domains of information technology by providing what five framework components?

1. COBIT framework
2. Process descriptions
3. Control objectives
4. Management guidelines
5. Maturity models

Offers an alternative model for approaching security architecture from a variety of different perspectives that map to architectural layers

The Sherwood Applied Business Security Architecture (SABSA) framework

- SABSA architectural layers
- Contextual security architecture

- SABSA architectural layers
- Conceptual security architecture

- SABSA architectural layers
- Physical security architecture

- SABSA architectural layers
- Component security architecture

- SABSA architectural layers
- Security service management architecture

Widely adopted approach to enterprise architecture

The Open Group Architecture Framework (TOGAF)

The Open Group Architecture Framework (TOGAF) divides architecture into four domains: what are they?

- Business architecture
- Applications architecture
- Data architecture
- Technical architecture

- One of The Open Group Architecture Framework (TOGAF) domains
- Defines governance and organization and explains the interaction between enterprise architecture and business strategy

- One of The Open Group Architecture Framework (TOGAF) domains
- Includes the applications and systems that an organization deploys, the interactions between those systems, and their relation to business processes

Applications architecture

- One of The Open Group Architecture Framework (TOGAF) domains
- Provides the organization's approach to storing and managing information assets

- One of The Open Group Architecture Framework (TOGAF) domains
- Describes the infrastructure needed to support the other architectural domains

Framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise

The Information Technology Infrastructure Library (ITIL)

The Information Technology Infrastructure Library (ITIL) covers what five core activities?

- Service strategy
- Service design
- Service transition
- Service operation
- Continual service improvement

Specific measures that fulfill the security objectives of an organization

Are security controls that impact the physical world

- Technical controls that enforce confidentiality, integrity, and availability in the digital space
- e.g. firewall rules, access control lists, intrusion prevention systems, and encryption

- Procedural mechanisms that an organization follows to implement sound security management practices
- e.g. user account reviews, employee background investigations, log reviews, and separation of duties policies

Are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party

Less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement

What are the core components of a cybersecurity framework?

1. Identify and document cybersecurity goals. This component is used to identify the cybersecurity goals an organization wants to achieve.
2. Set guidelines designed to achieve cybersecurity goals.
3. Implement cybersecurity processes.
4. Monitor and communicate results.

What is a cybersecurity management framework?

A cybersecurity framework provides a common language and set of standards for security leaders across countries and industries to understand their security postures and those of their vendors.

What is an example of a cyber security framework?

In addition to PCI DSS, popular frameworks include:

- The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- The Center for Internet Security Critical Security Controls (CIS)

What are the two important control frameworks used in cybersecurity?

The two most common cybersecurity frameworks are the NIST Cybersecurity Framework and ISO-27000, although there are dozens of different frameworks that serve the needs of different industries. Some frameworks are focused around specific industries while others just vary in wording and controls.