Contains a series of documents designed to describe the organization's security program
Information security policy framework
Information security policy frameworks generally include four different types of documents. What are they?
Policies
Standards
Procedures
Guidelines
- High-level statements of management intent
- A statement of the importance of cybersecurity to an organization
- Requirement that all staff and contractors take measures to protect the confidentiality, integrity, and availability of information and information systems
- Statement of ownership of information created and/or possessed by the organization
- Designation of the chief information security officer (CISO) or other individual as an executive responsible for cybersecurity issues
- Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy
- Common document that is often a part of an organization's information security policy library
- Provides a high level of authority and guidance for the security program
Information security policy
- Common document that is often a part of an organization's information security policy library
- Provides network and system users with clear direction on permissible uses of information resources
- Common document that is often a part of an organization's information security policy library
- Clearly states the ownership of information created or used by the organization
- Common document that is often a part of an organization's information security policy library
- Describes the classification structure used by the organization and the process used to properly assign classifications to data
Data classification policy
- Common document that is often a part of an organization's information security policy library
- Outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction
- Common document that is often a part of an organization's information security policy library
- Describes the account life cycle from provisioning through active use and decommissioning
Account management policy
- Common document that is often a part of an organization's information security policy library
- Sets forth requirements for password length, complexity, reuse, and similar issues
- Provides mandatory requirements describing how an organization will carry out its information security policies
- e.g. the specific configuration settings used for operating systems, the controls put in place for highly sensitive information, etc.
Provide examples of standards
- Devices must have secure configuration in place prior to deployment
- Any deviations from defined security configurations must be approved through a change management process and documented. A process must exist to annually review deviations for continued relevance.
- A process must exist to regularly check the configurations of devices and alert the resource custodian of any changes
- Are detailed step-by-step processes that individuals and organizations must follow in specific circumstances
- e.g. building new systems, releasing code to the production environment, responding to security incidents, etc.
- Common procedure doc
- Describes how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology
- Common procedure doc
- Describes how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence
Evidence production procedures
- Common procedure doc
- Describes the frequency and process of applying patches to applications and systems under the organization's care
- Provides best practices and recommendations related to a given concept, technology, or task
- Not mandatory and offered as helpful advice
What happens when an organization must deviate from a policy?
The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with authority to approve exceptions
Security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses
The Health Insurance Portability and Accountability Act (HIPAA)
- Provides detailed rules about the storage, processing, and transmission of credit and debit card information
- Not a law but a contractual obligation; it applies to credit card merchants and service providers
The Payment Card Industry Data Security Standard (PCI DSS)
- Covers financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.
The Gramm Leach Bliley Act (GLBA)
Applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records
The Sarbanes-Oxley (SOX) Act
Requires that educational institutions implement security and privacy controls for student educational records
The Family Educational Rights and Privacy Act (FERPA)
Describes the requirements that individual states place on organizations that suffer data breaches regarding notification of the individuals affected by the breach
Various data breach notification laws
Responsible for developing cybersecurity standards across the US federal government
The National Institute of Standards and Technology (NIST)
The NIST framework includes what three components?
1. The Framework Core
2. The Framework Implementation Tiers
3. The Framework Profiles
- NIST framework
- A set of five security functions that apply across all industries and sectors: Identify, Protect, Detect, Respond, and Recover
- The framework then divides the functions into categories, subcategories, and informative references
- NIST framework
- Assesses how an organization is positioned to meet cybersecurity objectives
- Essentially a maturity model that describes the current and desired positioning of an organization along a continuum of progress
The Framework Implementation Tiers
- NIST framework
- Describes how a specific organization might approach the security functions covered by the framework core
- Once the most commonly used information security standard, but now declining in popularity outside of highly regulated industries that require compliance
- Includes control objectives covering 14 categories
International Organization for Standardization (ISO) 27001
Is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA)
The Control Objectives for Information and Related Technologies (COBIT)
COBIT divides Information Technology activities into what four domains?
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
COBIT addresses each of the four domains of information technology by providing what five framework components?
1. COBIT framework
2. Process descriptions
3. Control objectives
4. Management guidelines
5. Maturity models
Offers an alternative model for approaching security architecture from a variety of different perspectives that map to architectural layers
The Sherwood Applied Business Security Architecture (SABSA) framework
- SABSA architectural layers
- Contextual security architecture
- SABSA architectural layers
- Conceptual security architecture
- SABSA architectural layers
- Physical security architecture
- SABSA architectural layers
- Component security architecture
- SABSA architectural layers
- Security Service management architecture
Widely adopted approach to enterprise architecture
The Open Group Architecture Framework (TOGAF)
The Open Group Architecture Framework (TOGAF) divides architecture into four domains: what are they?
- Business architecture
- Applications architecture
- Data architecture
- Technical architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Defines governance and organization and explains the interaction between enterprise architecture and business strategy
- One of The Open Group Architecture Framework (TOGAF) domains
- Includes the applications and systems that an organization deploys, the interactions between those systems and their relation to business processes
Applications architecture
- One of The Open Group Architecture Framework (TOGAF) domains
- Provides the organization's approach to storing and managing information assets
- One of The Open Group Architecture Framework (TOGAF) domains
- Describes the infrastructure needed to support the other architectural domains
Framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise
The Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) covers what five core activities?
- Service strategy
- Service design
- Service transition
- Service operation
- Continual service improvement
Specific measures that fulfill the security objectives of an organization
Are security controls that impact the physical world
- Technical controls that enforce confidentiality, integrity, and availability in the digital space
- e.g. firewall rules, access control lists, intrusion prevention systems, and encryption
- Procedural mechanisms that an organization follows to implement sound security management practices
- e.g. user account reviews, employee background investigations, log reviews, and separation of duties policies
Are formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party
Less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement