Cyber security standards and Controls
by Erlan Bakiev, Ph.D.
Cybersecurity standards
• Cybersecurity standards are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization.
• This environment includes:
  • users themselves
  • networks
  • devices
  • all software
  • processes
  • information in storage or transit
  • applications
  • services
  • systems that can be connected directly or indirectly to networks
Cybersecurity standards cont.
• The principal objective: to reduce the risks, including prevention or mitigation of cyber-attacks.
• These published materials consist of collections of:
  • tools
  • policies
  • security concepts
  • security safeguards
  • guidelines
  • risk management approaches
  • actions
  • training
  • best practices
  • assurance and technologies
What is a Cyber Security Framework?
• Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber security risk management. The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities that hackers and other cyber criminals may exploit.
NIST Cybersecurity Framework (NIST CSF)
• The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• It provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.
• It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
ISO/IEC 27001 and 27002
• ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, the last revision of which was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
• Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.
• ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.
ISO/IEC 27001 and 27002 Cont.
• ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard.
• The latest version of BS 7799 is BS 7799-3.
• ISO/IEC 27002 is a high-level guide to cybersecurity.
• It is most beneficial as explanatory guidance for the management of an organization seeking certification to the ISO/IEC 27001 standard.
• Once obtained, the certification lasts three years.
• Depending on the auditing organization, some or no intermediate audits may be carried out during the three years.
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) is a global framework for any organization that processes, stores, or transmits cardholder information. Launched in 2004 by the major credit card companies American Express, Discover, JCB, MasterCard, and VISA, the framework aims to keep cardholder information safe and reduce fraud.
• To do this, PCI DSS outlines four compliance levels, depending on the organization's transactions per annum, and 12 required steps that meet security best practices.
HIPAA
• HIPAA provides a cybersecurity framework for patients' protected health information (PHI).
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation for healthcare compliance. An act of the US Congress created by lawyers and lawmakers, HIPAA applies to "covered entities," including health providers, health plans and insurance companies, and health clearinghouses. Although there is no official certification, HIPAA compliance is enforced by the US Department of Health and Human Services' Office for Civil Rights (OCR).
SOX
• The Sarbanes-Oxley IT General Controls (SOX ITGC) are a subset of the broader Sarbanes-Oxley Act and set financial reporting requirements for all companies preparing for an initial public offering (IPO) and for publicly traded companies across all industries.
• SOX ITGC attests to the integrity of the data and processes of internal financial reporting controls, including applications, operating systems, databases, and the supporting IT infrastructure. Controls in this framework encompass access to programs and data, program changes, computer operations, and program development.
GDPR
• The General Data Protection Regulation (GDPR) is a framework passed by the European Union (EU) to protect the data privacy and security of its citizens. Enacted in 2016, the GDPR impacts all organizations that collect and process the data of EU citizens, regardless of where the company is located.
Security controls
• Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Classification of Security controls
• According to the time that they act, relative to a security incident:
  • Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
  • During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
  • After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.
Classification of Security controls Cont.
• According to their nature:
  • Physical controls, e.g. fences, doors, locks and fire extinguishers;
  • Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
  • Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
  • Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
International information security standards
• ISO/IEC 27001 specifies 114 controls in 14 groups:
  • A.5: Information security policies
  • A.6: How information security is organized
  • A.7: Human resources security (controls that are applied before, during, or after employment)
  • A.8: Asset management
  • A.9: Access controls and managing user access
  • A.10: Cryptographic technology
  • A.11: Physical security of the organization's sites and equipment
  • A.12: Operational security
  • A.13: Secure communications and data transfer
  • A.14: Secure acquisition, development, and support of information systems
  • A.15: Security for suppliers and third parties
  • A.16: Incident management
  • A.17: Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18: Compliance, with internal requirements, such as policies, and with external requirements, such as laws
U.S. Federal Government information security standards
• From NIST Special Publication SP 800-53 revision 4:
  • AC: Access Control
  • AT: Awareness and Training
  • AU: Audit and Accountability
  • CA: Security Assessment and Authorization (CA is a historical abbreviation)
  • CM: Configuration Management
  • CP: Contingency Planning
  • IA: Identification and Authentication
  • IR: Incident Response
  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical and Environmental Protection
  • PL: Planning
  • PS: Personnel Security
  • RA: Risk Assessment
  • SA: System and Services Acquisition
  • SC: System and Communications Protection
  • SI: System and Information Integrity
  • PM: Program Management
Standards & Framework.ppt
Thank you