ISO/IEC 27000
Also called the ISO cybersecurity model. A series of information security standards, or best practices, that help organizations improve their information security. These standards set out comprehensive requirements for an information security management system (ISMS).
information security management system (ISMS)
Consists of all the administrative, technical, and operational controls that address information security within an organization.
risk assessment
Domain of the ISO 27000 standard. The first step in the risk management process; it determines the quantitative and qualitative value of the risk related to a specific situation or threat.
security policy
Domain of the ISO 27000 standard. This document addresses the constraints and behaviors of individuals within an organization, and often specifies how data can be accessed and what data is accessible by whom.
organization of information security
Domain of the ISO 27000 standard. This is the governance model set out by an organization for information security.
asset management
Domain of the ISO 27000 standard. This is an inventory of, and classification scheme for, the information assets within an organization.
human resources security
Domain of the ISO 27000 standard. This refers to the security procedures in place for employees joining, moving within, and leaving an organization.
physical and environmental security
Domain of the ISO 27000 standard. This refers to the physical protection of an organization’s facilities and information.
communications and operations management
Domain of the ISO 27000 standard. This refers to the management of the technical security controls of an organization’s systems and networks.
information systems acquisition, development, and maintenance
Domain of the ISO 27000 standard. This refers to security as an integral part of an organization’s information systems.
access control
Domain of the ISO 27000 standard. This describes how an organization restricts access rights to networks, systems, application functions, and data in order to prevent unauthorized user access.
information security incident management
Domain of the ISO 27000 standard. This describes an organization’s approach to anticipating and responding to information security breaches.
business continuity management
Domain of the ISO 27000 standard. This describes the ability of an organization to protect, maintain, and recover business-critical activities following a disruption to its information systems.
compliance
Domain of the ISO 27000 standard. This describes the process of ensuring conformance with information security policies, standards, and regulations.
ISO 27001
Control objectives that make up the 12 domains of ISO 27000. Control objectives define the high-level requirements for implementing a comprehensive information security management system within an organization, and usually provide a checklist to use during an ISMS audit. Passing the audit indicates that an organization is compliant with this standard and gives partners confidence in the security of the organization’s data and operations.
ISO 27002
Controls that make up the 12 domains of ISO 27000. Controls set out how to accomplish an organization’s control objectives. They establish guidelines for implementing, maintaining, and improving the management of information security in an organization.
national cybersecurity workforce framework
Created by the National Institute of Standards and Technology (NIST), this framework organizes cybersecurity work into 7 categories.
operate and maintain
A category of the national cybersecurity workforce framework. Provides the support, administration, and maintenance required to ensure effective and efficient IT system performance and security.
protect and defend
A category of the national cybersecurity workforce framework. Identifies, analyzes, and mitigates threats to internal systems and networks.
investigate
A category of the national cybersecurity workforce framework. Investigates cybersecurity events and/or cyber attacks involving IT resources.
collect and operate
A category of the national cybersecurity workforce framework. Provides specialized denial and deception operations and the collection of cybersecurity information.
analyze
A category of the national cybersecurity workforce framework. Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
oversee and govern
A category of the national cybersecurity workforce framework. Provides leadership, management, direction or development, and advocacy so that an organization may effectively conduct cybersecurity work.
securely provision
A category of the national cybersecurity workforce framework. Conceptualizes, designs, procures, or builds secure IT systems.
CIS critical security controls
A set of critical security controls that help organizations with different levels of resources and expertise at their disposal improve their cyber defenses.
basic controls
Outlines the controls that organizations with limited resources and cybersecurity expertise should implement, i.e., inventory and control of hardware and software assets, continuous vulnerability management, controlled use of administrative privileges, secure configurations for hardware and software, and maintenance, monitoring, and analysis of audit logs.
foundational controls
Outlines the controls that organizations with moderate resources and cybersecurity expertise should implement, i.e., the basic controls plus email and web browser protections, malware defense, limitation and control of network ports, protocols, and services, data recovery capabilities, secure configurations for network devices, boundary defense, data protection, controlled access based on the “need to know” principle, wireless access control, and account monitoring and control.
organizational controls
Outlines the controls that organizations with significant resources and cybersecurity expertise should implement, i.e., the basic and foundational controls plus a security awareness and training program, application software security, incident response and management, and penetration tests and red team exercises.
cloud security alliance (CSA)
Provides security guidance to any organization that uses cloud computing or wants to assess the overall security risk of a cloud provider.
cloud controls matrix (CCM)
Developed by the Cloud Security Alliance (CSA), this is a cybersecurity control framework that maps cloud-specific security controls to leading standards, best practices, and regulations. It is the de facto standard for cloud security assurance and compliance.
statement on standards for attestation engagements (SSAE) 18 service organization control (SOC) 2 audit
This is an independent audit of an organization’s reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. An attestation report confirms that controls are in place at a specific point in time (Type I) or have been managed over a period of at least six months (Type II). These reports give a client organization assurance that controls are in place and operating to protect sensitive data.
cybersecurity maturity model certification (CMMC)
This is aimed at any organization providing a service to the U.S. Department of Defense (DoD) and verifies that these organizations have adequate cybersecurity practices and processes in place to ensure, at a minimum, “basic” cyber hygiene. It establishes five levels that range from “basic cyber hygiene practices” to “enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.”