Security Control Frameworks with full details
Security Control Frameworks
In formalizing its security governance, an organization might implement a security control framework; this is a notional construct outlining the organization’s approach to security, including a list of specific security processes, procedures, and solutions used by the organization. The framework is often used by the organization to describe its security efforts, for both internal tracking purposes and for demonstration to external entities such as regulators and auditors. There are a variety of security frameworks currently popular in the industry, each offering benefits and capabilities, usually designed for a certain industry, type of organization, or approach to security. The following list of framework examples is by no means exhaustive or intended to be exclusive; the security practitioner should have a working familiarity with the frameworks on this list, as well as whatever framework is used by their own organization (if any). Some of these frameworks will be discussed in more detail later in the course.
ISO 27001/27002
The International Standards Organization (ISO) is recognized globally, and it is probably the most pervasive and widely used source of security standards outside the United States (American organizations often use standards from other sources).
ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy. ISO 27002 is a comprehensive list of security controls that can be applied to an organization; the organization uses ISO 27002 to select the controls appropriate to its own ISMS, which the organization designs according to ISO 27001. ISO standards are notably thorough, well-recognized in the industry, and expensive relative to other standards. Use of ISO standards can allow an organization to seek and acquire specific standards-based certification from authorized auditors.
COBIT
Created and maintained by ISACA, the COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT takes a governance and process perspective on resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.
ITIL
ITIL is a set of IT service delivery best practices managed by Axelos, a joint venture between the British government and a private firm. ITIL (formerly the Information Technology Infrastructure Library, now simply the proper name of the framework) concentrates on how an organization’s IT environment should enhance and benefit its business goals. ITIL is also mapped to the ISO 20000 standard, perhaps the only non-ISO standard to have this distinction. This framework also offers the possibility of certification, for organizations that find certification useful.
RMF
NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function): the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). While the NIST SP series is only required to be followed by federal agencies in the United States, it can easily be applied to any kind of organization, as the methods and concepts are universal. Also, like all American government documents, it is in the public domain; private organizations do not have to pay to adopt and use this framework. However, there is no private certification for the NIST framework.
CSA STAR
The Cloud Security Alliance (CSA) is a volunteer organization with participant members from both public and private sectors, concentrating—as the name suggests—on security aspects of cloud computing. The CSA publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. Customers and potential customers can review and consider cloud vendors at no cost by accessing the STAR website. The STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of subjects related to IT and data security; entities that choose to subscribe to the STAR program are required to complete and publish a questionnaire (the Consensus Assessments Initiative Questionnaire (CAIQ), colloquially pronounced “cake”) published by CSA. The STAR program has three tiers, 1–3, in ascending order of complexity. Tier 1 only requires the vendor self-assessment, using the CAIQ. Tier 2 is an assessment of the organization by an external auditor certified by CSA to perform CAIQ audits. Tier 3 is in draft form as of the time of publication of this CBK; it will require continuous monitoring of the target organization by independent, certified entities.
Due Care/Due Diligence
Due care is a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm. An example to clarify the concept: if a customer buys a car from the vendor, the vendor should have designed and constructed the car in a way so that the car can be operated in a normal, expected manner without some defect harming the customer. If the user is driving the car normally on a road and a wheel falls off, the vendor may be culpable for any resulting injuries or damage if the loss of the wheel is found to be the result of insufficient care on the part of the vendor (if, say, the wheel mount was poorly designed, or the bolts holding the wheel were made from a material of insufficient strength, or the workers assembling the car did so in a careless or negligent way). This duty is only required for reasonable situations; if, for instance, the customer purposefully drove the car into a body of water, the vendor does not owe the customer any assurance that the car would protect the customer, or even that the car would function properly in that circumstance.
NOTE: There is a joke regarding the standard of reasonableness that lawyers use—“Who is a reasonable person? The court. The court is a reasonable person.” Meaning that the “standard” is actually quite ambiguous and arbitrary: the outcome of a case hinging on a determination of “reasonable” action is wholly dependent on a specific judge on a specific day, and judges are only people with opinions.
Due diligence, then, is any activity used to demonstrate or provide due care. Using the previous example, the car vendor might engage in due diligence activities such as quality control testing (sampling cars that come off the production line for construction/assembly defects), subjecting itself to external safety audit, prototype and regular safety testing of its vehicles to include crash testing, using only licensed and trained engineers to design their products, and so forth. All of these actions, and documentation of these actions, can be used to demonstrate that the vendor provided due care by performing due diligence. In the IT and IT security arena, due diligence can also take the form of reviewing vendors and suppliers for adequate provision of security measures; for instance, before an organization uses an offsite storage vendor, the organization should review the vendor’s security governance, and perhaps even perform a security audit of the vendor to ensure that the security provided by the vendor is at least equivalent to the security the organization itself provides to its own customers. Another form of due diligence for security purposes could be proper review of personnel before granting them access to the organization’s data, or even before hiring; this might include background checks and personnel assurance activities. (Personnel security measures, which provide a measure of due diligence, will be discussed in more detail later in this domain.)
NOTE: In recent years, regulators and courts (both of which are often tasked with determining sufficient provision of due care) have found certain activities to be insufficient for the purpose of ensuring due diligence, even though those activities were previously sufficient. Specifically, publishing a policy is an insufficient form of due diligence; to meet the legal duty, an organization must also have a documented monitoring and enforcement capability in place and active to ensure the organization is adhering to the policy.