User:Shawndouglas/sandbox/sublevel3

From LIMSWiki
Jump to navigationJump to search

What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.[1] Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.

Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."[2] Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.[3]

Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. According to at least one authority, the top four cybersecurity standards frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.[4] These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:

Table 2. Examples of cybersecurity standards frameworks and standards
Name Developer Framework type Industry
ANSI/ISA 62443 Standards[5] ISA Control and Program Industrial automation and control systems
Baseline Cyber Security Controls for Small and Medium Organizations[6] Canadian Centre for Cyber Security Control Industry-neutral; small and medium organizations
Center for Internet Security (CIS) Controls[7] Center for Internet Security Control Industry-neutral
Cloud Controls Matrix[8] Cloud Security Alliance Control Cloud services and implementation
Code Quality Standards[9] Consortium for Information & Software Quality Control Software development
Control Objectives for Information and Related Technologies (COBIT)[10] Information Systems Audit and Control Association Program Industry-neutral
Critical Infrastructure Protection (CIP) Standards[11] North American Electric Reliability Corporation Control Utilities
Cybersecurity Assessment Tool[12] Federal Financial Institutions Examination Council Control Financial services
Essential Cybersecurity Controls (ECC - 1: 2018)[13] National Cybersecurity Authority of Saudi Arabia Control Industry-neutral
ETSI TR 103 305 V1.1.1[14] European Telecommunications Standards Institute Control Telecommunications
Federal Information Processing Standards (FIPS)[15] National Institute of Standards and Technology Control Industry-neutral
HISO 10029:2015 Health Information Security Framework[16] New Zealand Ministry of Health Control Healthcare
HITRUST CSF[17] HITRUST Alliance Risk Industry-neutral
ISO/IEC 15408-1:2009[18] International Organization for Standardization Program Industry-neutral
ISO/IEC 27001:2013[19] International Organization for Standardization Program Industry-neutral
NIST Cybersecurity Framework[20] National Institute of Standards and Technology Program Industry-neutral
NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations[21] National Institute of Standards and Technology Control Industry-neutral; U.S. federal information systems and organizations
NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations[22] National Institute of Standards and Technology Control Industry-neutral; U.S. non-federal information systems and organizations
OCTAVE Allegro[23] Software Engineering Institute Risk Industry-Neutral
Payment Card Industry Data Security Standards (PCI DSS) V3.2.1[24] PCI Security Standards Council, LLC Control "All entities involved in payment card processing"
Protective Security Requirements[25] New Zealand Security Intelligence Service Program Industry-neutral
Secure Controls Framework[26] Secure Controls Framework Council, LLC Control Industry-neutral
Sherwood Applied Business Security Architecture (SABSA)[27] The SABSA Institute C.I.C. Program and Risk Enterprise-level business
Standard of Good Practice for Information Security 2018[28] Information Security Forum Ltd. Control Industry-neutral
System and Organization Controls for Cybersecurity (SOC-C)[29] Association of International Certified Professional Accountants Control Industry-neutral
Water Sector Cybersecurity Risk Management Guidance v3.0[30] American Water Works Association Risk Water and wastewater

Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 4 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.[4] NIST SP 800-53, Rev. 4 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."[31][32]

References

  1. "Understanding Cybersecurity Standards" (PDF). CGI, Inc. April 2019. https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf. Retrieved 23 July 2020. 
  2. Rayome, A.D. (7 March 2019). "How to choose the right cybersecurity framework". TechRepublic. CBS Interactive. https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/. Retrieved 23 July 2020. 
  3. Slade, R.M. (2011). "Security Frameworks" (PDF). Illinois Institute of Technology. http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf. Retrieved 23 July 2020. 
  4. 4.0 4.1 Watson, M. (17 January 2019). "Top 4 cybersecurity frameworks". IT Governance USA Blog. GRC International Group plc. https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks. Retrieved 23 July 2020. 
  5. "The 62443 series of standards" (PDF). ISA. December 2016. https://cdn2.hubspot.net/hubfs/3415072/Resources/The%2062443%20Series%20of%20Standards.pdf. Retrieved 23 July 2020. 
  6. "Baseline Cyber Security Controls for Small and Medium Organizations". Canadian Centre for Cyber Security. 20 November 2019. https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations. Retrieved 23 July 2020. 
  7. "The 20 CIS Controls & Resources". CIS Controls. 2019. https://www.cisecurity.org/controls/cis-controls-list/. Retrieved 23 July 2020. 
  8. "Cloud Controls Matrix (CCM)". Cloud Security Alliance. https://cloudsecurityalliance.org/research/cloud-controls-matrix/. Retrieved 23 July 2020. 
  9. "Code Quality Standards". Consortium for Information & Software Quality. 2019. https://www.it-cisq.org/standards/code-quality-standards/index.htm. Retrieved 23 July 2020. 
  10. "COBIT 4.1: Framework for IT Governance and Control". Information Systems Audit and Control Association. 2019. Archived from the original on 21 January 2020. https://web.archive.org/web/20200121085305/http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx. Retrieved 23 July 2020. 
  11. "CIP Standards". North American Electric Reliability Corporation. 2017. https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx. Retrieved 23 July 2020. 
  12. "Cybersecurity Assessment Tool". Federal Financial Institutions Examination Council. May 2017. https://www.ffiec.gov/cyberassessmenttool.htm. Retrieved 23 July 2020. 
  13. "Essential Cybersecurity Controls (ECC - 1: 2018)" (PDF). National Cybersecurity Authority of Saudi Arabia. 2018. https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf. Retrieved 23 July 2020. 
  14. "Critical Security Controls for Effective Cyber Defence" (PDF). European Telecommunications Standards Institute. May 2015. https://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf. Retrieved 23 July 2020. 
  15. "Compliance FAQs: Federal Information Processing Standards (FIPS)". Standards.gov. National Institute of Standards and Technology. 15 November 2019. https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips. Retrieved 23 July 2020. 
  16. "HISO 10029:2015 Health Information Security Framework". New Zealand Ministry of Health. 21 June 2019. https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework. Retrieved 23 July 2020. 
  17. "HITRUST CSF". HITRUST Alliance. 2019. https://hitrustalliance.net/hitrust-csf/. Retrieved 23 July 2020. 
  18. "ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model". International Organization for Standardization. January 2014. https://www.iso.org/standard/50341.html. Retrieved 23 July 2020. 
  19. "ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements". International Organization for Standardization. 3 June 2019. https://www.iso.org/standard/54534.html. Retrieved 23 July 2020. 
  20. "Cybersecurity Framework". Cybersecurity Framework. National Institute of Standards and Technology. 2019. https://www.nist.gov/cyberframework. Retrieved 23 July 2020. 
  21. "NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. 22 January 2015. https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. Retrieved 23 July 2020. 
  22. "NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". Computer Security Resource Center. National Institute of Standards and Technology. February 2020. https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final. Retrieved 23 July 2020. 
  23. Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. (2007). "Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process". Software Engineering Institute. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419. Retrieved 23 July 2020. 
  24. "Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures". PCI Security Standards Council, LLC. May 2018. https://www.pcisecuritystandards.org/document_library. Retrieved 23 July 2020. 
  25. "Protective Security Requirements". New Zealand Security Intelligence Service. August 2019. https://www.protectivesecurity.govt.nz/. Retrieved 23 July 2020. 
  26. "Secure Controls Framework (SCF)". Secure Controls Framework Council, LLC. 2019. https://www.securecontrolsframework.com/secure-controls-framework. Retrieved 23 July 2020. 
  27. "SABSA Executive Summary". The SABSA Institute C.I.C. 2018. https://sabsa.org/sabsa-executive-summary/. Retrieved 23 July 2020. 
  28. "The ISF Standard of Good Practice for Information Security 2018". Information Security Forum Ltd. 2018. https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/. Retrieved 23 July 2020. 
  29. "SOC for Cybersecurity". Association of International Certified Professional Accountants. 2019. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html. Retrieved 23 July 2020. 
  30. West Yost Associates (4 September 2019). "Water Sector Cybersecurity Risk Management Guidance". American Water Works Association. https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance. Retrieved 23 July 2020. 
  31. "NIST Marks Fifth Anniversary of Popular Cybersecurity Framework". National Institute of Standards and Technology. 12 February 2019. https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework. Retrieved 23 July 2020. 
  32. Perry, J. (16 April 2019). "Explaining the Breakout Success of the NIST Cybersecurity Framework". Infosecurity Magazine. Reed Exhibitions Limited. https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/. Retrieved 23 July 2020.