From the course: Certified Information Security Manager (CISM) Cert Prep (2022): 1 Information Security Governance

Control frameworks

- [Instructor] Security professionals have a wide variety of responsibilities, and they typically oversee the design, implementation, and management of many different controls that protect confidentiality, integrity, and availability. It's important to make sure that these controls provide adequate levels of protection and cover many different risks. It's quite a challenge to build a comprehensive security program. Fortunately, security professionals in an organization don't have to start with a blank piece of paper when they design their security programs. They can use security control frameworks to help ensure that they're covering all the bases and building controls that protect the organization against many foreseeable risks. There are many different control frameworks covering information security. We'll take a look at a few of the most common ones.

The Control Objectives for Information Technology, or COBIT, is a security control framework developed by the Information Systems Audit and Control Association. This framework is very often used by auditors, and it has a strong focus on linking business goals with the functions of information security. COBIT is a very detailed document. It covers six different principles: meeting stakeholder needs, enabling a holistic approach, creating a dynamic governance system, separating governance from management, tailoring the governance system to enterprise needs, and covering the enterprise end to end. COBIT also contains implementation guidance to help organizations who are trying to implement the framework in their enterprise.

The International Organization for Standardization also publishes a series of control frameworks covering security and privacy issues. The first of these, ISO 27001, covers information security management systems. It provides generalized control objectives that organizations might strive to achieve. ISO 27001 is a very commonly used standard, as many organizations follow ISO standards for a variety of their business functions. ISO 27002 provides additional detail, going beyond control objectives and describing the specific controls that organizations might use to achieve their goals. ISO 27701 provides guidance for managing privacy rather than security controls. Now when you see an ISO standard mentioned, be sure to look at the number carefully. It's easy to confuse ISO 27001, which covers security, with ISO 27701, which covers privacy. Finally, ISO 31000 provides guidance for risk management programs.

Government agencies and contractors have a standard all their own. The National Institute for Standards and Technology publishes a document called the Security and Privacy Controls for Federal Information Systems and Organizations. It's known as NIST Special Publication 800-53, or more commonly just NIST 800-53. While this standard is mandatory for federal government agencies, many other organizations use this standard as well. Let's take a look at the detailed contents of NIST 800-53. It contains over 400 pages of information about building a security program for government agencies and other organizations. If we take a quick look at the Table of Contents, you'll see that after an introduction, it goes through the fundamentals of information security, talking about multi-tiered risk management, security control structures, baselines and designations, the use of external service providers, and how to assess assurance and trustworthiness for information systems. It then goes into the process of implementing security and privacy controls, talking about selecting an appropriate security control baseline, and then tailoring that baseline to the specific needs of the organization, creating overlays, and documenting the control selection process for both new development and legacy systems.

NIST also publishes a Cybersecurity Framework that's free for anyone to use. The goal of this Framework is to provide a common language for understanding, managing, and describing cybersecurity risks. With this common language, organizations can have more productive conversations among themselves and with external partners, such as auditors and government agencies. The Framework is also designed to help organizations identify and prioritize the actions they might take to reduce cybersecurity risk and to manage any residual risk. Having a Framework also helps organizations align their security actions across control types. Now that said, the Framework may mean different things to different people, and that's okay. Some organizations may undertake the exercise of mapping all of their controls to the Framework and building their next-generation security program with the NIST Cybersecurity Framework in mind. Others may simply use the CSF as a reference to help identify whether they've missed any critical security controls. You can find the NIST Cybersecurity Framework on the web. It's a free download from the NIST website.

Let's go ahead and take a look at the Cybersecurity Framework. Here's a high-level look at the Framework. It consists of five different Functions: Identify, Protect, Detect, Respond, and Recover. Now these are, in very, very broad terms, the things that we do in cybersecurity. The Framework then divides those Functions into Categories. They're not shown here on the screen yet. We'll take a look at those in a moment. Then each of these Categories is divided into Subcategories. And then the Framework provides references that have detail about each one of those Subcategories. As you can see, it's really just a framework where you can start plugging in the things that you're going to do to achieve each of the core cybersecurity Functions.

Here's a look at a little more detail about the Framework. We're now taking the Functions and expanding it into the Categories. So we have five Functions, which are divided into 22 total Categories. So for example, for the Identify Function, the Cybersecurity Framework gives six Categories: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management. The Framework then goes into a much higher level of detail when you start breaking out the Subcategories. So in the Asset Management Category of the Identify Function, we have Subcategories that talk about things like an inventory of physical devices and systems, an inventory of software platforms and applications, mapping organizational communication and data flows, and so on. As you can see, we're getting into the real details of security here, and there are quite a few references to the other standards for each one of these Subcategories for people who are looking for more detail on how you might go about achieving these goals. Now remember, what you're looking at here is the detail for one Category of one Function. Remember that there are five different Functions and 22 total Categories. So this Cybersecurity Framework winds up being a lengthy document.

Security control frameworks like this one play an important role in cybersecurity. While most organizations don't follow them letter for letter, these frameworks do provide a useful tool for designing appropriate controls for any organization.
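The transcript describes using the CSF as a reference to spot missed controls by mapping an organization's controls onto the Function/Category/Subcategory hierarchy. The following is an added example of that gap check in Python; it is not course material. It models only the Identify Function's six Categories as named in the transcript, uses the CSF 1.1 Subcategory identifiers (ID.AM-1 and so on, which the transcript does not give) with the other Categories abbreviated to one Subcategory each, and the control inventory is constructed, including one deliberately bad mapping.

```python
# Added example: coverage gap check against the NIST CSF hierarchy
# (Function -> Category -> Subcategory). Only the Identify Function is
# modelled; Categories beyond Asset Management are abbreviated to one
# Subcategory each. The control inventory below is constructed.
CSF = {
    "Identify": {
        "Asset Management": ["ID.AM-1", "ID.AM-2", "ID.AM-3"],
        "Business Environment": ["ID.BE-1"],
        "Governance": ["ID.GV-1"],
        "Risk Assessment": ["ID.RA-1"],
        "Risk Management Strategy": ["ID.RM-1"],
        "Supply Chain Risk Management": ["ID.SC-1"],
    },
}

# Constructed inventory; "ID.SC-9" is a deliberate typo to show how bad
# mappings are caught rather than silently counted as coverage.
CONTROLS = [
    {"control": "CMDB hardware inventory, reconciled weekly", "maps_to": ["ID.AM-1"]},
    {"control": "Endpoint agent software inventory", "maps_to": ["ID.AM-2"]},
    {"control": "Annual enterprise risk assessment", "maps_to": ["ID.RA-1"]},
    {"control": "Board-approved security policy", "maps_to": ["ID.GV-1"]},
    {"control": "Vendor security questionnaire", "maps_to": ["ID.SC-1", "ID.SC-9"]},
]

def _covered(controls):
    return {sub for c in controls for sub in c["maps_to"]}

def coverage_gaps(framework, controls):
    """Return {function: {category: [uncovered subcategory ids]}}."""
    covered, gaps = _covered(controls), {}
    for function, categories in framework.items():
        for category, subcats in categories.items():
            missing = [s for s in subcats if s not in covered]
            if missing:
                gaps.setdefault(function, {})[category] = missing
    return gaps

def category_coverage(framework, controls):
    """Fraction of each Category's Subcategories that some control maps to."""
    covered = _covered(controls)
    return {cat: round(sum(s in covered for s in subs) / len(subs), 2)
            for cats in framework.values() for cat, subs in cats.items()}

def unknown_mappings(framework, controls):
    """Subcategory ids referenced by controls but absent from the framework."""
    known = {s for cats in framework.values() for subs in cats.values() for s in subs}
    return _covered(controls) - known

if __name__ == "__main__":
    print("gaps:", coverage_gaps(CSF, CONTROLS))
    print("coverage:", category_coverage(CSF, CONTROLS))
    print("unknown ids:", unknown_mappings(CSF, CONTROLS))
```

Adding the remaining Functions and Subcategories is a matter of extending the CSF dictionary; the functions are independent of which slice of the Framework is loaded.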