From the course: Cybersecurity Foundations

Cybersecurity standards of good practice

- [Instructor] There are a number of industry standards of good practice which provide guidance on cybersecurity. The most well-known is the ISF Standard of Good Practice. It's essentially a risk and control framework for managing cybersecurity. The Standard of Good Practice is consistent with the major recognized information security standards such as ISO 27002, the NIST Cybersecurity Framework, COBIT and the PCI DSS control standards. It also aligns with the controls required to satisfy Europe's General Data Protection Regulation. It incorporates the ISF Risk Assessment Methodology, or IRAM, which presents a risk management scheme with the three phases of business impact assessment, threat and vulnerability assessment, and control selection.

Let's have a look at what the ISF controls look like. The ISF Standard of Good Practice structures its controls into categories, areas, and topics. Let's have a look at the security monitoring and improvement category. It has two areas and eight topics. The two areas are security audit, with its five topics, and security improvement, with its three. If we dig down into security monitoring, topic S 12.1, it has a principle: "The information security condition of the organization should be monitored regularly and reported to executive management." And an objective: "To provide the executive management with an accurate, comprehensive, and coherent assessment of the information security condition of the organization." The Standard of Good Practice is a comprehensive industry approach to security, but it is only available to members of the Information Security Forum.

The Central Bank of the Netherlands, DNB, has published a cybersecurity standard of good practice as guidance for the financial sector. This is freely available from their website. As we can see, it takes a risk and testing perspective on controls. The standard is structured into categories, with each having one or more controls. There are almost 60 controls detailed in the standard across these categories. The standard contains a maturity model in support of the process category. Here we see five levels of maturity, starting with initial and progressing through repeatable, defined, managed and measured, to continuous improvement. Each level builds on the previous ones and adds more rigor to the process at each step. Here we see one of the controls. This is the DNB standard of good practice guidance on security and monitoring. The DNB standard isn't as well known as the ISF standard, but it is free and it contains a lot of valuable guidance.