by Erlan Bakiev, Ph.D.
Cyber security standards
and
Controls
 Cybersecurity standards are techniques generally set forth in published
materials that attempt to protect the cyber environment of a user or
organization.
 This environment includes:
 users themselves
 networks
 devices
 all software
 processes
 information in storage or transit
 applications
 services
 systems that can be connected directly or indirectly to networks
Cybersecurity standards
 The principal objective:
 to reduce the risks
 including prevention or mitigation of cyber-attacks.
These published materials consist of collections of:
 tools,
 policies,
 security concepts,
 security safeguards,
 guidelines,
 risk management approaches,
 actions,
 training,
 best practices,
 assurance and technologies.
Cybersecurity standards cont.
 Cyber security frameworks are sets of documents describing
guidelines, standards, and best practices designed for cyber security
risk management. The frameworks exist to reduce an organization's
exposure to weaknesses and vulnerabilities that hackers and other
cyber criminals may exploit.
What is a Cyber Security Framework?
 The NIST Cybersecurity Framework (NIST CSF) provides a policy
framework of computer security guidance for how organizations, originally
US private-sector operators of critical infrastructure, can assess and
improve their ability to prevent, detect, and respond to cyber attacks.
 It provides a high-level taxonomy of cybersecurity outcomes, organised
under the core Functions Identify, Protect, Detect, Respond and Recover
(CSF 2.0, released in 2024, adds Govern), and a methodology to assess and
manage those outcomes.
 It is intended to help private-sector organizations that provide critical
infrastructure with guidance on how to protect it, along with relevant
protections for privacy and civil liberties.
NIST Cybersecurity
Framework (NIST CSF)
 ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards,
is an information security management system (ISMS) standard published
by the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC). The revision these slides
describe was published in October 2013; it was superseded by
ISO/IEC 27001:2022 in October 2022.
 The full name of the 2013 edition is ISO/IEC 27001:2013 – Information
technology – Security techniques – Information security management
systems – Requirements.
 ISO/IEC 27001 formally specifies a management system that is
intended to bring information security under explicit management
control; it is the standard against which an organization is audited
and certified.
ISO/IEC 27001 and 27002
 ISO/IEC 27002 is derived mainly from part 1 of BS 7799, the British
code of practice for information security management (part 2 of BS 7799
became ISO/IEC 27001).
 The latest version of BS 7799 is BS 7799-3, which covers information
security risk management.
 ISO/IEC 27002 is a high-level code of practice: it explains the controls
and how to implement them, but it is not itself a certifiable standard.
 It is most useful as explanatory guidance for an organization's
management when implementing an ISMS and seeking certification to
ISO/IEC 27001.
 A certificate, once obtained, is valid for three years.
 Accredited certification bodies normally carry out surveillance audits
(typically annual) during those three years before the full
recertification audit; the exact schedule depends on the certification
body.
ISO/IEC 27001 and 27002 Cont.
 The Payment Card Industry Data Security Standard (PCI DSS) is a
global standard for any organization that processes, stores, or
transmits cardholder data. First released in 2004 by the major card
brands American Express, Discover, JCB, MasterCard, and Visa (which
formed the PCI Security Standards Council in 2006 to maintain it), the
standard aims to keep cardholder data safe and reduce fraud.
 PCI DSS defines four merchant compliance levels, assigned by each card
brand according to the organization's annual transaction volume, and 12
requirements, each broken down into detailed, testable sub-requirements.
PCI DSS
 HIPAA sets the cybersecurity and privacy requirements for patients'
protected health information (PHI); its Security Rule covers electronic
PHI specifically.
 The Health Insurance Portability and Accountability Act of 1996
(HIPAA) is US federal legislation for healthcare compliance. HIPAA
applies to "covered entities," including health providers, health plans
and insurance companies, and health clearinghouses, and to their business
associates that handle PHI on their behalf. Although there is no official
certification, HIPAA compliance is enforced by the US Department of
Health and Human Services' Office for Civil Rights (OCR).
HIPAA
 The Sarbanes-Oxley IT General Controls (SOX ITGC) are a subset of
the broader Sarbanes-Oxley Act of 2002, which sets financial reporting
requirements for companies preparing for an initial public offering
(IPO) and for publicly traded companies across all industries.
 SOX ITGC attest to the integrity of the data and processes behind
internal financial reporting controls, including applications,
operating systems, databases, and the supporting IT infrastructure.
Controls in this framework cover access to programs and data, program
changes, computer operations, and program development.
SOX
 The General Data Protection Regulation (GDPR) is a regulation
passed by the European Union (EU) to protect the personal data and
privacy of individuals in the EU. Adopted in 2016 and applicable since
25 May 2018, the GDPR affects any organization that collects or
processes the personal data of people in the EU, regardless of where
the organization is located.
GDPR
 Security controls are safeguards or countermeasures to
avoid, detect, counteract, or minimize security risks to
physical property, information, computer systems, or other
assets.
Security controls
 According to the time that they act, relative to a security
incident:
 Before the event, preventive controls are intended to prevent
an incident from occurring e.g. by locking out unauthorized
intruders;
 During the event, detective controls are intended to identify
and characterize an incident in progress e.g. by sounding the
intruder alarm and alerting the security guards or police;
 After the event, corrective controls are intended to limit the
extent of any damage caused by the incident e.g. by recovering
the organization to normal working status as efficiently as
possible.
Classification of Security controls
 According to their nature:
 Physical controls e.g. fences, doors, locks and fire
extinguishers;
 Procedural controls e.g. incident response processes,
management oversight, security awareness and training;
 Technical controls e.g. user authentication (login) and logical
access controls, antivirus software, firewalls;
 Legal and regulatory or compliance controls e.g. privacy laws,
policies and clauses.
Classification of Security controls
Cont.
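The slides illustrate the three time-based classes with physical examples (locks, alarms, recovery). The following added example, which is not from the original slides, applies the same classification to one software problem, password brute-forcing against a login service: an account-lockout rule as the preventive control, burst detection over log lines as the detective control, and blocking plus forced credential reset as the corrective control. The log format, user names, IP addresses and thresholds are constructed assumptions for illustration.

```python
# Added example, not from the original slides. Log format, names, IPs and
# thresholds are assumptions chosen for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication events, not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:04Z auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:06Z auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:07Z auth FAIL user=alice src=203.0.113.7
2024-05-01T10:00:09Z auth OK user=alice src=203.0.113.7
2024-05-01T10:05:00Z auth OK user=bob src=198.51.100.2
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

class LockoutPolicy:
    """Preventive control: after `max_failures` failed logins within `window` the
    account is locked for `lockout`, so even a correct password is then refused."""
    def __init__(self, max_failures=5, window=timedelta(minutes=1), lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def decide(self, ev):
        """Return ALLOW, DENY (bad password) or LOCKED for one event; call in time order."""
        user, ts = ev["user"], ev["ts"]
        if user in self.locked_until and ts < self.locked_until[user]:
            return "LOCKED"
        if ev["result"] == "OK":
            self.failures[user].clear()
            return "ALLOW"
        q = self.failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            q.clear()
        return "DENY"

def detect_bursts(events, threshold=4, window=timedelta(seconds=30)):
    """Detective control: one alert per source IP that produces `threshold`
    failures within `window` (the slide's intruder alarm)."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q),
                           "users": sorted({e["user"] for e in q}),
                           "first": q[0]["ts"], "last": ev["ts"]})
    return alerts

def corrective_actions(alerts, policy):
    """Corrective control: block the source, force a credential reset for each
    targeted user and lift the lock so normal service resumes. Returned as data;
    a real deployment would call the firewall and identity provider here."""
    actions = []
    for a in alerts:
        actions.append(("block_src", a["src"]))
        for user in a["users"]:
            actions.append(("force_password_reset", user))
            policy.locked_until.pop(user, None)
    return actions

def run(text):
    """Apply all three control classes to one log and return their outputs."""
    events = parse_log(text)
    policy = LockoutPolicy()
    decisions = [policy.decide(ev) for ev in events]  # preventive: per attempt
    alerts = detect_bursts(events)                     # detective: over the log
    actions = corrective_actions(alerts, policy)       # corrective: after the fact
    return {"decisions": decisions, "alerts": alerts, "actions": actions}

if __name__ == "__main__":
    for key, value in run(SAMPLE_LOG).items():
        print(key, value)
```

Running it on the sample shows the three classes acting at different times: the preventive lockout refuses the sixth attempt even though that one carries the correct password, the detective rule raises its alert on the fourth failure from the same source, and the corrective step restores service for the victim account only after the credential has been reset and the source blocked.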
 ISO/IEC 27001:2013 Annex A specifies 114 controls in 14 groups
(ISO/IEC 27001:2022 reorganised these into 93 controls under four
themes: organizational, people, physical and technological):
 A.5: Information security policies
 A.6: How information security is organized
 A.7: Human resources security - controls that are applied before, during, or after
employment.
 A.8: Asset management
 A.9: Access controls and managing user access
 A.10: Cryptographic technology
 A.11: Physical security of the organization's sites and equipment
 A.12: Operational security
 A.13: Secure communications and data transfer
 A.14: Secure acquisition, development, and support of information systems
 A.15: Security for suppliers and third parties
 A.16: Incident management
 A.17: Business continuity/disaster recovery (to the extent that it affects information
security)
 A.18: Compliance - with internal requirements, such as policies, and with external
requirements, such as laws.
International information
security standards
 From NIST Special Publication SP 800-53 revision 4, which organises
its security controls into the following 18 families (revision 5,
published in 2020, renames CA to Assessment, Authorization, and
Monitoring and adds PT PII Processing and Transparency and SR Supply
Chain Risk Management).
 AC Access Control.
 AT Awareness and Training.
 AU Audit and Accountability.
 CA Security Assessment and Authorization (the abbreviation is
historical, from the family's earlier name Certification and
Accreditation).
 CM Configuration Management.
 CP Contingency Planning.
 IA Identification and Authentication.
 IR Incident Response.
 MA Maintenance.
 MP Media Protection.
 PE Physical and Environmental Protection.
 PL Planning.
 PS Personnel Security.
 RA Risk Assessment.
 SA System and Services Acquisition.
 SC System and Communications Protection.
 SI System and Information Integrity.
 PM Program Management.
U.S. Federal Government
information security standards
Thank you

Standards & Framework.pdf
