Chapter 1; Early Concepts in Computer Security
Chapter 2; Understanding the NIST Cybersecurity Framework
Chapter 3; Adopting the NIST Cybersecurity Framework
Chapter 4; Understanding The Basics of Cyber Risk
Chapter 5; Analyzing Cyber Threats And Controls
Chapter 6; Recording, Reporting, And The Risk Context
Chapter 7; An Advanced Risk Framework
Chapter 8; Managing Security With COBIT
Chapter 9; COBIT For Operational Security
Chapter 10; Introduction to Cybersecurity Controls
Chapter 11; Cybersecurity Control Framework
Chapter 12; Cybersecurity Standards of Good Practice
Chapter 1; Early Concepts in Computer Security
The era of trusted computing started in the 1980s with the publication of a series of books on the security requirements for systems used by the United States Department of Defense. These books were known as the Rainbow Series. The best known book in the Rainbow Series is the Orange Book, which describes the security design of a computer that can be trusted to handle both unclassified and classified information, known as a multi-level secure, or trusted, computer. The Orange Book describes the security design and subsequent evaluation of security for an information system. It introduces four key concepts in information security: a reference monitor, which mediates access to system resources; a formal security model for reading and writing information; the idea of a trusted computing base as a subsystem containing all the security code; and the testing required to achieve various levels of assurance. The reference monitor concept is an essential element of any system that provides multi-level secure computing facilities and controls. The reference monitor enforces access controls between subjects and objects of the system. The subject may be a user or a program module, and the object may be a data file or a restricted system function. I'll just use the term user as the more common term for subject. The reference monitor has three essential characteristics: it must be tamper-proof, it must always be invoked, and it must be small enough to be completely analyzed and tested. The Orange Book introduces the Bell-LaPadula scheme for managing multi-level information flows. Using this scheme, the book presents two approaches to security. Discretionary access control is used for applying security within the same classification of information, to provide a means of restricting information access on a need-to-know basis. It requires an access control list to be maintained by an administrator who authorizes subjects to access objects. This is the normal folder and file control scheme we use today.
Mandatory access control is the Bell-LaPadula scheme, in which each subject holds a certain level of access rights, or clearance, and each object is labeled at a certain level of sensitivity. The security labels which define the level of sensitivity in the Orange Book include restricted, confidential, secret, and top-secret. Mandatory access control has two rules. The first is the simple security rule, which states that a user at a certain clearance level cannot read anything which has a label at a higher sensitivity level, which by definition they do not have access to. The second is the star security rule, which states that a user at a certain clearance level cannot write down into a file which is labeled at a lower level, as this may expose sensitive information to subjects not cleared to access it. The heart of a trusted computer system is its trusted computing base, or TCB, which contains the elements of the system responsible for security, all within the security perimeter. The TCB includes the hardware, firmware, and software critical to protection. It must be designed and implemented such that nothing outside the trusted computing base is sensitive or relevant to managing security. A TCB should be as simple as possible, consistent with the functions it has to perform, in order to enable adequate testing. The final and probably most important part of the Orange Book is the classification scheme it introduces for evaluating the assurance of systems. In short, the scheme provides for four levels of system assurance and, within each level, one or more tiers. The levels are D1, C1 to C2, B1 to B3, and A1. We'll look further at security assurance
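The two Bell-LaPadula rules and the "always invoked" property of the reference monitor are easier to see in code. The following is an added example written for this page, not code from the Orange Book or from the course; the levels, users, files and the SecureStore wrapper are constructed for the demonstration.

```python
"""Added example (not from the Orange Book or the course): a minimal reference
monitor applying the two Bell-LaPadula mandatory access control rules described
above. Subjects, objects and labels below are constructed sample data."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels / clearances, ordered from lowest to highest."""
    RESTRICTED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass
class Obj:
    name: str
    label: Level
    contents: str = ""


@dataclass
class ReferenceMonitor:
    """Mediates every read and write and keeps an audit trail of each decision."""
    audit: list = field(default_factory=list)

    def permits(self, subject: Subject, obj: Obj, op: str) -> bool:
        if op == "read":
            # Simple security rule: no read up.
            allowed = subject.clearance >= obj.label
        elif op == "write":
            # Star rule: no write down (writing at or above clearance is allowed).
            allowed = subject.clearance <= obj.label
        else:
            raise ValueError(f"unknown operation: {op!r}")
        self.audit.append((subject.name, op, obj.name, "allow" if allowed else "deny"))
        return allowed


class SecureStore:
    """Every access to a stored object goes through the monitor ("always invoked")."""

    def __init__(self, monitor: ReferenceMonitor):
        self.monitor = monitor
        self._objects: dict = {}

    def add(self, obj: Obj) -> None:
        self._objects[obj.name] = obj

    def read(self, subject: Subject, name: str) -> str:
        obj = self._objects[name]
        if not self.monitor.permits(subject, obj, "read"):
            raise PermissionError(f"{subject.name} may not read {name}")
        return obj.contents

    def write(self, subject: Subject, name: str, text: str) -> None:
        obj = self._objects[name]
        if not self.monitor.permits(subject, obj, "write"):
            raise PermissionError(f"{subject.name} may not write {name}")
        obj.contents = text


def demo() -> dict:
    """Constructed scenario: a SECRET-cleared user against two labelled files."""
    monitor = ReferenceMonitor()
    store = SecureStore(monitor)
    store.add(Obj("memo.txt", Level.CONFIDENTIAL, "staff memo"))
    store.add(Obj("plan.txt", Level.TOP_SECRET, "top secret plan"))
    alice = Subject("alice", Level.SECRET)
    results = {}
    for name, op in [("memo.txt", "read"), ("plan.txt", "read"),
                     ("memo.txt", "write"), ("plan.txt", "write")]:
        try:
            if op == "read":
                store.read(alice, name)
            else:
                store.write(alice, name, "note from alice")
            results[(name, op)] = "allow"
        except PermissionError:
            results[(name, op)] = "deny"
    return results


if __name__ == "__main__":
    for key, decision in demo().items():
        print(key, decision)
```

Note that the star rule forbids only writing down: alice, cleared SECRET, may append to the TOP_SECRET file but may not read it, which is exactly the confidentiality-only guarantee Bell-LaPadula gives. The audit list stands in for the logging a real reference monitor would produce.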
Chapter 2; Understanding the NIST Cybersecurity Framework
The inclusion of cyberspace in international critical infrastructures was formally recognized at the 3rd Global Conference on Cyberspace, held in Seoul in 2013, with the publication of the Seoul Framework for Commitment to Open and Secure Cyberspace. It states: "The global and open nature of the internet is a driving force in accelerating progress towards development. Governments, businesses, organizations and individual owners and users of cyberspace must assume responsibility for and take steps to enhance the security of their information technologies." In response to this, in 2014 the US National Institute of Standards and Technology issued the "Framework for Improving Critical Infrastructure Cybersecurity." This NIST Framework has now become the de facto standard for cybersecurity. Let's take a look at it. The NIST Cybersecurity Framework is an action-oriented approach to security and consists of three elements: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core provides a set of activities to achieve cybersecurity, described in the five areas of Identify, Protect, Detect, Respond, and Recover. Together these areas are decomposed into a total of 23 categories of security activities. For example, the Detect area decomposes into the three categories of Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Going deeper, the categories are further decomposed into a set of controls. For example, the Detection Processes category is broken down into five subcategories: roles and responsibilities, compliance with requirements, activities are tested, detection information is communicated, and continuous improvement. Each of these subcategories is referenced to the relevant NIST, ISO, and COBIT standards. The NIST Cybersecurity Framework doesn't introduce its own set of controls.
It provides a higher-level framework which can be used to develop a contemporary cybersecurity profile for an organization, but it relies on existing control frameworks for its implementation.
These are COBIT, ISA/IEC 62443, ISO 27001, and NIST SP 800-53. A draft of the Cybersecurity Framework version 2.0 has been released, and this includes a sixth area called Govern, into which a number of the existing categories in the five other areas have been moved. This change consolidates governance for the framework and adds a new category to explicitly call out a requirement for oversight. It also adds additional subcategory controls.
Chapter 3; Adopting the NIST Cybersecurity Framework
The second component of the NIST Cybersecurity Framework is the framework profile. This is used to align business outcomes and cybersecurity activities, providing a view of risks and a development plan to bridge the two. The third and final component of the NIST Cybersecurity Framework is a maturity model for cybersecurity known as the implementation tiers. The basic level of cybersecurity maturity is the partial implementation tier. This is characterized by enterprise risk management being somewhat ad hoc and reactive, where cybersecurity activities aren't based on risk objectives or business outcomes, and where there's little external collaboration. At the next level of maturity, risk-informed, risk management practices are formalized but may not be adopted across the enterprise. There's informal sharing of cybersecurity information internally, but not externally. The third tier of maturity, repeatable, is where risk management is formalized and mandated as policy, and processes exist to respond to changes in risk. Collaboration and information sharing exist both internally and externally. The highest maturity level, adaptive, extends the third level with the awareness and agility to apply continuous changes to cybersecurity activities as a result of changes to assets, threats, and vulnerabilities. When adopting the cybersecurity framework for an organization, NIST recommends establishing two profiles. The first should represent the current state of cybersecurity as assessed against the subset of enterprise-specific activities that have been selected as being required. This is what cybersecurity looks like now. The second should be the target state of cybersecurity, set as the acceptable level of risk against each of the enterprise-specific activities.
A security plan of prioritized projects can then be defined to close the gap between the current and the target state framework profiles. For an organization that's starting up its cybersecurity program, there are some key actions required to take advantage of the cybersecurity framework. The first is to identify the key business outcomes and then understand the threats and vulnerabilities to those outcomes. Create a profile, conduct a risk assessment, decide on the target profile, determine, analyze, and prioritize the gaps to create the action plan, and establish and execute a program to implement the plan.
Chapter 4; Understanding The Basics of Cyber Risk
Risk is an essential part of doing business, whether it's taking a risk on a merger or acquisition, taking a risk that purchasing new equipment will be a cost-effective investment, or whether there's sufficient plant protection to avoid injuries to workers.
Management needs to understand their level of risk exposure and make sure that it's within their risk appetite. Cybersecurity is, at its heart, the management of risk related to internet-connected businesses. This includes the threat of hackers and malicious software entering from the internet, the vulnerabilities of internet-facing IT systems, and the attack countermeasures, or controls, all of which affect how successful the business will be in meeting desired outcomes.
A standard approach to managing risk has been developed by the National Institute of Standards and Technology, and its application is described in Special Publication 800-30, Guide for Conducting Risk Assessments. The International Standards Organization also provides guidance with its ISO 27005, Information Security Risk Management publication. While there are minor terminology differences, the intent of both documents is the same. Cyber risk focuses on the information technology assets we operate and the services we deliver. It starts with a threat event, which must be analyzed to determine the likelihood that the event will occur. This is done by considering the likely threat actors, their capabilities, and their resources. The intent or motivation also needs to be considered: what is it that drives this threat actor to want to mount an attack? An attacker will only attack if the results outweigh the cost of attacking, and that depends on the value of the target to the threat actor. This could be financial gain, obtaining intelligence, disrupting services, or just peer recognition. Think about the scam emails you've received. Who is the likely threat actor? Might it be just a student looking for a couple of extra dollars, or could it be an East European organized crime gang? Think about their capabilities and what it means for the sophistication of the attack.
The next risk issue to consider is the set of vulnerabilities in the information and processing assets, databases, workstations, servers, and networks, which this event can exploit to cause damage. For instance, a data center in the basement of a building may be vulnerable to a flood event. A website may have a software vulnerability which can be exploited. A server without an uninterruptible power supply would be vulnerable to a power outage. However, not all vulnerabilities are equal. A flood may be catastrophic, with the whole data center out of action for weeks, whereas an attack which exploits a website flaw may just be a nuisance. Then we consider the impact to the business in the event the threat is realized. This is typically done by carrying out a business impact assessment to determine what systems will be affected, how this flows on to business processes, and the cost of service degradation or failure to meet critical levels of performance. Being able to describe a security event as a business impact is a powerful way of gaining the attention and the respect of the business, and of getting a well-balanced business decision on what to do about the threat. Controls may have been put in place to protect the asset, and their effectiveness needs to be considered for each of the feasible threat scenarios. This will then allow calculation of the overall risk.
Chapter 5; Analyzing Cyber Threats And Controls
The cybersecurity risk management program starts with sourcing threat intelligence. Let's have a look at some sources of threat intelligence. A useful catalog of threats can be found in Appendix E of NIST Special Publication 800-30. This catalog provides representative examples of adversarial threat events, expressed as tactics, techniques, and procedures, or TTPs, and of non-adversarial threat events. Another useful source of TTPs is the Mitre ATT&CK site, which is used in Mitre's Cybersecurity Resiliency Framework.
This is a detailed source of information on who the threat actors are and how they carry out their cyber attacks. Many of the threats that have been turned into exploits and are being seen in cyber attacks are listed in the Exploit-DB database. For example, here we see the details of an exploit against the SmartRG Router. There are a number of companies that publish malware analysis reports, such as this one produced by VMRay. These are useful for gaining an insight into the contemporary techniques being used by attackers. There are four possible treatments once an assessment has identified the risk: risk acceptance, where the risk is within the business's appetite; risk avoidance, where it's better to stop doing that line of business than take the risk; risk transfer, where a third party takes the risk, such as insurance to cover the risk should it eventuate; and risk mitigation, where controls are implemented to reduce risk. Risk mitigation, and the protection of business outcomes it provides, means implementing controls in the form of cybersecurity policies, processes, and technical solutions. We'll cover controls shortly.
Chapter 6; Recording, Reporting, And The Risk Context
A key part of risk management is maintaining a record of the risks that have been identified, and where relevant, tracking the progress of work to reduce the risk. The normal way to record risks is in a risk register. This could be a manual record, but more usually it's automated. The basic form of automation is using a spreadsheet. Larger organizations may use the more sophisticated governance risk and controls, or GRC solutions, although the principle as far as managing risk is the same. The risk register contains the basic risk information, such as an ID and name, classification information, and the risk owner. It also contains a summary of the consequences of a risk being realized. The risk information is usually presented in two ways. The first is the inherent risk, assuming no controls are in place. This is useful to know because it determines how strong the controls need to be.
The higher the risk, the stronger the control. Then the control details are provided and a residual risk is calculated to show the current risk that is being experienced by the business. Take a few minutes to set up your own spreadsheet risk register as we've just discussed, and add an entry, malware infection. Think about your own situation. What could be the root cause, the consequence, and the inherent risk level? What controls do you have in place, and what is the residual level of risk?
Risks can be shown as bubbles on what's known as a risk heat map, where each risk is charted in the cell at the intersection of its likelihood row and its impact column. This is sometimes called a risk bubble chart. A typical approach to managing risks is to accept any very low risks, which appear in the green area. Low risks, shown in the gold area, are accepted but monitored to ensure they don't increase. Medium risks, in the yellow area, are scheduled for routine remediation work, and high and very high risks, shown together here in the red area, require immediate remediation. This form of risk chart is very common and it provides a succinct way to present a high-level picture of the risks. Sometimes the bubble chart is enhanced to show the planned progress of mitigations, using an arrow and a second bubble to identify the final expected risk level after mitigation. This is a powerful way to show the work being done to reduce risk. The term "risk context" refers to the risk bubble chart and the tables used to determine likelihood and impact. Here we can see the table representing the five levels of likelihood, which make up the vertical axis on the heat map, and the multiple tables representing different perspectives on impact, which together make up the horizontal axis. These tables are typically developed specifically for the business by their risk officer. The risk context should also include guidance on the actions required to be taken at each risk level, reflecting more urgent action and more intense oversight at the higher levels of business risk.
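The spreadsheet exercise above (inherent risk, controls, residual risk) and the heat map bands can be worked through in code. The following is an added example, not material from the course: the five-level scales, the score thresholds for each colour band, the control reductions and the "malware infection" entry are all constructed assumptions standing in for a real risk context, which a risk officer would define for the business.

```python
"""Added example (not from the course): a small in-code risk register with the
likelihood and impact tables, inherent and residual risk, and the heat map
bands described above. Scales, thresholds and the malware entry are constructed
assumptions, not a published risk context."""
from dataclasses import dataclass, field

# Constructed five-level scales (1 = lowest). A real risk context would define
# these per business, usually with several impact tables (financial, safety, ...).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Heat map bands over the likelihood x impact score, with the required action.
BANDS = [  # (max score, band, colour, action)
    (2, "very low", "green", "accept"),
    (5, "low", "gold", "accept and monitor"),
    (10, "medium", "yellow", "schedule routine remediation"),
    (16, "high", "red", "immediate remediation"),
    (25, "very high", "red", "immediate remediation"),
]


def band(score: int) -> tuple:
    """Map a likelihood x impact score to (band, colour, action)."""
    for limit, name, colour, action in BANDS:
        if score <= limit:
            return name, colour, action
    raise ValueError(f"score out of range: {score}")


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # levels removed from likelihood
    impact_reduction: int = 0      # levels removed from impact


@dataclass
class Risk:
    risk_id: str
    name: str
    owner: str
    root_cause: str
    consequence: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact with no controls in place."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Residual risk after applying each control's reductions (floor of 1)."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

    def row(self) -> dict:
        """One risk register row, as it would appear in a spreadsheet."""
        inh_band, _, _ = band(self.inherent())
        res_band, colour, action = band(self.residual())
        return {"id": self.risk_id, "name": self.name, "owner": self.owner,
                "root_cause": self.root_cause, "consequence": self.consequence,
                "likelihood": LIKELIHOOD[self.likelihood], "impact": IMPACT[self.impact],
                "inherent": self.inherent(), "inherent_band": inh_band,
                "controls": [c.name for c in self.controls],
                "residual": self.residual(), "residual_band": res_band,
                "heat_map_colour": colour, "action": action}


def malware_entry() -> Risk:
    """Constructed register entry for the malware infection exercise above."""
    return Risk("R-001", "malware infection", "IT operations manager",
                root_cause="user opens a malicious email attachment",
                consequence="workstation compromise and data loss",
                likelihood=4, impact=4,
                controls=[Control("endpoint antivirus and patching", likelihood_reduction=2),
                          Control("tested offline backups", impact_reduction=2)])


if __name__ == "__main__":
    for key, value in malware_entry().row().items():
        print(f"{key:>16}: {value}")
```

The inherent score of 16 lands in the red band, which is what justifies strong controls; after the two controls the residual score of 4 sits in the gold band and is accepted but monitored. Modelling each control as a reduction in likelihood or impact is a simplification, but it makes the "higher the risk, stronger the control" relationship explicit and reviewable.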
Chapter 7; An Advanced Risk Framework
NIST, in December 2018, issued revision 2 to their original special publication on risk, SP 800-37, Risk Management Framework. The Risk Management Framework provides a disciplined, structured, and flexible process for managing security and privacy risk. It covers information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring of risks. The Risk Management Framework considers risk at three levels: information systems risk, mission or business process risk, and whole-of-business risk. The risk management process involves preparation of the necessary risk material needed to carry out risk management, and then a six-stage process of categorization, selection, implementation, assessment, authorization, and monitoring. The prepare stage of the framework involves seven actions, three of which are risk-related and four controls-related. They are: assign people to risk management roles; prepare the risk management context, also known as the risk strategy; complete an organization-wide risk assessment; establish control baselines according to the standards relevant to the organization; identify common controls and prioritize them according to the potential impact of an attack; and develop the plan for monitoring control effectiveness.
The categorize stage overlaps somewhat with the prepare stage, as it requires a full review of the IT systems in use, particularly identifying the system characteristics and the information they process and store. The next step is to determine the impact levels to confidentiality, availability, and integrity, and the final step is to get business endorsement, or authorization, of the three impact classification levels. The select stage requires that controls are selected and tailored to the specific system environment, to mitigate all risks to the system that are beyond risk appetite. This is judged by determining the risk level and then identifying from the risk context whether controls are required. The steps in the select stage are: control selection, either by adopting a baseline set of controls, by a custom set of controls driven by the risk assessments, or by a combination of both; control tailoring to suit the operating environment; control allocation to systems, ensuring that the specific business requirements for security in that system are met across people, process, and technology; documenting the controls for each system in a system security plan; developing and implementing the approach to continuous monitoring of control effectiveness; and gaining business approval of the system security plans and continuous monitoring process. The next stage is to implement the controls that have been identified for the system, and maintain the system security plans accordingly. The assess stage is about through-life assessment of the system to ensure that controls are effective and that there is no evidence of a breach.
There are seven steps in this stage of the risk management life cycle: assessor selection, based on candidate qualifications and target knowledge; developing the plan for the assessment; carrying out the assessment plan for the controls; reporting on control effectiveness, providing findings and recommendations; remediating any findings that can be immediately rectified; and developing an overall plan of action for findings that can't be immediately rectified. The purpose of the authorize stage is to provide organizational accountability, by requiring a senior manager to determine whether the security and privacy risk represented by the overall set of risk management activities and plans is acceptable. This stage has five steps: developing the submission; management review; additional risk management response to any issues raised; approval decisions for each system; and an authorization report. The final stage is monitoring. This is a key stage of the framework, which provides ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions, and which revisits some of the above stages. It has seven steps: the systems and environment are monitored for any changes that might occur; in-flight assessments are performed as required; any issues identified are responded to; risk management documents are maintained; security and privacy risks are reported regularly; authorizations are given to systems as required; and systems are securely disposed of when no longer required.
Chapter 8; Managing Security With COBIT
One of the more important IT frameworks for the enterprise is COBIT, the Control Objectives for IT. COBIT is published by the Information Systems Audit and Control Association, ISACA, and its purpose is to ensure that enterprises have in place an effective and auditable set of governance and management processes for IT which deliver value for their stakeholders. COBIT is designed around a set of processes. These are grouped into the four areas of plan, build, deliver, and monitor. At the top left of the diagram is the Plan group, known in full as Align, Plan and Organize, with its 14 APO processes. Below that is the Build, Acquire, and Implement group, which has 11 processes. At the bottom of the diagram are the six processes in the Deliver, Service and Support group, and to the right is the Monitor, Evaluate and Assess group with its four processes.
The COBIT framework is used by the financial sector for carrying out IT general controls external audits. Consequently, having a COBIT-aligned security framework is the first step in putting in place an IT environment which will meet regulatory obligations. From a cybersecurity perspective, there are two key processes for security: APO13, Managed Security, in the Plan group, and DSS05, Managed Security Services, in the Deliver group. Of course, there are many other processes in which security plays a part. For example, security incident management is an important activity, but this falls within the overall IT process of DSS02, Managed Service Requests and Incidents. Let's take a look into APO13, Managed Security, which defines the requirement for security management. The process description is: define, operate and monitor a system for information security management. It has five goals: support IT and business compliance; support the management of IT and enterprise risk; contribute to the transparency of IT costs and benefits; ensure the security of information, infrastructure, and applications; and provide reliable information for decision making. APO13 consists of three control objectives: APO13.01, establish and maintain an Enterprise Information Security Management System; APO13.02, define and manage a security plan, which establishes a set of objectives to progress towards the desired security posture; and APO13.03, monitor and review the ISMS. The Enterprise Information Security Management System, or ISMS, defines the approach taken to ensuring information security is effective, and this is often aligned to the set of requirements outlined in the international standard ISO 27001, Information Security Management Systems Requirements. While APO13.01 is a single control objective, satisfying it involves putting in place a number of lower-level controls from the ISO 27000 series of standards.
Chapter 9; COBIT For Operational Security
Let's look now at the second security-focused process, DSS05, Managed Security Services. The description of this process is to protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy, establish and maintain information security roles and access privileges, and perform security monitoring. Essentially, DSS05 defines the requirements of operational security. DSS05 provides operational processes to satisfy three of the five APO13 goals: support IT and business compliance, support the management of IT and enterprise risk, and ensure the security of information, infrastructure, and applications. There are seven operational security control objectives in DSS05, which provide the foundation for a defensive cybersecurity program. Let's take a look at what's in each of them. The first control objective is protect against malware. Malware is one of the main challenges in cybersecurity today, and protecting against it involves a number of activities and controls. These include antivirus, security patching, security information awareness and, in contemporary terms, cyber threat intelligence, change management, security filtering of email and web traffic, and security training. The second control objective is manage network and connectivity security. This includes establishing and enforcing policy on network connections, enforcement of password entry, the configuration and use of firewalls and intrusion detection systems, network security protocols and communications encryption, network configuration, security mechanisms to ensure trusted transmission and receipt, network security control testing, and penetration testing. A critical control for this objective is network segregation. The third, manage endpoint security, covers the security of laptops, desktops, servers, mobile devices, and network equipment.
It requires that controls are put in place to ensure the endpoints are securely configured, hardened to remove unnecessary ports and protocols, and that remote access is managed. The next control objective is manage user identity and logical access. Identity and access management is a very complex issue and this one control objective can easily consume half the effort in a mature cybersecurity program. It's also the area which generates a good proportion of all audit findings, so it pays to keep a tight focus on it. This process requires that identities are managed from creation to removal, access rights are established and maintained in line with the roles and responsibilities of the organization, that access to systems and information is authorized and authenticated, that privileged access is strictly controlled, and that access rights are regularly reviewed, and that appropriate audit trails of access are kept. The fifth of these control objectives covers the management of physical access to IT assets. This includes perimeter protection, such as fences, doors, and locks, intruder detection systems, access controls for data centers and office spaces, identity cards and visitor-management procedures. Increasingly, the use of cloud-based infrastructure is reducing the effort required to manage this area but increasing the dependence on and the oversight of third-party security. Managing sensitive documents is an increasingly important aspect of security, as the focus of protective measures shrinks from the perimeter to the information itself. With employees taking laptops out of the enterprise and sending data out to mobile devices, perimeter security devices such as corporate firewalls no longer protect enterprise information.
New techniques such as digital rights management and mobile email encryption need to be employed. This process also includes information- and device-centric controls, such as password- or PIN-controlled printing and PIN codes on mobile devices. Finally, monitor the infrastructure for security-related events provides the detective controls which are needed to identify security breaches should the enterprise's preventative controls fail. This control objective includes the operation of intrusion detection and prevention systems, logging and alerting on security-related events, operating log management and security information and event-monitoring systems, delivering security incidents to the incident-management process, carrying out forensics, and managing evidence. These are all key activities for a cybersecurity operations center.
Chapter 10; Introduction to Cybersecurity Controls
The term cybersecurity means to protect things in cyberspace from attack, and we do this by using security controls. When designing our controls we need to make sure they're fit for purpose. Firstly, we need to check whether the cost of the control is more or less than the loss associated with the impact of the attack. We often see a curve graph to explain this, where we plot the cost of an increasingly powerful control against the benefit it provides. Where the cost of additional risk reduction outweighs the benefit it achieves, we don't proceed with any further control.
Secondly, we need to consider how effective the control is against the threat. The result of assessing the risk based on the likelihood and impact of a threat is known as the inherent risk. When controls are implemented, there'll usually be an acceptably small level of risk remaining, which is known as the residual risk. We can apply what's known as a multi-tiered, or defense in depth, control strategy to mitigate cyber risks. There are four key types of controls that can be applied, and it's generally recommended that two or more are used together. The first is deterrent controls. These reduce the threat; an example is incarceration, which deters would-be criminals from carrying out their attacks. Preventative controls are designed to stop the attack from succeeding by not allowing it to get at an asset to exploit a vulnerability. A firewall is one such preventative control, blocking protocols that might be used as attack vectors. Detective controls are used to detect that an attack has taken place.
A burglar alarm is a typical detective control. And finally, corrective controls are used to reduce the impact of an incident; a good example of this is recovery from data backups. The NIST Cybersecurity Framework presents corrective controls as the Respond and Recover functions. Let's look at an example. In order to protect data from unauthorized modification, we firstly apply access controls to ensure that anyone trying to access the data has been authorized. In case this fails, we then monitor for any data changes. If data is changed maliciously, we can recover it by restoring from backup.
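The three-layer example just described (access control, then change monitoring, then restore from backup) can be expressed as one small object whose methods correspond to the preventative, detective and corrective layers. This is an added example written for this page, not code from the course; the record contents, the user names and the simulate_bypass method (which stands in for any change that reached the data without going through the access control) are constructed for the demonstration.

```python
"""Added example (not from the course): the layered control chain described
above, in code. Access control (preventative), hash-based change detection
(detective) and restore from backup (corrective) are applied to one record.
Users, data and the bypass step are constructed for the demonstration."""
import hashlib


class ProtectedRecord:
    def __init__(self, data: bytes, authorized: set):
        self._authorized = frozenset(authorized)
        self._data = data
        self._backup = data                  # corrective control: known-good copy
        self._baseline = self._digest(data)  # detective control: integrity baseline
        self.events = []                     # audit trail of control decisions

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def read(self) -> bytes:
        return self._data

    def write(self, user: str, new_data: bytes) -> bool:
        """Preventative control: only authorized users may change the record."""
        if user not in self._authorized:
            self.events.append(("write denied", user))
            return False
        self._data = new_data
        # An authorized change becomes the new baseline and the new backup.
        self._baseline = self._digest(new_data)
        self._backup = new_data
        self.events.append(("write allowed", user))
        return True

    def check_integrity(self) -> bool:
        """Detective control: compare current contents against the baseline."""
        ok = self._digest(self._data) == self._baseline
        self.events.append(("integrity ok" if ok else "integrity FAILED", None))
        return ok

    def restore(self) -> None:
        """Corrective control: put the last known-good copy back."""
        self._data = self._backup
        self.events.append(("restored from backup", None))

    def simulate_bypass(self, raw: bytes) -> None:
        """Constructed stand-in for a change that got past the access control
        (the 'in case this fails' branch above); it does not go through write()."""
        self._data = raw


def run_scenario() -> dict:
    """Constructed scenario: one denied edit, one authorized edit, one bypass."""
    rec = ProtectedRecord(b"balance=100", authorized={"finance_clerk"})
    denied = not rec.write("intern", b"balance=999")
    allowed = rec.write("finance_clerk", b"balance=120")
    rec.simulate_bypass(b"balance=999999")
    detected = not rec.check_integrity()
    if detected:
        rec.restore()
    return {"denied": denied, "allowed": allowed, "detected": detected,
            "recovered": rec.check_integrity(), "final": rec.read(),
            "events": rec.events}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The point of the layering is visible in the scenario: the access control stops the intern, but it cannot stop a change that never went through it, so the hash comparison is what catches that change, and the backup is what undoes it. In a real system the baseline and backup would be held where the same bypass cannot reach them.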
Chapter 11; Cybersecurity Control Framework
While controls can be applied by an enterprise as a customized response to business risks, in many cases, an external authority will direct that a predefined set of controls be adopted as a baseline for security. An example of government policy is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which federal organizations are required to adopt. An authority may be an industry body, such as the Payment Card Industry Council, which requires that merchants adhere to the Payment Card Industry Data Security Standard. NIST's SP 800-53 is one of two important control frameworks used in cybersecurity, the other being ISO 27002. They're both structured as a set of control categories within each existing number of specific controls. While the categories and the controls are different for each standard, they can be mapped against each other. These two control frameworks are widely referenced by other security schemes. In particular, the NIST Cybersecurity Framework. The controls in ISO 27002 are described in a three-tier hierarchy of security category, security control objective, and control. Let's have a look at an example. Here, we can see access control is the main category, operating system access control is the control objective, and user identification and authentication is the control. The NIST SP 800-53 controls are described in a two-tier hierarchy. In this example, identity and authentication is the control family and identity and authentication, organizational users, is the control. The description is very similar to the description of the ISO 11.5.2 control. An important first stage in implementing a control framework is to create what's known as a Statement of Applicability. The Statement of Applicability is the main link between the risk assessment and the selection of controls, and its purpose is to provide evidence that all controls have been considered. 
The controls that aren't applicable won't be implemented, and the rationale for omitting them is recorded in the Statement of Applicability. Developing a clear Statement of Applicability is a good way to reduce the effort required to meet and maintain a compliant and effective security posture. There are a number of specific considerations around controls. Common controls can be inherited by one or more systems, reducing both deployment and ongoing operational effort and cost. Where specific controls are called for but are either not yet present or can't be implemented, compensating controls will be required, such as sample checks of manual authorizations in the absence of an electronic authorization process. Once a control has been implemented, it needs regular testing, and this should be a routine part of any compliance program. Control testing involves two stages: testing design effectiveness, and testing operational effectiveness. Design effectiveness is checked by verifying that the control, as implemented, meets the original design requirements. For example, a design test of control ISO 11.5.2, user identification and authentication, would involve verifying configuration files
to confirm that access to the system requires entry of a user identifier and that a password or some other form of authentication is required before access to the system is allowed. Operational effectiveness involves testing the system and making sure that the control is continuing to be effective against attack. For example, a penetration tester might attempt an SQL injection on the user identifier field in a log-on form to see whether access can be gained without entering valid credentials.
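Both stages of testing the user identification and authentication control can be automated. The block below is an added example, not the course's material or any vendor's tool: the design test parses a constructed key = value configuration (an assumed format, not a real product's file) and checks that a user identifier and an authentication method are required; the operational test runs a log-on function against an in-memory SQLite users table, once with a query built by string concatenation and once with bound parameters, so the weak implementation sits beside the corrected one.

```python
import hashlib
import sqlite3
from typing import Callable, Dict, List

# --- Design-effectiveness test: verify configuration against the control's requirements ---

# Constructed configuration in a simple key = value format (assumption; not a real product's file).
SAMPLE_AUTH_CONFIG = """
# authentication settings
require_user_id = yes
auth_methods = password, otp
allow_anonymous = no
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key = value lines, ignoring blank lines and # comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def design_test_user_auth(text: str) -> List[str]:
    """Return findings; an empty list means the configuration satisfies the control
    (a user identifier is required and at least one authentication method is enforced)."""
    cfg = parse_config(text)
    findings: List[str] = []
    if cfg.get("require_user_id") != "yes":
        findings.append("user identifier is not required at logon")
    methods = [m.strip() for m in cfg.get("auth_methods", "").split(",") if m.strip()]
    if not methods:
        findings.append("no authentication method is configured")
    if cfg.get("allow_anonymous", "no") != "no":
        findings.append("anonymous access is allowed")
    return findings


# --- Operational-effectiveness test: probe the log-on form's user identifier field ---

def _hash(pw: str) -> str:
    # Plain SHA-256 keeps the example short; a real system uses a slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Builds the query by string concatenation: the user identifier field is injectable."""
    sql = (f"SELECT 1 FROM users WHERE user_id = '{user_id}' "
           f"AND password_hash = '{_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Same logic with bound parameters, so the identifier is treated as data, never as SQL."""
    sql = "SELECT 1 FROM users WHERE user_id = ? AND password_hash = ?"
    return conn.execute(sql, (user_id, _hash(password))).fetchone() is not None


def operational_test(login: Callable[[sqlite3.Connection, str, str], bool]) -> Dict[str, bool]:
    """Run the log-on control through three probes; 'injection_bypassed' must be False."""
    conn = make_db()
    return {
        "valid_credentials_accepted": login(conn, "alice", "correct horse"),
        "wrong_password_rejected": not login(conn, "alice", "wrong"),
        # The classic textbook probe: closes the quoted identifier and comments out the
        # password clause, so the concatenated query no longer checks the password.
        "injection_bypassed": login(conn, "x' OR 1=1 --", "anything"),
    }


if __name__ == "__main__":
    print("design findings:", design_test_user_auth(SAMPLE_AUTH_CONFIG))
    print("vulnerable:", operational_test(login_vulnerable))
    print("hardened:  ", operational_test(login_hardened))
```

The design test passes on the sample configuration while the operational test still reports a bypass for the concatenated query, which is exactly why both stages are needed: a control can match its design and still fail in operation.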
Chapter 12; Cybersecurity Standards of Good Practice
There are a number of industry standards of good practice which provide guidance on cybersecurity. The most well-known is the ISF Standard of Good Practice. It's essentially a risk and control framework for managing cybersecurity.
The Standard of Good Practice is consistent with the major recognized information security standards such as ISO 27002, the NIST Cybersecurity Framework, COBIT and the PCI DSS control standards. It also aligns with the controls required to satisfy Europe's General Data Privacy Regulations. It incorporates the ISF Risk Assessment Methodology, or IRAM, which presents a risk management scheme with the three phases of business impact assessment, threat and vulnerability assessment, and control selection. Let's have a look at what the ISF controls look like. The ISF Standard of Good Practice structures its controls into categories, areas, and topics. Let's have a look at the security monitoring and improvement category. It has two areas and eight topics. The two areas are security audits, with five topics, and security improvement, with three. If we dig down into security monitoring, topic S 12.1, it has a principle: the information security condition of the organization should be monitored regularly and reported to executive management. And it has an objective: to provide the executive management with an accurate, comprehensive, and coherent assessment of the information security condition of the organization. The Standard of Good Practice is a comprehensive industry approach to security, but it is only available to members of the Information Security Forum.
The Central Bank of the Netherlands, DNB, has published a cybersecurity standard of good practice as guidance for the financial sector. This is freely available from their website. As we can see, it takes a risk and testing perspective on controls. The standard is structured into categories, each having one or more controls. There are almost 60 controls detailed in the standard across these categories. The standard contains a maturity model in support of the process category. Here we see five levels of maturity, starting with initial and progressing through repeatable, defined, managed and measured, to continuous improvement. Each level builds on the previous ones and adds more rigor to the process at each step. Here we see one of the controls. This is the DNB standard of good practice guidance on security and monitoring. The DNB standard isn't as well known as the ISF standard, but it is free and it contains a lot of valuable guidance.