There are a number of frameworks that you’ll need to know in order to familiarize your organization or agency with a range of leading guidelines and best practices to accomplish a necessary protection level from cyber incidents. Here are 10 security frameworks every cybersecurity analyst should know.
1. NIST Special Publication 800-53
The “NIST,” or the “National Institute of Standards and Technology,” is a part of the U.S. Department of Commerce. Congress established the agency in 1901 and was charged to remove a major challenge to U.S. industrial competitiveness at the time, specifically the nation’s infrastructure. NIST regularly publishes standards and guidelines, including for cybersecurity.
SP 800-53, the “Security and Privacy Controls for Federal Information Systems and Organizations,” is a document cataloging the security and privacy controls of federal information systems. SP 800-53 includes a helpful process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
SP 800-53 breaks down the different control categories (e.g., access control, awareness and training, configuration management, contingency planning, incident response, risk assessment, and so on) into 1 of 3 different classes (either technical, operational, or management). This publication helps organizations outline controls they can place on their information systems to remain compliant with FIPS 199, which I’ll get into later.
2. NIST Special Publication 800-61 (Revision 2)
NIST Special Publication 800-61 (Revision 2) is the “Computer Security Incident Handling Guide” and it deals specifically with Incident Response (IR). SP 800-61 helps organizations respond efficiently and effectively to incidents big and small. Every organization is going to experience and incident at one point, so being able to appropriately respond and analyze incident-related data to determine an appropriate response is crucial in a time where IR has become an important aspect of Information Technology.
SP 800-61 provides organizations with a way to develop incident handling policies, plans, procedures, teams, and recommendations. It also prepares organizations the detection and analysis of cyber attacks as well as the containment, eradication, and recovery from cyber incidents.
3. NIST Special Publication 800-37
Special Publication 800-37 is the “Guide for Applying the Risk Management Framework to Federal Information Systems.” SP 800-36 provides a life cycle approach and guideline for applying an organization-wide Risk Management Framework (RMF) to federal information systems. RMF is a 6-step process that includes the following:
- security categorization,
- security control selection,
- security control implementation,
- security control assessment,
- information system authorization, and
- security control monitoring
SP 800-37 places a heavy emphasis on continuous monitoring (#6) of controls, risk, and response, which entails appropriate, cost-effective decisions that not only mitigate the risk involved, but also remain inline with the organization’s core missions and business functions.
4. FIPS 199
“FIPS” stands for the “Federal Information Processing Standards.” During the business impact analysis (BIA), each system or asset is identified and prioritized according to the guidelines laid out in the FIPS 199 publication. Because information systems are complex and often possess multiple mission-critical processes, it can be difficult to determine the importance of each system and its security categorization. CIOs and contingency planning coordinators can therefore work with management, IT specialists, and internal/external points of contact to validate the importance of each system and its proper security categorizations. Creating resource tables are helpful when identifying the value of mission critical systems.
FIPS 199 assists organizations with providing appropriate levels of information security by helping organizations classify their assets according to a range of potential impact levels (e.g., low, moderate, and high potential impact from potential disruption). Additionally, estimated downtime can also be estimated for each disaster, which is also extended by the estimated maximum amount of downtime tolerable for maintaining business operations. Three security objectives are also defined: confidentiality, integrity, and availability of data (or the CIA triad). Both the potential impact level and the security objective are used to produce a security categorization (SC) for each system and component. For example, the security categorization for a SCADA system at a power plant is expressed as Confidentiality = moderate; Integrity = high; Availability = high.
5. Cyber Security Framework (CSF)
The CSF was created by the NIST in response to Executive Order 13636, which called for the development of a voluntary cybersecurity framework for organizations that are part of the nation’s critical infrastructure. But the biggest factor of CSF is that it had to be flexible, repeatable, and cost effective.
The CSF is split into its 3 main components, which are the Framework Core, the Implementation Tiers, and the Framework Profile.
The Framework Core is split into 5 functions (Identify, Protect, Detect, Respond, and Recover). These are all cybersecurity activities that will help organizations enable risk
management decisions, address threats, and improve by learning from previous
activities. Functions are further split into 22 categories (e.g, access control and detection processes) and 98 subcategories (e.g., Data-at-rest is protected).
The Implementation Tiers help organizations classify the degree of cybersecurity practices into 1 or 4 tiers:
- Tier 1 (Partial),
- Tier 2 (Risk Informed)
- Tier 3 (Repeatable), and
- Tier 4 (Adaptive)
A Framework Profile is used to describe the current state or the desired target state of specific cybersecurity activities and organization. It indicates what the organization is currently achieving and additional requirements needed to achieve its overall risk management goals.
6. ISO/IEC 27000 Series
“ISO” stands for the “International Organization for Standardization.” I know, the acronym isn’t right, but that’s the way it is. The “IEC,” on the other hand, stands for the
“International Electrotechnical Commission (IEC).” These two groups work together to provide a wide range of standards from various industries, including agriculture, engineering, mining, electrical technologies, and cybersecurity.
What cybersecurity analysts are particularly interested in, however, is the ISO/IEC 27000, or the “Information Security Management System (ISMS)” standards
- ISO/IEC 27000 Overview and Vocabulary
- ISO/IEC 27001 ISMS Requirements
- ISO/IEC 27002 Security Management
- ISO/IEC 27003 ISMS Implementation
- ISO/IEC 27004 ISMS Measurement
- ISO/IEC 27005 Risk Management
- ISO/IEC 27006 Certification Requirements
- ISO/IEC 27007 ISMS Auditing
- ISO/IEC 27008 Guidance for Auditors
- ISO/IEC 27031 Business Continuity
- ISO/IEC 27033 Network Security
- ISO/IEC 27034 Application Security
- ISO/IEC 27035 Incident Management
- ISO/IEC 27037 Digital Evidence Collection and Preservation
As you can see, there is a lot to know. But, it helps to be familiar with at least some of these. These are all standards and best practices for a particular focus (e.g., network security, application security, incident management, etc.).
7. Control Objectives for Information and Related Technology (COBIT)
COBIT was developed by the “Information Systems Audit and Control Association (ISACA)” and the “IT Governance Institute (ITGI).” It is an IT governance framework and supporting toolset that defines the goals for control objectives for managing IT. COBIT is broken down into 4 “domains,” which are:
- Plan and Organize,
- Acquire and Implement,
- Deliver and Support, and
- Monitor and Evaluate
Each domain has a complete “roadmap” to properly manage IT in each area.
8. Sherwood Applied Business Security Architecture (SABSA)
I was unaware of SABSA until recently. SABSA uses a matrix (shown below) for developing risk-driven enterprise information security architectures. SABSA attempts to assist an organization in answering “What, Why, How, Who, Where, and When.
Answering these questions at each layer requires an analysis of business requirements for security.
9. The Open Group Architecture Framework (TOGAF)
Based on the U.S. Department of Defense’s TAFIM, TOGAF is an enterprise architecture methodology and framework used by the world’s leading organizations to improve business efficiency. TOGAF helps organizations create a broad range of different architectures by designs and implementations, specifically in the following areas: Business architecture, Data architecture, Applications architecture, and Technology architecture.
Whichever architecture is chosen for development, it can follow TOGAF’s “Architecture Development Method (ADM),” which helps provide a description of the system to be implemented, its structure, components, and any principles or guidelines governing its design.
10. Information Technology Infrastructure Library (ITIL)
The last security framework, ITIL, is a set of best practices for IT service management with a primary focus on meeting an organization’s business needs. ITIL integrates IT and business. Therefore, instead of having the IT team solely working IT support, they can also assist in business services.
The ITIL framework is divided into 5 categories that make up the ITIL Service Life Cycle:
- Service Strategy,
- Service Design,
- Service Transition,
- Service Operation, and
- Continual Service Improvement
Each category contains subcategories of different processes and functions. If you’re interested in digging deeper into what each category entails, you can read more about it here. Overall, the ITIL framework helps an organization design a strategy for achieving its goals, designing the services and supporting elements, and designing any activities that are necessary to achieve these goals.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2). Retrieved from the National Institute of Standards and Technology Web site:https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Maymi, F. J., Chapman, B. (2018). All-in-One CompTIA CSyA+ Cybersecurity Analyst Certification Exam Guide CS0-001. McGraw-Hill Education: New York, NY.
National Institute of Standards and Technology. (2004). Federal Information Processing Standards Publication (FIPS PUB 199). Retrieved from the National Institute of Standards and Technology Web site: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity (version 1). Retrieved from the National Institute of Standards and Technology Web site: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010). Contingency Planning Guide for Federal Information Systems (NIST Special Publication 800-34 Rev. 1). Retrieved from the National Institute of Standards and Technology Web site: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Ross, R., Swanson, M., Stoneburner, G., Katzke, S., & Johnson, L. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST Special Publication 800-137 Rev. 1). Retrieved from the National Institute of Standards and Technology Web site: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-37r1.pdf