Information security resources

(Excerpts from Security+)

Frameworks

An information security framework is a series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment.

NIST - parts of a framework

Framework core

Defines the activities needed to attain different cybersecurity results.

Functions

The most basic information security tasks: Identify, protect, detect, respond, and recover.

Categories

Tasks to be performed for each of the functions

Subcategories

Tasks or challenges associated with each category. These are the actionable items.

Information Sources

The documents or manuals that detail specific tasks for users and explain how to accomplish the tasks

Implementation tiers

Each framework specifies four tiers that help companies identify their level of compliance. The higher the tier, the more compliant the organization.

Profiles

Profiles summarize the status of the organization's cybersecurity posture. Profiles also summarize everything an organization has done to follow the framework.

NIST frameworks

Risk Management Framework (RMF)

Helps organizations assess and manage risks to their systems. It is a comprehensive roadmap to integrate cybersecurity, privacy, and risk management processes.

Cybersecurity Framework (CSF)

Measures companies to allow comparisons of their cybersecurity practices relative to their potential threats.

Functions
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Regulations

Adhering to regulations is called regulatory compliance. Organizations or government agencies typically consult with professionals to establish a set of regulations for a specific industry. These regulations are followed by companies that have similar business processes, resulting in a common set of tested and approved regulations that are under continual review and revision.

Challenges

Each company faces different regulatory bodies. Some have a mixture of industry-specific regulations, U.S. state regulations, and international regulations.

Legislation

Specifically in the US, differences between the national and state levels can cause conflicts. Many decisions are made at the state level, leaving each state to make its own, often conflicting, decisions. Often, the most restrictive laws win. Many companies follow either California legislation or EU privacy laws. Even where a country's legislation does not directly apply to a company, that country can ban websites which do not follow it.

Standards

Standards are an optional set of rules an organization can choose to abide by. Certain standards, such as the Payment Card Industry Data Security Standard (PCI DSS), are required to do business in certain industries. These standards lay out rules, guidelines, frameworks and metrics companies must abide by to stay compliant. Consequences of non-compliance can range from losing recognition to sanctions that hinder business. Reinstating a business is purely at the discretion of the governing body and may take a while, since the body must determine that measures have been put in place to correct any non-compliance.

Benchmark/Secure configuration guidelines

Often distributed by hardware manufacturers and software developers. These are suggestions for configuring the product for ease of use and security. They ensure the product functions securely and as intended by the manufacturer. These guidelines are usually platform specific, ensuring the correct configuration of a specific product. Red Hat is a company which provides extensive documentation to ensure companies are well informed about configuration guidelines.

Information Sources

Generic sources exist, such as vendor websites, conferences, journals, industry groups, and LinkedIn. Some companies may choose to contribute to and/or subscribe to a cybersecurity research group.

Request For Comments (RFCs)

Bodies may introduce Requests for Comments (RFCs), which are documents authored by technology bodies employing specialists, engineers, and scientists who are experts in the respective field. The Internet Engineering Task Force (IETF) is one of the largest contributors of information security RFCs.

Data Feeds

Data feeds are continually maintained databases of the latest cybersecurity information. The most commonly available and referenced data feeds are vulnerability and threat feeds. Companies subscribe to data feeds to stay informed about vulnerabilities, zero days, and common attacks at any given moment.