Chapter 4: Frameworks PDF

Summary

This chapter reviews various frameworks for information security. It covers different types of security frameworks, including risk management, information security, and enterprise architecture frameworks. It aims to provide practical insights into security systems.

Full Transcript

Chapter 4: Frameworks
203
To tie these pieces together, you can think of the NIST Cybersecurity Framework
that works mainly at the policy level as a description of the type of house you want to

PART I
build (ranch style, five bedrooms, three baths). The security enterprise framework is
the architecture layout of the house (foundation, walls, ceilings). The blueprints are the
detailed descriptions of specific components of the house (window types, security system,
electrical system, plumbing). And the control objectives are the building specifications
and codes that need to be met for safety (electrical grounding and wiring, construction
material, insulation, and fire protection). A building inspector will use his checklists
(building codes) to ensure that you are building your house safely. Which is just like how
an auditor will use his checklists (like NIST SP 800-53) to ensure that you are building
and maintaining your security program securely.
Once your house is built and your family moves in, you set up schedules and processes
for everyday life to happen in a predictable and efficient manner (dad picks up kids from
school, mom cooks dinner, teenager does laundry, dad pays the bills, everyone does yard
work). This is analogous to ITIL—process management and improvement. If the family
is made up of anal overachievers with the goal of optimizing these daily activities to be as
efficient as possible, they could integrate a Six Sigma approach where continual process
improvement is a focus.

Chapter Review
This chapter should serve at least two purposes for you. First, it familiarizes you with the
various frameworks you need to know to pass your CISSP exam. Though some of these
frameworks don’t fit neatly into one category, we did our best to group them in ways that
would help you remember them. So, we have risk management, information security,
enterprise architecture, and “other” frameworks. Within information security, we further
subdivided the frameworks into those that are focused on program-level issues and those
that are primarily concerned with controls. You don’t have to know every detail of each
framework to pass the exam, but you really should know at least one or two key points
about each to differentiate them.
The second purpose of this chapter is to serve as a reference for your professional
life. We focused our discussion on the frameworks that are most likely to show up in
your work places so that you have a desktop reference to which you can turn when
someone asks your opinion about one of these frameworks. While this second purpose
of the chapter should apply to the whole book, it is particularly applicable to this
chapter because frameworks are tools that don’t change very often (especially within an
organization), so you may become very familiar with the one(s) you use but a bit rusty
on the rest. Grouping them all in this chapter may help you in the future.

Quick Review
A framework is a guiding document that provides structure to the ways in which
we manage risks, develop enterprise architectures, and secure all our assets.
The most common risk management frameworks (RMFs) are the NIST RMF,
ISO/IEC 27005, OCTAVE, and FAIR.
CISSP All-in-One Exam Guide
204
The seven steps of the NIST RMF are prepare, categorize, select, implement,
assess, authorize, and monitor.
Security controls in the NIST frameworks can be classified as common (if they
exist outside of a system and apply to multiple systems), system-specific (if they
exist inside a system boundary and protect only the one system), or hybrid
(if they are a combination of the other two).
Risks in a risk management framework can be treated in one of four ways:
mitigated, accepted, transferred, or avoided.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is
a team-oriented risk management methodology that employs workshops and is
commonly used in the commercial sector.
The Factor Analysis of Information Risk (FAIR) risk management framework is
the only internationally recognized quantitative approach to risk management.
The most common information security program frameworks are ISO/IEC
27001 and the NIST Cybersecurity Framework.
ISO/IEC 27001 is the standard for the establishment, implementation, control,
and improvement of the information security management system.
The NIST Cybersecurity Framework’s official name is the “Framework for
Improving Critical Infrastructure Cybersecurity.”
The NIST Cybersecurity Framework organizes cybersecurity activities into five
higher-level functions: identify, protect, detect, respond, and recover.
The most common security controls frameworks are NIST SP 800-53, the CIS
Controls, and COBIT.
NIST SP 800-53, Security and Privacy Controls for Information Systems and
Organizations, catalogs over 1,000 security controls grouped into 20 families.
The Center for Internet Security (CIS) Controls is a framework consisting of
20 controls and 171 subcontrols organized in implementation groups to address
any organization’s security needs from small to enterprise level.
COBIT is a framework of control objectives and allows for IT governance.
Enterprise architecture frameworks are used to develop architectures for specific
stakeholders and present information in views.
Blueprints are functional definitions for the integration of technology into
business processes.
Enterprise architecture frameworks are used to build individual architectures that
best map to individual organizational needs and business drivers.
The most common enterprise architecture frameworks are the Zachman and
SABSA ones, but you should also be aware of TOGAF and DoDAF.
Zachman Framework is an enterprise architecture framework, and SABSA is a
security enterprise architecture framework.