Information Security Standards: COBIT and NIST 800‐53

By Peter H. Gregory

If you are seeking a job in the information security field, you will need to hone your knowledge of industry standards. Here, you will find information on COBIT and NIST 800-53.

COBIT

Control Objectives for Information and Related Technology (COBIT) is an IT process and governance framework created by ISACA (Information Systems Audit and Control Association) in the mid 1990s.

Before 2012, ISACA maintained five IT management libraries:

  • COBIT 4.1 (the process framework)

  • Val IT 2.0

  • Risk IT Framework

  • IT Assurance Framework (ITAF)

  • Business Model for Information Security (BMIS)

In 2012, ISACA released COBIT 5, which is an integration of these five models. COBIT 5 components are

  • IT governance and practices

  • Process descriptions

  • Control objectives

  • Management guidelines

  • Maturity models

ISACA offers the COBIT framework and related documentation to its members for free as a download. Hard copies are available for purchase.

NIST 800‐53

Special Publication 800‐53, Security and Privacy Controls for Federal Information Systems and Organizations, is a highly recognized and respected framework of security controls for both government and private organizations. It’s published by the National Institute for Standards and Technology (NIST), a branch of the U.S. Department of Commerce.

All agencies of the U.S. federal government are required to comply with NIST SP 800‐53; however, many state and local governments, as well as private organizations, also use NIST SP 800‐53 as their security controls framework.

NIST SP 800‐53 is comprised of several categories:

  • Access control

  • Audit and accountability

  • Security assessment and authorization

  • Configuration management

  • Contingency planning

  • Identification and authentication

  • Incident response

  • Maintenance

  • Media protection

  • Physical and environmental protection

  • Planning

  • Personnel security

  • Risk assessment

  • System and services acquisition

  • System and communications protection

  • System and information integrity