Security Control Frameworks - dummies

By Lawrence C. Miller, Peter H. Gregory

Organizations often adopt a security control framework to aid in their legal and regulatory compliance efforts. Some examples of relevant security frameworks include the following:

  • COBIT. Developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), COBIT consists of several components, including
    • Framework. Organizes IT governance objectives and best practices.
    • Process descriptions. Provides a reference model and common language.
    • Control objectives. Documents high-level management requirements for control of individual IT processes.
    • Management guidelines. Tools for assigning responsibility, measuring performance, and illustrating relationships between processes.
    • Maturity models. Assess organizational maturity/capability and address gaps.

The COBIT framework is popular in organizations that are subject to the Sarbanes-Oxley Act.

  • NIST (National Institute of Standards and Technology) Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. Known as NIST SP 800-53, this is a very popular and comprehensive controls catalog that all U.S. federal agencies are required to use. It is also widely used in private industry.
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission). Developed by the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), The Institute of Internal Auditors (IIA), and Financial Executives International (FEI), the COSO framework consists of five components:
    • Control environment. Provides the foundation for all other internal control components.
    • Risk assessment. Identifies and analyzes the relevant risks to the organization's objectives and determines whether anything will prevent the organization from meeting those objectives.
    • Control activities. Policies and procedures that are created to ensure compliance with management directives. Various control activities are discussed in the other chapters of this book.
    • Information and communication. Ensures appropriate information systems and effective communications processes are in place throughout the organization.
    • Monitoring. Activities that assess performance over time and identify deficiencies and corrective actions.
  • ISO/IEC 27002 (International Organization for Standardization/International Electrotechnical Commission). Formally titled “Information technology — Security techniques — Code of practice for information security controls,” the 2013 edition of ISO/IEC 27002 documents security best practices in 14 domains, as follows:
    • Information security policies
    • Organization of information security
    • Human resource security
    • Asset management
    • Access control and managing user access
    • Cryptography
    • Physical and environmental security of the organization’s sites and equipment
    • Operations security
    • Communications security and data transfer
    • System acquisition, development, and maintenance
    • Supplier relationships (security for suppliers and third parties)
    • Information security incident management
    • Information security aspects of business continuity management
    • Compliance
  Note that the 2022 edition of ISO/IEC 27002 reorganizes these controls into four themes (organizational, people, physical, and technological), so the 14-domain structure above applies to the 2013 edition.
  • ITIL (Information Technology Infrastructure Library). A set of best practices for IT service management; the ITIL 2011 edition consists of five volumes, as follows (ITIL 4, released in 2019, replaces this service lifecycle structure with a service value system):
    • Service Strategy. Addresses IT services strategy management, service portfolio management, IT services financial management, demand management, and business relationship management.
    • Service Design. Addresses design coordination, service catalog management, service level management, availability management, capacity management, IT service continuity management, information security management system, and supplier management.
    • Service Transition. Addresses transition planning and support, change management, service asset and configuration management, release and deployment management, service validation and testing, change evaluation, and knowledge management.
    • Service Operation. Addresses event management, incident management, service request fulfillment, problem management, and access management.
    • Continual Service Improvement. Defines a seven-step process for improvement initiatives, including identifying the strategy, defining what will be measured, gathering the data, processing the data, analyzing the information and data, presenting and using the information, and implementing the improvement.