Sunday, March 13, 2016

Resources for workshop on security standards/frameworks/regulations for information security professionals

At the 2016 Security BSides Orlando conference, I gave a workshop on security standards, frameworks, and regulations for information security professionals.  While not an exhaustive survey, I focused on the ones that seem the most widely known, and which I typically see on job descriptions.

Not covered were enterprise architecture models like Zachman or TOGAF.  Also left out are other security frameworks like SABSA, and things like RESILIA, FedRAMP, the Cloud Controls Matrix, SSAE 16/SOC, Secure DevOps, and maturity models for security.

Covered were:
  • CIS Critical Security Controls (CSC)
  • NIST Cybersecurity Framework (CSF)
  • ISO/IEC 27001
  • FISMA
  • HIPAA
  • GLBA 
  • SOX (plus COSO)
  • PCI DSS
  • COBIT 5
  • ITIL

I recently found this graphic, known as the Calder-Moir IT Governance Framework, which shows how all these frameworks and more fit together.

As the workshop was an introduction or survey, I wanted to provide attendees with a list of further resources to help them learn more, including training and certification.  All of that is given here:


CIS Critical Security Controls (CSC)

Known to most people as the "SANS Top 20" or the like, the Critical Security Controls are a set of 20 critical items every org should look to implement.  If an org doesn't have a good information security program, this is a good start before moving to something more complex.

The CIS Critical Security Controls for Effective Cyber Defense, 6.0
Download from CIS or SANS.  Both sites have other resources for the CSC.

Training & Certification:

SANS- AUD440: Critical Security Controls- Planning, Implementing, Auditing (2 days)
SANS- AUD560: Implementing & Auditing the Critical Security Controls (5 days)
GCCC- GIAC Critical Controls Certification (w/AUD560)


NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework was rolled out as a voluntary information security framework that organizations can use to develop their information security program.  Of particular interest are its cross-links to other frameworks.

Framework for Improving Critical Infrastructure Cybersecurity
Download from NIST.  The NIST site is a great resource.

FFIEC Cybersecurity Assessment Tool (FFIEC CAT), OMB Control 1557-0328, June 2015
Download from FFIEC
An assessment tool intended mainly for financial institutions; it outputs your current profile and tier for the NIST CSF.

Training & Certification:

Implementing CSF with COBIT 5  (from ISACA)
Certificate with course (from ISACA)

ISO/IEC 27001:2013

ISO 27001 is an international standard used to develop organizations' information security programs.
  • Information security management systems -- Requirements, ISO/IEC 27001:2013
  • Code of practice for information security controls, ISO/IEC 27002:2013
  • Information security management system implementation guidance, ISO/IEC 27003:2010
  • Information security management — Measurement, ISO/IEC 27004:2009
  • Information security risk management, ISO/IEC 27005:2011
  • and others in the 27000 series.

Several works are available on ISO 27001/2, but be sure they cover the 2013 version!

Training & Certification:

Courses for Foundation, Practitioner, Lead Implementer, Lead Auditor
Certifications for these courses (through PECB and APMG)


FISMA

The Federal Information Security Management Act applies to federal agencies and sets down a risk management framework (RMF) and a framework for their information security program.  Other levels of government (state, county, city) may implement it, as can some government contractors.
  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 200 Minimum Security Requirements for Federal Information Systems
  • NIST SP 800-18, Rev 1. Guide for Developing Security Plans for Federal Information Systems
  • NIST SP 800-30, Rev 1. Guide for Conducting Risk Assessments
  • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
  • NIST SP 800-37, Rev 1. Guide for Applying the Risk Management Framework to Federal Information Systems
  • NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST SP 800-53, Rev 4. Security and Privacy Controls
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  • NIST SP 800-60, Vol. 1 Guide for Mapping Types of Info. and Information Systems to Security Categories
  • NIST SP 800-60, Vol. 2 Append., Guide for Mapping Types of Info. and Info. Systems to Security Categories
  • NIST SP 800-61, Computer Security Incident Handling Guide
  • NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
  • NIST SP 800-160,
Available for download from NIST or FISMA Center.

Taylor, Laura.  FISMA Compliance Handbook, 2nd edition, Sybex, 2013

Training & Certification:

FISMA Center offers training & certification
ISC(2)- CAP certification


HIPAA

The Health Insurance Portability and Accountability Act, along with the later HITECH Act, are regulations regarding the protection of medical records.  Organizations that create medical records (hospitals, doctor offices, etc.) and third parties that store or handle medical records are subject to them.

A good source of information from an IT background is  Especially check out their SRA Tool, which can be used to do a HIPAA security risk assessment and is a good intro, as well as:

Guide to Privacy and Security of Electronic Health Records

HIPAA Security Toolkit Application

Summary of Security Rule

Training & Certification:

No official training
ISC(2)- HCISPP certification
Certs from AHIMA & HIMSS


GLBA

The Gramm-Leach-Bliley Act is about protecting personally identifiable information in financial institutions.

Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information, OCC 2001-35

Download from Office of the Comptroller of the Currency

Training & Certification:


SOX (plus COSO)

The Sarbanes-Oxley Act addresses financial mismanagement in public corporations.  Section 404 is about internal controls on financial systems.

Guy Lander.  What is Sarbanes-Oxley?, McGraw-Hill
Christian Lahti/Roderick Peterson.  Sarbanes-Oxley IT Compliance Using Open Source Tools, 2nd ed.  Sybex
IT Control Objectives for Sarbanes-Oxley: Using COBIT® 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition.  ISACA

COSO, the Committee of the Sponsoring Organizations, is made up of 5 groups that came together and developed an internal controls framework that is often used to meet SOX requirements.
COSO's Internal Control - Integrated Framework, a 3-volume set from AICPA.

COSO Internal Control Integrated Framework Turning Principles Into Positive Action, IIA Research, 2013
Executive's Guide to COSO Internal Controls, Wiley 2015
Internal Control Audit and Compliance, Wiley 2015
WARNING: I have not seen the above 3 works!!!

Training & Certification:

COSO- Courses and certificates from AICPA


PCI DSS

Required controls to secure cardholder data, as mandated by the credit card companies.

PCI-DSS 3.1 (v3.2 coming real soon!!!)
Available for download at PCI Security Standards Council
  • A Practical Guide to the Payment Card Industry Data Security Standard (2015) ISACA
  • PCI Compliance, 4th Edition (2014)
  • PCI DSS 3.1 (2015) Addendum to above book
  • PCI Compliance: the Definitive Guide (2014)
WARNING: I have not seen the above 4 works!!!

Training & Certification:

Training and Certification from PCI Security Standards Council


COBIT 5

A framework for the governance of enterprise IT, used around the world.  It also incorporates many other frameworks and standards.
  • COBIT 5
  • COBIT 5 Implementation
  • COBIT 5: Enabling Processes
  • COBIT 5: Enabling Information
  • COBIT 5 for Information Security
  • COBIT 5 for Risk
  • COBIT 5 for Assurance
Available for purchase at ISACA  (some can be downloaded for free by members).

Training & Certification:

Courses for Foundation, Implementation, Assessor
Certifications for these courses (from ISACA)


ITIL

A collection of best practices for managing the delivery of IT services.  It can be, and may be, incorporated into COBIT.
  • ITIL Service Strategy: understands organizational objectives and customer needs.
  • ITIL Service Design: turns the service strategy into a plan for delivering the business objectives.
  • ITIL Service Transition: develops and improves capabilities for introducing new services into supported environments.
  • ITIL Service Operation: manages services in supported environments.
  • ITIL Continual Service Improvement: achieves incremental and large-scale improvements in services.
Available for purchase from itSMF-US or Amazon.

Other books on ITIL are available.  Be sure they are for the 2011 version!!!

Training & Certification:

Courses for Foundation, Practitioner, Intermediate, Expert, Master
Certifications for these courses (through Axelos)

If anyone has suggestions for other resources, please add them in the comments below!


  1. UPDATE:
    I have learned that NIST has a PRE-DRAFT version of SP800-53R5, which will be the next version of this core document for FISMA.
    This document is available for public comment.