Not covered were enterprise architecture models like Zachman or TOGAF. Left out are other security frameworks like SABSA or things like RESILIA, FedRAMP or Cloud Control Matrix, SSAE 16/SOC, Secure DevOps, or Maturity Models for security.
Covered were:
- CIS CSC
- NIST CSF (plus FFIEC CAT)
- ISO/IEC 27001
- FISMA
- HIPAA
- GLBA
- SOX (plus COSO)
- PCI-DSS
- COBIT 5
- ITIL
I recently found this graphic, known as the Calder-Moir IT Governance Framework, that shows how all these frameworks and more all fit together.
As the workshop was an introduction or survey, I wanted to provide attendees with a list of further resources to help them learn more on this, including training and certification. So all that is given here:
CIS CSC
Know to most people as the "SANS Top20" or the like, the Critical Security Controls are a set of 20 critical items every org should look to implement. If an org doesn't have a good information security program, this is a good start before they move to something more complex.The CIS Critical Security Controls for Effective Cyber Defense, 6.0
Download from CIS or SANS Both sites have other resources for the CSC
Training & Certification:
SANS- AUD440: Critical Security Controls- Planning, Implementing, Auditing (2 days)SANS- AUD560: Implementing & Auditing the Critical Security Controls (5 days)
GCCC- GIAC Critical Controls Certification (w/AUD560)
NIST CSF (plus FFIEC CAT)
NIST Cybersecurity Framework was rolled out as a voluntary information security framework for organizations to develop their information security program. Interestingly are the cross-links to other frameworks.Framework for Improving Critical Infrastructure Cybersecurity
Download from NIST This site is a great resource site.
FFIEC Cybersecurity Assessment Tool (FFIEC CAT), OMB Control 1557-0328, June 2015
Download from FFIEC
An assessment tool to use mainly with financial institutions that output your current profile and tier for the NIST CSF.
Training & Certification:
Implementing CSF with COBIT 5 (from ISACA)Certificate with course (from ISACA)
ISO/IEC 27001:2013
ISO 27001 is an international standard used to develop organizations information security programs.- Information security management systems -- Requirements, ISO/IEC 27001:2013
- Code of practice for information security controls, ISO/IEC 27002:2013
- Information security management system implementation guidance, ISO/IEC 27003:2010
- Information security management — Measurement, ISO/IEC 27004:2009
- Information security risk management, ISO/IEC 27005:2011
- and others in the 27000 series.
Several works available on ISO 27001/2, but be sure they are about the 2013 version!
Training & Certification:
Courses for Foundation, Practitioner, Lead Implementer, Lead Auditor
Certifications for these courses (thru PECB and APMG)
Certifications for these courses (thru PECB and APMG)
FISMA
Federal Information Security Management Act applied to federal agencies and sets down a risk management framework (RMF) and a framework for their information security program. Other government agencies (state, country, city) levels may implement it as can some government contractors.- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200 Minimum Security Requirements for Federal Information Systems
- NIST SP 800-18, Rev 1. Guide for Developing Security Plans for Federal Information Systems
- NIST SP 800-30, Rev 1. Guide for Conducting Risk Assessments
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-37, Rev 1. Guide for Applying the Risk Management Framework to Federal Information Systems
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-53, Rev 4. Security and Privacy Controls
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
- NIST SP 800-60, Vol. 1 Guide for Mapping Types of Info. and Information Systems to Security Categories
- NIST SP 800-60, Vol. 2 Append., Guide for Mapping Types of Info. and Info. Systems to Security Categories
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
- NIST SP 800-160,
Taylor, Laura. FISMA Compliance Handbook, 2nd edition, Sybex, 2013
Training & Certification:
FISMA Center offers training & certification
ISC(2)- CAP certification
HIPAA
Health Insurance Portability and Accountability Act, along with the later HITECH Act are regulations regarding the protection of medical records. Organizations that create medical records (hospitals, doctor offices, etc) and third parties that store or handle medical records are subject to it.A good source of information from an IT background is HealthIT.gov. Especially check out their SRAtool which can be used to do a HIPAA security risk assessment and can be a good intro, as well as:
Guide to Privacy and Security of Electronic Health Records
HIPAA Security Toolkit Application
Summary of Security Rule
Training & Certification:
GLBA
Graham-Leach-Bliley Act is about protecting personally identifiable information in financial institutions.Examination Procedures to Evaluate Compliance with the Guidelines to Safeguard Customer Information, OCC 2001-35,
Download from Office of the Comptroller of the Currency
Training & Certification:
NONE KNOWNSOX (plus COSO)
Sarbanes-Oxley Act address financial mismanagement in public corporations. Section 404 is about internal controls on financial systems.Guy Lander. What is Sarbanes-Oxley?, McGraw-Hill
Christian Lahti/Roderick Peterson. Sarbanes-Oxley IT Compliance Using Open Source Tools, 2nd ed. Sybex
IT Control Objectives for Sarbanes-Oxley: Using COBIT® 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition. ISACA
COSO Committee of the Sponsoring Organizations are 5 groups that came together and developed internal controls that are often used to met SOX requirements.
COSO’s Internal Controls- Integrated Framework- 3 volume set from AICPA.
COSO Internal Control Integrated Framework Turning Principles Into Positive Action, IIA Research, 2013
Executive's Guide to COSO Internal Controls, Wiley 2015
Internal Control Audit and Compliance, Wiley 2015
WARNING, have not seen the above 3 works!!!
Training & Certification:
SOX- NONE KNOWN
COSO- Courses and certificates from AICPA
COSO- Courses and certificates from AICPA
PCI-DSS
Required controls to secure cardholder data, as mandated by credit card companies.PCI-DSS 3.1 (v3.2 coming real soon!!!)
Available for download at PCI Security Standards Council
- A Practical Guide to the Payment Card Industry Data Security Standard (2015) ISACA
- PCI Compliance, 4th Edition (2014)
- PCI DSS 3.1 (2015) Addendum to above book
- PCI Compliance: the Definitive Guide (2014)
WARNING, have not seen the above 4 works!!!
Training & Certification:
Training and Certification from PCI Security Standards Council
COBIT 5
Framework for setting down the governance of enterprise IT used around the world. Also incorporates many other frameworks and standards.- COBIT 5
- COBIT 5 Implementation
- COBIT 5: Enabling Processes
- COBIT 5: Enabling Information
- COBIT 5 for Information Security
- COBIT 5 for Risk
- COBIT 5 for Assurance
Training & Certification:
Courses for Foundation, Implementation, Assessor
Certifications for these courses (from ISACA)
ITIL
Collection of best practices for managing the delivery of IT services. Can and maybe incorporated into COBIT.- ITIL Service Strategy: understands organizational objectives and customer needs.
- ITIL Service Design: turns the service strategy into a plan for delivering the business objectives.
- ITIL Service Transition: develops and improves capabilities for introducing new services into supported environments.
- ITIL Service Operation: manages services in supported environments.
- ITIL Continual Service Improvement: achieves services incremental and large-scale improvements.
Other books on ITIL available. Be sure they are for the 2011 version!!!
Training & Certification:
Courses for Foundation, Practitioner, Intermediate, Expert, Master
Certifications for these courses (thru Axelos)
If any have suggestions for other resources, please add in the comments below!
UPDATE:
ReplyDeleteI have learned that NIST has a PRE-DRAFT version of SP800-53R5, which will be the next version of this core document for FISMA.
This document is available for public comment.
Are you planning for ISO Certification? Are you looking for establishing management system for Quality/ Security/ Service and Continuity practices? Then look no further beyond Consultants Factory.
ReplyDeleteWe at Consutants Factory offer ISO Certifications in ISO 9001 / ISO 14001/ ISO 20000 / ISO 27001 and ISO 22301.
For more details follow: https://www.consultantsfactory.com/iso-certification-assistance
ISO 27001 implementation
ISO 27001 consulting
ISO 27001 certification
Get ISO certified from Consultants Factory
ReplyDeleteinformation security consulting
iso 27001 consulting
ISO 27000 certification in Bangalore
ISO 27000 certification
ISO certification