At the 2019 BSides Tampa Security conference I gave a talk on 2019 updates to frameworks, standards, and regulations for infosec. Over the last year several new and updated frameworks and regulations have come out, and others are still being revised.
Most of this information can be found on the Internet, but if you're not making an effort to stay up to date, you can miss something. So here are links to much of the information I covered.
NIST is the National Institute of Standards and Technology, a non-regulatory part of the Department of Commerce. They are doing a lot of things that affect us in infosec. Most are hopefully familiar with the Special Publication 800 and 1800 series that are put out on a regular basis. Several are being developed, updated, and in a few cases retired. Go HERE to access all of them.
The NIST Cybersecurity Framework (CSF) was updated to version 1.1 last year, and NIST held a cyber risk conference in October. The CSF also just had its 5th anniversary. For full info on the CSF and any updates, go HERE. One element I am looking forward to is an update to the informative references that will add further mappings (such as crosswalks to PCI-DSS, Standards of Good Controls, etc.). Hopefully we'll start seeing these come out.
NIST Privacy Framework. NIST has embarked on creating a privacy framework like the one they built for cybersecurity. This work has just begun; they are working on a preliminary framework which we should see soon, and I would hope there will be further workshops and feedback before the final version is out. To see where they are, go HERE.
FISMA is the Federal Information Security Management Act. It sets down security standards for federal information systems, and NIST develops the supporting materials: the Risk Management Framework (SP 800-37), the control set (SP 800-53), and others. They are in the middle of updating these, having just released the latest revision of the RMF. The control set is next, with others to follow. Go HERE for their page on this work. The schedule is HERE.
The Baldrige Cybersecurity Excellence Builder combines NIST's Baldrige Performance Excellence work with the CSF. It was rolled out in 2017 and should get an update this spring. You can download it for free HERE, along with info on how others have used it successfully.
NIST OSCAL (the Open Security Controls Assessment Language) is an interesting project that attempts to create a common, machine-readable language for describing security controls and their assessment, so that control catalogs, baselines, and assessment results can be exchanged and processed by tools rather than re-keyed from documents. This is a project I want to spend more time looking into myself. More info on their website HERE.
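To give a feel for what "machine-readable controls" buys you, here is a small added example (my own illustration, not code from NIST or the OSCAL project). It walks a hand-constructed, OSCAL-style JSON catalog of controls, indexes them, and resolves a hand-constructed profile (a baseline that selects controls by id) against that catalog, flagging any id the profile asks for that the catalog does not define. The JSON only approximates the shape of OSCAL's catalog and profile models (catalog, groups, controls, nested controls for enhancements; profile, imports, include-controls, with-ids); the field names and the sample controls are assumptions for illustration, not a reproduction of the official schema or of any real catalog.

```python
"""Index a minimal OSCAL-style catalog and resolve a profile against it.

Added example, not from the original post or from NIST. CATALOG_JSON and
PROFILE_JSON are constructed samples; their field names only approximate
OSCAL's catalog/profile layout and are an assumption of this example.
"""
import json

# Constructed sample catalog: two groups, four controls, one enhancement
# (ac-2.1) nested under its parent control.
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample control catalog", "version": "0.1"},
    "groups": [
      {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Access Control Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management", "controls": [
          {"id": "ac-2.1", "title": "Automated System Account Management"}
        ]}
      ]},
      {"id": "ir", "title": "Incident Response", "controls": [
        {"id": "ir-1", "title": "Incident Response Policy and Procedures"},
        {"id": "ir-4", "title": "Incident Handling"}
      ]}
    ]
  }
}
"""

# Constructed sample profile (baseline) selecting controls by id. It
# deliberately asks for "ac-99", which the catalog does not define, so the
# resolver has to report the gap instead of silently dropping it.
PROFILE_JSON = """
{
  "profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Sample low baseline", "version": "0.1"},
    "imports": [
      {"href": "#catalog",
       "include-controls": [{"with-ids": ["ac-1", "ac-2", "ir-4", "ac-99"]}]}
    ]
  }
}
"""


def iter_controls(node, group_id=None):
    """Yield (control_id, title, group_id) for every control under node,
    recursing into nested groups and into nested controls (enhancements)."""
    for group in node.get("groups", []):
        yield from iter_controls(group, group["id"])
    for ctl in node.get("controls", []):
        yield ctl["id"], ctl["title"], group_id
        yield from iter_controls(ctl, group_id)


def index_catalog(catalog_doc):
    """Map control id -> (title, group id) for the whole catalog."""
    return {cid: (title, gid)
            for cid, title, gid in iter_controls(catalog_doc["catalog"])}


def resolve_profile(profile_doc, index):
    """Return (selected, missing): the controls the profile selects that exist
    in the catalog, and the ids it asks for that the catalog does not define."""
    wanted = []
    for imp in profile_doc["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            wanted.extend(inc.get("with-ids", []))
    selected = {cid: index[cid] for cid in wanted if cid in index}
    missing = sorted(cid for cid in wanted if cid not in index)
    return selected, missing


def controls_per_group(index):
    """Count how many controls (including enhancements) each group defines."""
    counts = {}
    for _title, gid in index.values():
        counts[gid] = counts.get(gid, 0) + 1
    return counts


def run_sample():
    """Index the constructed catalog and resolve the constructed profile."""
    idx = index_catalog(json.loads(CATALOG_JSON))
    selected, missing = resolve_profile(json.loads(PROFILE_JSON), idx)
    return idx, selected, missing


if __name__ == "__main__":
    idx, chosen, gaps = run_sample()
    print("controls per group:", controls_per_group(idx))
    for cid, (title, gid) in sorted(chosen.items()):
        print(f"{gid}: {cid} {title}")
    if gaps:
        print("profile references unknown controls:", ", ".join(gaps))
```

The point of the exercise is the last line: once controls and baselines are data rather than PDF prose, a dangling reference in a baseline, or a crosswalk entry that points at a control nobody defined, becomes something a script catches instead of something an assessor notices months later.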
Hopefully most have heard of the "Critical Controls" or the "Critical Security Controls". Maybe you've heard them referred to as the "Top 20" or the "SANS 20" or the like. While the list was started by SANS, they no longer manage it. For the last few years it has been handled by the Center for Internet Security, which released v6 and, in early 2018, v7. They reorganized the 20 controls into 3 groups: Basic, Foundational, and Organizational. They have been putting out other resources for it, including the CSAT, a self-assessment tool. They are working on a v7.1, and I expect more resources from CIS, so keep your eye out for them: they just rolled out a companion guide for cloud (go HERE) and are working on another for IoT.
ISO/IEC 27000 is the international standard series for information security. It is made up of about 50-60 documents in various states of work. Sadly, the documents are not free, and each costs over $100. The key documents are usually 27001 and 27002: 27001 sets down the ISMS (Information Security Management System) requirements and 27002 is the control set (compare with SP 800-53). As several of the documents are being worked on, it's hard to keep up. ISO/IEC 27005 was updated. My go-to site to keep up to date on this is iso27002security.com.
Privacy regs (GDPR & California). Privacy is getting more and more important. While we work in security, we often get pulled into privacy work as well. The EU's GDPR (General Data Protection Regulation) came into force last year, and we've already seen some big companies get in trouble. While I see a lot of groups pushing GDPR training and the like, as a consultant I'm not seeing a lot of clients asking for help. Yet. California is rolling out its regulation, which isn't in effect yet. We'll see if other states roll out or update their privacy regulations.
One I left out of my presentation is 23 NYCRR 500, the New York Department of Financial Services (NY DFS) regulation on cybersecurity. Rolled out a couple of years ago, its various elements have been phased in, with the last deadline this March. The regulation expects covered companies to do certain things to protect NPI (non-public information): have a security program and policies, do pentesting and vulnerability scanning, have a CISO, do training, have an incident response plan, have a vendor management program, etc. This may be a model for other states. You can read it all HERE.
Now, there are some other items that aren't pure infosec/cybersecurity but do touch on it, so they should be mentioned.
CMMI, the Capability Maturity Model Integration, started as the Capability Maturity Model for assessing the maturity of software development processes and was later expanded and merged into CMMI, with Development, Services, and Acquisition versions. The Software Engineering Institute at CMU developed it, and it used to be available for free or via books. But the SEI moved it to the CMMI Institute, which was recently bought by ISACA. They've rolled out CMMI v2.0, but it's available as a SaaS product and is no longer free. The CMMI Institute has also rolled out a Cybermaturity Platform, again as a SaaS product. I'd like to learn more about it, but that's hard to do.
COBIT, ISACA's framework for governance of enterprise IT, has been updated to COBIT 2019. They've rolled out the new books, and hopefully the other materials will be updated to COBIT 2019 as well.
ITIL is a framework for IT Service Management, which includes infosec. The current version is ITIL v3 (2011 edition). It's being updated to a new version, ITIL 4. So far only the Foundation certification material has been updated. Hopefully they will update the 5 main books this year.
PCI-DSS is the standard for securing systems that store, process, or transmit payment card data. The current version is 3.2.1, a minor revision tied to the SSL/early TLS migration deadline. The next version, v4, is coming, but not for another year or so. It will be a very different version, but info on it is hard to find. I'm sure we'll learn more as we move further along.
Hopefully this is useful for others. As I learn of new updates, I'll make further postings.
Thanks for sharing very informative content.
I'm interested in whether we'll see a revision to the FFIEC CSAT.
Ditto. It's overdue, what with CSF 1.1 being out. They just updated the Baldrige Cybersecurity Excellence Builder to v1.1 for that reason (as well as updating the Baldrige Excellence Builder).
Nice blog... This post shares a lot of valuable links for the NIST framework. I want to share more information on the NIST incident response framework. Thanks