Various government and private entities have realized that while it is increasingly important to have a security policy, creating an effective and comprehensive one is hard. Hence, they have published many standards and frameworks to help with creating and implementing security policies. You can use one or more of these frameworks as the basis of your own policy and customize as required. While there are many organizations around the world that publish and maintain such standards and frameworks, these are the two most important ones:
- International Organization for Standardization (ISO): ISO is an independent nongovernmental organization composed of representatives from 162 national standards organizations. ISO publishes standards that help establish quality requirements across products and services, ranging from manufacturing and technology to agriculture and healthcare. By following these standards and getting certified, organizations prove to their customers that their products, procedures, or services meet internationally accepted standards. Certification is optional. The standards can be used to simply improve quality within an organization without going through the certification process.
- National Institute of Standards and Technology (NIST): NIST is a measurement standards laboratory. Even though it is part of the U.S. Department of Commerce, it is a non-regulatory organization. It provides measurements and standards for technology, including cybersecurity. Much as with ISO, standards from NIST can be used to certify products and services, or they can be used simply to improve quality.
These two organizations and various others have published many security standards and frameworks. While any of them can be used to create a security policy, the two most common ones in use today—and the ones most relevant to the exam—are ISO/IEC 27001/27002 and NIST Cyber Security Framework (CSF).
ISO/IEC 27001 and 27002
ISO and the International Electrotechnical Commission (IEC) jointly publish the ISO/IEC 27000 series standards, which are collectively known as the “Information Security Management Systems (ISMS) Family of Standards.” This series contains 45 individual standards related to information security. Out of these 45, 27001 and 27002 are most relevant for our discussion:
- ISO/IEC 27001, “Information Security Management Systems—Requirements”: This standard provides the specifications for an information security management system and can be used as the framework for an organization’s security policy. If an organization implements the standard and is compliant with all requirements, it can apply to be audited and certified. Certification is not mandatory, and the standard can also be used only as a reference framework for a security policy.
- ISO/IEC 27002, “Code of Practice for Information Security Controls”: This standard outlines the best practices for implementation of a very comprehensive list of controls in information security. It is used to implement the controls identified in a security policy. The standard is based on the principles of confidentiality, integrity, and availability (CIA), which are considered cornerstones of security:
  - Confidentiality defines the capability to ensure that information in all its states is accessible only by authorized users. This is the most important and obvious aspect of a security system and also what most attackers aim to breach. Unauthorized access to information is the single biggest intent behind most attacks. Encryption and authentication are the two primary ways to ensure confidentiality. For example, if data is not encrypted in transit, it can be captured on the wire using man-in-the-middle (MITM) attacks, resulting in loss of confidentiality.
  - Integrity defines the need to prevent unauthorized modification of information and systems in any state. Breached integrity is as bad as breached confidentiality. Encryption and authentication are also used to ensure integrity. Continuing the previous example, during a successful MITM attack, the attacker can not only breach confidentiality but also choose to modify information in transit—which results in loss of integrity as well.
  - Availability defines the need to prevent loss of access to information or to a system. Information should always be readily available to authorized users. DoS or the larger-scale DDoS attacks are common methods that attackers use to disrupt availability.
The latest revision of the ISO/IEC 27002 standard, published in 2013, is divided into 19 sections. The first 5 are introductory:
- Introduction
- Scope
- Normative references
- Terms and definitions
- Structure of This Standard
The remaining 14 sections describe different security control types and their objectives:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Going into detail about the sections of ISO/IEC 27002:2013 is beyond the scope of this book, as well as the CCIE exam, but it is important to map out what Cisco products and technologies can be used to implement controls described in some of the relevant sections. Table 1 lists relevant sections and Cisco products that can be used to implement controls specified in those sections. It is important to remember that the standard deals with a complete information security system and its management, so network security is only a part of it.
Table 1 ISO/IEC 27002:2013 and Cisco Security Products

| Section | Cisco Product | Details |
|---|---|---|
| 8. Asset Management | ISE | Section 8.1.1 lists the controls for identification of assets. The profiling feature of ISE can be used to profile assets on the network. |
| 9. Access Control | ISE | Section 9.1.2 lists controls for access to networks and network services. ISE helps authenticate and authorize users requesting access to the network or network devices. |
| 10. Cryptography | ASA, NGFW, routers | Section 10 lists the controls for cryptography. Various Cisco products, such as ASA, NGFW, and routers, provide encryption using different types of VPN. |
| 12. Operations Security | AMP, ISE, Umbrella, NGFW, ESA, WSA | Section 12.2 lists the controls for protection against malware. For example, AMP provides protection against malware, and it can be integrated with NGFW, WSA, and ESA, or can be used as a standalone device in the network and on endpoints. Umbrella also prevents malware execution by preventing communication with the command and control infrastructure. Section 12.6 calls for vulnerability management. Posture validation with Cisco ISE can be used to ensure that operating systems and antimalware are updated with the latest patches and definitions. |
| 13. Communications Security | ISE, NGFW, ASA | Section 13.1 lists controls for network security management and segregation or segmentation in particular. ISE can be used to provide segmentation with TrustSec. Segmentation can also be achieved by using NGFW and ASA with or without TrustSec. |
| 16. Information Security Incident Management | Stealthwatch, NGFW, NGIPS | Section 16.1 lists controls for incident management. Stealthwatch, NGFW, and NGIPS generate, collect, and store event logs and analytical information that can be used to investigate incidents. |
NIST Cybersecurity Framework
NIST created the Cybersecurity Framework (CSF) in response to the U.S. presidential executive order titled “Improving Critical Infrastructure Cybersecurity.” It is a voluntary framework developed in collaboration with private industry to provide guidance on cybersecurity risk. It helps organizations assess their current security profile and determine the desired target profile.
It is important to understand that the CSF does not provide a list of specific security controls that an organization should implement. It only provides a common set of activities that an organization can use to identify and mitigate its risk. It draws on and references other standards, such as ISO 27002, for recommending controls.
The framework is divided into three parts:
Core: The framework core is a set of cybersecurity activities, desired outcomes, and references applicable across the critical assets of an organization. It is organized into 5 functions: identify, protect, detect, respond, and recover. These functions are further divided into 22 categories, as shown in Table 2. These are further divided into 98 subcategories and references.
Table 2 NIST CSF Core Functions and Categories

| Function Identifier | Function | Category Identifier | Category |
|---|---|---|---|
| ID | Identify | ID.AM | Asset Management |
| | | ID.BE | Business Environment |
| | | ID.GV | Governance |
| | | ID.RA | Risk Assessment |
| | | ID.RM | Risk Management Strategy |
| PR | Protect | PR.AC | Access Control |
| | | PR.AT | Awareness and Training |
| | | PR.DS | Data Security |
| | | PR.IP | Information Protection |
| | | PR.MA | Maintenance |
| | | PR.PT | Protective Technology |
| DE | Detect | DE.AE | Anomalies and Events |
| | | DE.CM | Continuous Monitoring |
| | | DE.DP | Detection Processes |
| RS | Respond | RS.RP | Response Planning |
| | | RS.CO | Communications |
| | | RS.AN | Analysis |
| | | RS.MI | Mitigation |
| | | RS.IM | Improvements |
| RC | Recover | RC.RP | Recovery Planning |
| | | RC.IM | Improvements |
| | | RC.CO | Communications |
Implementation Tiers: The framework implementation tiers describe the degree to which an organization has implemented controls for each category of the framework core. The tiers are divided into four increasing levels: partial, risk-informed, repeatable, and adaptive. An organization has to decide the current and desired levels of implementation for each category based on risk tolerance. Increasing tier levels do not necessarily indicate maturity; the goal of the framework is not to ensure that an organization is at Tier 4 for each category.
Profile: The framework comes together in the framework profiles. An organization selects the categories and subcategories that align with its business needs. Then it identifies the controls that are already in place to create the current profile. Next, it creates a desired state, or target profile. The current profile can then be used to support prioritization and measurement of progress toward the target profile, while factoring in other business needs, including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
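The current-profile versus target-profile comparison described above, as an added example that is not part of the book or of the NIST framework itself. It uses the category identifiers from Table 2 and the four Implementation Tiers; the current and target tier values are constructed sample data, and, as the tiers discussion notes, a target below Tier 4 is a legitimate choice driven by risk tolerance.

```python
"""Added example: minimal NIST CSF profile gap check (not from the book).

Category identifiers come from Table 2; the tier names are the four
Implementation Tiers.  SAMPLE_CURRENT / SAMPLE_TARGET are constructed data."""

# Implementation Tiers in increasing order (Tier 1 .. Tier 4).
TIERS = {"partial": 1, "risk-informed": 2, "repeatable": 3, "adaptive": 4}

# Core functions and their categories, in the order Table 2 lists them.
CORE = {
    "ID": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "PR": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "DE": ["DE.AE", "DE.CM", "DE.DP"],
    "RS": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "RC": ["RC.RP", "RC.IM", "RC.CO"],
}
CORE_ORDER = [cat for cats in CORE.values() for cat in cats]
POSITION = {cat: i for i, cat in enumerate(CORE_ORDER)}


def profile_gaps(current, target):
    """Return [(category, current_tier, target_tier, gap)] for every category
    selected in the target profile whose current tier is below the target,
    largest gap first (ties broken by Table 2 order).  A category missing
    from the current profile is treated as unassessed, i.e. Tier 1 (partial).
    Unknown category identifiers or tier names raise ValueError."""
    gaps = []
    for cat, want in target.items():
        if cat not in POSITION:
            raise ValueError(f"unknown CSF category: {cat}")
        have = current.get(cat, "partial")
        if want not in TIERS or have not in TIERS:
            raise ValueError(f"unknown tier name for {cat}")
        gap = TIERS[want] - TIERS[have]
        if gap > 0:
            gaps.append((cat, have, want, gap))
    return sorted(gaps, key=lambda g: (-g[3], POSITION[g[0]]))


# Constructed sample profiles: PR.AC already meets its target and RC.RP has
# not been assessed yet.
SAMPLE_CURRENT = {"ID.AM": "risk-informed", "PR.AC": "repeatable",
                  "DE.CM": "partial", "RS.AN": "risk-informed"}
SAMPLE_TARGET = {"ID.AM": "repeatable", "PR.AC": "repeatable",
                 "DE.CM": "adaptive", "RS.AN": "repeatable",
                 "RC.RP": "risk-informed"}

if __name__ == "__main__":
    for cat, have, want, gap in profile_gaps(SAMPLE_CURRENT, SAMPLE_TARGET):
        print(f"{cat}: {have} -> {want} (gap {gap})")
```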
Going into further details about CSF is beyond the scope of this book and the exam, but it is important to map out Cisco products and technologies that can be used in each relevant category for the framework, as shown in Table 3.
Table 3 Cisco Security Products and NIST CSF

| CSF Function | CSF Category | Cisco Products |
|---|---|---|
| Identify | Asset Management | ISE, NGFW, Stealthwatch |
| | Risk Assessment | Cognitive Threat Analytics, NGFW |
| Protect | Access Control | ISE, NGFW, Umbrella |
| | Data Security | All Cisco Security Products |
| | Maintenance | ISE with AnyConnect |
| | Protective Tech. | ISE, NGFW |
| Detect | Anomalies & Events | AMP, Stealthwatch, WSA/ESA, Umbrella, NGFW |
| | Continuous Monitoring | AMP, Stealthwatch, ESA, CTA, NGFW |
| Respond | Analysis | AMP, Stealthwatch, WSA, ESA, NGFW |
| | Mitigation | All Cisco Security Products |