Security Standards and Frameworks overview

Various government and private entities have realized that while it is increasingly important to have a security policy, creating an effective and comprehensive one is hard. Hence, they have published many standards and frameworks to help with creating and implementing security policies. You can use one or more of these frameworks as the basis of your own policy and customize as required. While there are many organizations around the world that publish and maintain such standards and frameworks, these are the two most important ones:

  • International Organization for Standardization (ISO): ISO is an independent nongovernmental organization composed of representatives from 162 national standards organizations. ISO publishes standards that help establish quality requirements across products and services, ranging from manufacturing and technology to agriculture and healthcare. By following these standards and getting certified, organizations prove to their customers that their products, procedures, or services meet internationally accepted standards. Certification is optional. The standards can be used to simply improve quality within an organization without going through the certification process.
  • National Institute of Standards and Technology (NIST): NIST is a measurement standards laboratory. Even though it is part of the U.S. Department of Commerce, it is a non-regulatory organization. It provides measurements and standards for technology, including cybersecurity. Much as with ISO, standards from NIST can be used to certify products and services, or they can be used simply to improve quality.

These two organizations and various others have published many security standards and frameworks. While any of them can be used to create a security policy, the two most common ones in use today—and the ones most relevant to the exam—are ISO/IEC 27001/27002 and NIST Cyber Security Framework (CSF).

ISO/IEC 27001 and 27002

ISO and the International Electrotechnical Commission (IEC) jointly publish the ISO/IEC 27000 series standards, which are collectively known as the “Information Security Management Systems (ISMS) Family of Standards.” This series contains 45 individual standards related to information security. Out of these 45, 27001 and 27002 are most relevant for our discussion:

ISO/IEC 27001, “Information Security Management Systems—Requirements”: This standard provides the specifications for an information security management system and can be used as the framework for an organization’s security policy. If an organization implements the standard and is compliant with all requirements, it can apply to be audited and certified. Certification is not mandatory, and the standard can also be used only as a reference framework for a security policy.

ISO/IEC 27002, “Code of Practice for Information Security Controls”: This standard outlines best practices for implementing a very comprehensive list of information security controls. It is used to implement the controls identified in a security policy. The standard is based on the principles of confidentiality, integrity, and availability (CIA), which are considered the cornerstones of security:

Confidentiality defines the capability to ensure that information in all its states is accessible only by authorized users. This is the most important and obvious aspect of a security system and also what most attackers aim to breach. Unauthorized access to information is the single biggest intent behind most attacks. Encryption and authentication are the two primary ways to ensure confidentiality. For example, if data is not encrypted in transit, it can be captured on the wire using man-in-the-middle (MITM) attacks, resulting in loss of confidentiality.

Integrity defines the need to prevent unauthorized modification of information and systems in any state. Breached integrity is as bad as breached confidentiality. Encryption and authentication are also used to ensure integrity. Continuing the previous example, during a successful MITM attack, the attacker can not only breach confidentiality but also choose to modify information in transit—which results in loss of integrity as well.

Availability defines the need to prevent loss of access to information or to a system. Information should always be readily available to authorized users. Denial-of-service (DoS) attacks, or the larger-scale distributed DoS (DDoS) attacks, are common methods that attackers use to disrupt availability.

The latest revision of the ISO/IEC 27002 standard, published in 2013, is divided into 19 sections. The first 5 (sections 0 through 4) are introductory:

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of This Standard

The remaining 14 sections (5 through 18, the numbers Table 1 refers to) describe different security control types and their objectives:

  5. Information Security Policies
  6. Organization of Information Security
  7. Human Resource Security
  8. Asset Management
  9. Access Control
  10. Cryptography
  11. Physical and Environmental Security
  12. Operations Security
  13. Communications Security
  14. System Acquisition, Development and Maintenance
  15. Supplier Relationships
  16. Information Security Incident Management
  17. Information Security Aspects of Business Continuity Management
  18. Compliance

Going into detail about the sections of ISO/IEC 27002:2013 is beyond the scope of this book, as well as the CCIE exam, but it is important to map out what Cisco products and technologies can be used to implement controls described in some of the relevant sections. Table 1 lists relevant sections and Cisco products that can be used to implement controls specified in those sections. It is important to remember that the standard deals with a complete information security system and its management, so network security is only a part of it.

Table 1 ISO/IEC 27002:2013 and Cisco Security Products

| Section | Cisco Product | Details |
|---|---|---|
| 8. Asset Management | ISE | Section 8.1.1 lists the controls for identification of assets. The profiling feature of ISE can be used to profile assets on the network. |
| 9. Access Control | ISE | Section 9.1.2 lists controls for access to networks and network services. ISE helps authenticate and authorize users requesting access to the network or network devices. |
| 10. Cryptography | ASA, NGFW, routers | Section 10 lists the controls for cryptography. Various Cisco products, such as ASA, NGFW, and routers, provide encryption using different types of VPN. |
| 12. Operations Security | AMP, ISE, Umbrella, NGFW, ESA, WSA | Section 12.2 lists the controls for protection against malware. For example, AMP provides protection against malware, and it can be integrated with NGFW, WSA, and ESA, or can be used as a standalone device in the network and on endpoints. Umbrella also prevents malware execution by preventing communication with the command and control infrastructure. Section 12.6 calls for vulnerability management. Posture validation with Cisco ISE can be used to ensure that operating systems and antimalware are updated with the latest patches and definitions. |
| 13. Communications Security | ISE, NGFW, ASA | Section 13.1 lists controls for network security management and segregation or segmentation in particular. ISE can be used to provide segmentation with TrustSec. Segmentation can also be achieved by using NGFW and ASA with or without TrustSec. |
| 16. Information Security Incident Management | Stealthwatch, NGFW, NGIPS | Section 16.1 lists controls for incident management. Stealthwatch, NGFW, and NGIPS generate, collect, and store event logs and analytical information that can be used to investigate incidents. |

NIST Cybersecurity Framework

NIST created the Cybersecurity Framework (CSF) based on the executive order of the president titled “Improving Critical Infrastructure Cybersecurity.” It is a voluntary framework developed in collaboration with private industries to provide guidance on cybersecurity risk. It helps organizations in assessing their current security profile and in determining the desired target profile.

It is important to understand that the CSF does not provide a list of specific security controls that an organization should implement. It only provides a common set of activities that an organization can use to identify and mitigate its risk. It draws on and references other standards, such as ISO 27002, for recommending controls.

The framework is divided into three parts:

Core: The framework core is a set of cybersecurity activities, desired outcomes, and references applicable across the critical assets of an organization. It is organized into 5 functions: identify, protect, detect, respond, and recover. These functions are further divided into 22 categories, as shown in Table 2. These are further divided into 98 subcategories and references.

Table 2 NIST CSF Core Functions and Categories

| Function Identifier | Function | Category Identifier | Category |
|---|---|---|---|
| ID | Identify | ID.AM | Asset Management |
| | | ID.BE | Business Environment |
| | | ID.GV | Governance |
| | | ID.RA | Risk Assessment |
| | | ID.RM | Risk Management Strategy |
| PR | Protect | PR.AC | Access Control |
| | | PR.AT | Awareness and Training |
| | | PR.DS | Data Security |
| | | PR.IP | Information Protection |
| | | PR.MA | Maintenance |
| | | PR.PT | Protective Technology |
| DE | Detect | DE.AE | Anomalies and Events |
| | | DE.CM | Continuous Monitoring |
| | | DE.DP | Detection Processes |
| RS | Respond | RS.RP | Response Planning |
| | | RS.CO | Communications |
| | | RS.AN | Analysis |
| | | RS.MI | Mitigation |
| | | RS.IM | Improvements |
| RC | Recover | RC.RP | Recovery Planning |
| | | RC.IM | Improvements |
| | | RC.CO | Communications |

Implementation Tiers: The framework implementation tiers describe the degree to which an organization has implemented controls for each category of the framework core. The tiers are divided into four increasing levels: partial, risk-informed, repeatable, and adaptive. An organization has to decide the current and desired levels of implementation for each category based on risk tolerance. Increasing tier levels do not necessarily indicate maturity; the goal of the framework is not to ensure that an organization is at Tier 4 for each category.

Profile: The framework comes together in the framework profiles. An organization selects the categories and subcategories that align with its business needs. Then it identifies the controls that are already in place to create the current profile. Next, it creates a desired state, or target profile. The current profile can then be used to support prioritization and measurement of progress toward the target profile, while factoring in other business needs, including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
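To make the tier and profile mechanics concrete, here is a small added example (not from the book, and not NIST tooling) that models the Table 2 categories, maps the four implementation tiers to levels 1 through 4, and computes the per-category gap between a current profile and a target profile plus the progress made from a baseline profile. The profile dictionaries, the absent-category default of "partial", and the helper names are assumptions for illustration.

```python
# Added example: a minimal NIST CSF profile gap analysis. Not NIST tooling;
# the core is reduced to the Table 2 categories and tiers are mapped to 1..4.
# CSF core functions and their categories, as listed in Table 2.
CSF_CORE = {
    "ID": ["AM", "BE", "GV", "RA", "RM"],
    "PR": ["AC", "AT", "DS", "IP", "MA", "PT"],
    "DE": ["AE", "CM", "DP"],
    "RS": ["RP", "CO", "AN", "MI", "IM"],
    "RC": ["RP", "IM", "CO"],
}
CATEGORIES = {f"{fn}.{c}" for fn, cats in CSF_CORE.items() for c in cats}

# Implementation tiers, lowest to highest; Tier 4 is not the goal everywhere.
TIERS = {"partial": 1, "risk-informed": 2, "repeatable": 3, "adaptive": 4}

def tier_level(name):
    """Map a tier name to its level 1..4, rejecting unknown names."""
    if name.lower() not in TIERS:
        raise ValueError(f"unknown tier: {name!r}")
    return TIERS[name.lower()]

def gap_report(current, target):
    """List (category, current_level, target_level, gap) for each target
    category still below its target tier, largest gap first. A category absent
    from the current profile counts as Tier 1 (partial, an assumption here);
    identifiers outside the core are rejected so a typo cannot hide a gap."""
    unknown = (set(current) | set(target)) - CATEGORIES
    if unknown:
        raise ValueError(f"not in the CSF core: {sorted(unknown)}")
    rows = []
    for cat, want in target.items():
        have, want = tier_level(current.get(cat, "partial")), tier_level(want)
        if have < want:
            rows.append((cat, have, want, want - have))
    return sorted(rows, key=lambda r: (-r[3], r[0]))

def progress(baseline, current, target):
    """Share (0.0..1.0) of the tier steps between the baseline profile and
    the target profile that the current profile has already closed."""
    total = sum(r[3] for r in gap_report(baseline, target))
    left = sum(r[3] for r in gap_report(current, target))
    return 1.0 if total == 0 else (total - left) / total

if __name__ == "__main__":  # constructed sample profiles, not a real organization
    target = {"ID.AM": "repeatable", "PR.AC": "adaptive", "DE.CM": "repeatable"}
    baseline = {"ID.AM": "partial", "PR.AC": "partial"}
    current = {"ID.AM": "repeatable", "PR.AC": "risk-informed"}
    for row in gap_report(current, target):
        print("%-6s current=%d target=%d gap=%d" % row)
    print(f"progress toward target: {progress(baseline, current, target):.0%}")
```

The report lists only categories still short of their target tier, so a category the organization deliberately leaves at a lower tier simply does not appear in the target profile.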

Going into further details about CSF is beyond the scope of this book and the exam, but it is important to map out Cisco products and technologies that can be used in each relevant category for the framework, as shown in Table 3.

Table 3 Cisco Security Products and NIST CSF

| CSF Function | CSF Category | Cisco Products |
|---|---|---|
| Identify | Asset Management | ISE, NGFW, Stealthwatch |
| | Risk Assessment | Cognitive Threat Analytics, NGFW |
| Protect | Access Control | ISE, NGFW, Umbrella |
| | Data Security | All Cisco Security Products |
| | Maintenance | ISE with AnyConnect |
| | Protective Tech. | ISE, NGFW |
| Detect | Anomalies & Events | AMP, Stealthwatch, WSA/ESA, Umbrella, NGFW |
| | Continuous Monitoring | AMP, Stealthwatch, ESA, CTA, NGFW |
| Respond | Analysis | AMP, Stealthwatch, WSA, ESA, NGFW |
| | Mitigation | All Cisco Security Products |
