
CYBER SECURITY FRAMEWORKS

ISO 27000 - International Organization for Standardization

- ISO 27000 is the overview and vocabulary standard of the ISO 27000 family of information
security management standards
- ISO standards are subject to a systematic review at least every five years, at which they
are confirmed, revised or withdrawn

ISO 27001 (Certifiable Standard)

- Specifies the requirements for an Information Security Management System (ISMS); helps
organizations build a management framework for information security
- Covers controls ranging from the mundane (post-it notes left on desks) to backups
- Key objectives: (1) Confidentiality (2) Integrity (3) Availability
- Minimum baseline of information security controls that an information security program
shall address
- Not technology driven: it specifies what must be managed, not which products to use

Clause 4: Context of the organization
External and internal issues, needs and requirements of interested parties, and
the resulting scope of the ISMS
Clause 5: Leadership
Role of executives: management commitment, establishing the information security
policy, and assigning the roles and responsibilities the company needs to address
Clause 6: Planning
Establishment of information security objectives; identify risks and opportunities,
assess the likelihood and impact of each risk, define risk acceptance criteria
A Statement of Applicability (SoA) must be prepared to justify the inclusion or
exclusion of every Annex A control
Clause 7: Support
Details the support required to establish, implement, maintain and continually
improve an effective ISMS (resource requirements, competence of people,
awareness, communication, requirements for managing documented information)
"Documented information" replaces the older "documents and records" terminology
Clause 8: Operation
Requires the organization to plan, implement and control the processes needed to
meet its information security requirements
Operational planning and control
Results of information security risk assessments and risk treatments
Clause 9: Performance evaluation
The need to evaluate information security performance and the effectiveness of the ISMS
Determine what to monitor and measure, and the methods used, to ensure valid results
Focus: policies and procedures, the ISO standard, and legal, regulatory and
contractual obligations
Internal audits and management reviews must take place at planned intervals
Clause 10: Improvement
Handling of nonconformities and the related corrective actions to ensure they do
not recur; continual improvement of the ISMS
Annex A of ISO 27001:2013
References 114 generally accepted security controls within 14 domains
o Information Security Policies
o Organization of Information Security
o Human Resource Security
o Asset Management
o Access Control
o Cryptography
o Physical and Environmental Security
o Operations Security
o Communications Security
o System Acquisition, Development and Maintenance
o Supplier Relationships
o Information Security Incident Management
o Information Security Aspects of Business Continuity Management
o Compliance
Benefits: (1) Compliance (2) Marketing advantage (3) Decreasing costs (4)
Optimizing business processes

ISO 27002 (Guideline and Reference)

- Code of practice for the implementation of generally accepted information security
controls
- Detailed guidance on how to implement the controls listed in Annex A of ISO 27001

NIST - National Institute of Standards and Technology

- Non-regulatory agency (requires nothing itself; the framework provides guidance on what
companies should or should not have)
- The Cybersecurity Framework (CSF) is voluntary and builds on existing international standards
- Unique approach: grassroots campaign of public outreach and involvement (a series of public
meetings across the country invited stakeholders to contribute to the writing process)
- EY: 25 point response
- Intended audience: organizations of any size, in any sector, inside (and outside of) the
critical infrastructure
- Framework Basics
- Core
5 Functions; 22 Categories; 98 Subcategories (CSF version 1.0)
Identify
Protect
Detect
Respond
Recover
- Tiers
Degree to which an organization's cyber risk management practices exhibit the
characteristics defined in the framework
Tier 1: Partial (not formalized, limited awareness, ad hoc and reactive)
Tier 2: Risk Informed (practices approved by management but not established as
organization-wide policy)
Tier 3: Repeatable (formally approved and expressed as policy; an
organization-wide approach is already in place)
Tier 4: Adaptive (practices adapt based on lessons learned and the changing
environment; continuous advancement of people, process and technology)
- Profile
Alignment of the Core's Functions, Categories and Subcategories with the
organization's business requirements, risk tolerance and resources
Can be used to describe the current state ("Current Profile") or the desired target
state ("Target Profile") of specific cybersecurity activities; the gap between the two
drives the action plan

CYBER PROGRAM ASSESSMENT (CPA) Framework

- Used to assess the maturity of an information security management system
- Aligned with industry standards and regulations
- Security challenges, value proposition:
1. Identify high-value assets
2. Assess the maturity of current information security practices
3. Benchmark assessment findings against other companies and industries
4. Provide recommendations to address gaps that align with business goals and
needs

- Our approach:
- Level 1: Quick Health Check (drivers, strategy, governance & organization, reporting)
- Level 2: Holistic Security Program Assessment (covers all components of the CPA
framework)
- Level 3: Comprehensive Domain Assessment (deep dive into selected components of the
CPA framework, e.g. asset management, data protection)
- CPA Lifecycle
- Top-down plus bottom-up integrated risk assessment approach to identify the
organization's key risks and cybersecurity gaps
- Maturity Levels
- 1 Initial
Basic, ad hoc, undocumented, limited organizational support
- 2 Managed
Partial capability in place, with a combination of some tools and technologies
- 3 Defined
Defined capability in place, with significant technology and tools for some key
resources and people
- 4 Quantitatively Managed
Mature capabilities already in place, supported by considerably more advanced
technologies and measured with quantitative metrics
- 5 Optimized
Advanced technologies in place and the capability is continually improved
