CISSP Standards Selection – Bk1D2T6St4

Standards Selection

The main point in standards selection is to choose a recognized framework or a combination of parts of recognized frameworks to establish the baseline requirements. If a standard is recognized by regulators or security industry entities, that most likely means expert practitioners in the field developed the standards. The following sections cover some U.S. and internationally recognized frameworks.

Leading Security Frameworks
One approach to establishing a security control baseline is to start from an existing framework. Frameworks differ in whether they emphasize assurance, compliance, or risk management. In general, using a framework to establish the security baseline is appropriate for assessing and improving the organization’s ability to prevent, detect, and respond to cyber attacks. A few examples that can be used in government and private organizations are included here:

  • U.S. Department of Defense Instruction (DoDI): DoDI 8510.01, Risk Management Framework for DoD Information Technology (http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001_2014.pdf): This directive applies to DoD information systems and manages lifecycle cybersecurity risk to all DoD IT. The use of this framework assists DoD security professionals in establishing a baseline and tailoring security controls as they relate to the DoD mission.
  • U.S. National Institute of Standards and Technology Special Publications (NIST SP): (http://csrc.nist.gov/groups/SMA/fisma/framework.html) NIST develops cybersecurity standards, guidelines, tests, and metrics to protect federal information systems.
  • NIST SP 800-37 Risk Management Framework: Similar in structure to the DoD RMF, the special publications are more widely available and applicable to both public- and private-sector organizations. Federal government agencies outside of the DoD are subject to the FISMA framework, of which NIST SP 800-37 is a cornerstone directive.
  • U.S. National Security Agency Top Ten Cybersecurity Mitigation Strategies (https://apps.nsa.gov/iaarchive/library/ia-guidance/security-tips/nsas-top-ten-cybersecurity-mitigation-strategies.cfm): The NSA’s Top Ten Mitigation Strategies counter a broad range of exploitation techniques used by advanced persistent threat (APT) actors. The NSA’s mitigations set priorities for enterprise organizations and the measures required to prevent mission impact. The mitigations also build upon the NIST Cybersecurity Framework functions to manage cybersecurity risk and promote a defense-in-depth security posture. The mitigation strategies are ranked by effectiveness against known APT tactics and are updated to reflect new best practices as new adversary tactics emerge. The framework is applicable to organizations implementing a broader framework, such as the NIST RMF, that want to prioritize control effectiveness and mitigations based on risk (from the NSA’s perspective). While the guidance is most relevant to government and critical-infrastructure industry, it is useful to any organization attempting to rank-order risk mitigations.
  • UK 10 Steps to Cyber Security (https://www.ncsc.gov.uk/guidance/10-steps-cyber-security): The UK National Cyber Security Centre’s recommendations for protecting businesses against the majority of cyber attacks. This is an example of a government-published advice document that is meant to help organizations focus on the main threats in order to reduce the greatest amount of risk. This document is intended for UK organizations and is considered official. It is insufficient alone but is valuable in a portfolio of security controls that make up the baseline control set.
  • International Telecommunication Union – Telecommunication Standardization Sector (ITU-T) (https://www.itu.int/en/ITU-T/publications/Pages/recs.aspx): A specialized agency of the United Nations, it is made up of experts from around the world who develop international standards known as ITU-T Recommendations, which act as defining elements in the global infrastructure of information and communication technologies (ICTs). Standards are critical to the interoperability of ICTs; whether we exchange voice, video, or data messages, standards enable global communications by ensuring that countries’ ICT networks and devices speak the same language. International ICT standards avoid costly market battles over preferred technologies, and for companies from emerging markets they create a level playing field that provides access to new markets. They are an essential aid to developing countries in building their infrastructure and encouraging economic development, and through economies of scale they can reduce costs for all: manufacturers, operators, and consumers. No participating country is forced to follow the recommendations, although compliance with the standards is collectively beneficial. Recommendations are neither an implementation specification for systems nor a basis for appraising the conformance of implementations. The recommendations become mandatory when adopted as part of a national law by one of the participating nations. It is significant to note that ITU-T recommendations are freely available and have identical ISO counterparts.

Security Standards
As an organization approaches scoping and tailoring of security baselines, it may want to supplement or add compensating controls. Security standards or specific control sets are techniques established by expert groups that attempt to protect the cyber environment of a user or organization. There are many sources of security controls that an organization may evaluate and implement. Some examples are provided in the following list.
Another reason to use individual controls or standards, rather than a complete security framework, to build the baseline or add to it is the organizational mission or the specific product to be secured. In the case of an electronic health record or customer relationship management system, a more granular, hybrid approach to building a security baseline may be more appropriate than overlaying an existing security framework.
Although not an exhaustive list, here are major standards to be aware of:

  • U.S. National Institute of Standards and Technology Special Publications:
    • NIST SP 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations (https://csrc.nist.gov/publications/detail/sp/800-53): This is a catalog of security controls for all U.S. federal information systems except those related to national security (e.g., DoD). It is used by organizations to establish the baseline security controls, tailor security controls, and supplement security controls based on worst-case scenario planning and assessment of risk for the organization.
    • NIST SP 800-53A Rev 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final): Used as a complementary guide, it provides a set of procedures for conducting assessments of security controls and privacy controls employed within U.S. federal information systems and organizations. The assessment procedures, executed at various phases of the system development lifecycle, are consistent with the security and privacy controls in NIST SP 800-53, Revision 4. It is applicable to private-sector organizations too.
    • NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf): This assists U.S. federal government agencies in categorizing information and information systems. The guide’s objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. It can be used by private-sector organizations, although it is not required.
  • U.S. NIST Federal Information Processing Standards:
    • FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf): This provides a standard for categorizing U.S. federal information and information systems according to a government agency’s level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations, should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction. This is another directive primarily aimed at U.S. government agencies, but it can be applicable and useful for private-sector organizations.
    • FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf): An integral part of the NIST RMF, this standard emphasizes security throughout the development, implementation, and operation of information systems. FIPS 200 defines the 17 families of security controls that cover the confidentiality, integrity, and availability of U.S. federal information systems and the information processed, stored, and transmitted by those systems.
  • U.S. National Checklist Program (https://nvd.nist.gov/ncp/repository): The NCP is a repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. It is useful for organizations using SCAP tools: SCAP enables validated security products to automatically perform configuration checking using NCP checklists. Established by NIST and defined by NIST SP 800-70, the NCP is valuable in public and private organizations.
  • International Organization for Standardization:
    • ISO 27001: Information technology – Security techniques – Information security management systems – Requirements (https://www.iso.org/isoiec-27001-information-security.html): This specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size, or nature. It is applicable to global organizations independent of national jurisdiction and industry. For example, although not focused on HIPAA, the information security management system framework in ISO 27001 is relevant for use in U.S. healthcare organizations.
    • ISO 27002: Information technology – Security techniques – Code of practice for information security controls (https://www.iso.org/standard/54533.html): This gives guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s). The code of practice is designed to be used by organizations that intend to select controls within the process of implementing an Information Security Management System based on ISO 27001. It can also be tailored for organizations that want to implement commonly accepted information security controls and develop their own information security management guidelines, but as a modification of the ISO 27001 framework.
  • International Telecommunications Union-Telecommunications Standardization Sector:
    • Recommendations X.800–X.849 (https://www.itu.int/itu-t/recommendations/index.aspx?ser=X): The X.800 series of ITU-T Recommendations defines a security baseline against which network operators can assess their network and information security status in terms of readiness and ability to collaborate with other entities to counteract information security threats. This group of recommendations establishes guidelines for implementing system and network security with a focus on telecommunications networks. The security guidelines cover critical activities during the network lifecycle.
    • Recommendation X.1205 (https://www.itu.int/itu-t/recommendations/index.aspx?ser=X): Applicable to international government and private global corporations, the recommendation provides a definition for cybersecurity. It provides a taxonomy of the security threats from an organization point of view. Cybersecurity threats and vulnerabilities, including the most common hacker’s tools of the trade, are presented. Threats are discussed at various network layers. Various cybersecurity technologies that are available to remedy the threats are discussed, including routers, firewalls, antivirus protection, intrusion detection systems, intrusion protection systems, secure computing, and auditing and monitoring. It also covers network protection principles, such as defense in depth, and access management with application to cybersecurity. Risk management strategies and techniques are discussed, including the value of training and education in protecting the network. There are also examples for securing various networks included in the documentation.
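The FIPS 199 and FIPS 200 entries above describe categorizing a system by the impact of a loss of confidentiality, integrity, or availability. As an added worked example (not text or code from the study guide or from NIST), the script below applies the two rules those standards define: FIPS 199 writes the security category of an information type as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, with impact LOW, MODERATE, HIGH, or, for confidentiality of public information only, NOT APPLICABLE; a system takes the highest impact per objective over all information types it carries, and FIPS 200 sets the system's overall impact level to the highest of the three (the high-water mark). The information types and impact values in the sample are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added example, not part of the original text or of any NIST publication.
Information types and their impact values below are constructed.
"""
from dataclasses import dataclass

# Ordering of FIPS 199 impact values; N/A is permitted for confidentiality only.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def category(self):
        """Security category of this one information type, per objective."""
        return {obj: getattr(self, obj) for obj in OBJECTIVES}


def _validate(level, objective):
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError("N/A applies only to confidentiality (FIPS 199)")
    return level


def highest(levels):
    """Highest impact value in an iterable of impact strings."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def system_category(info_types):
    """Per objective, the highest impact of any information type on the system."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        obj: highest(_validate(getattr(it, obj), obj) for it in info_types)
        for obj in OBJECTIVES
    }


def high_water_mark(category):
    """FIPS 200: the system's overall impact level is the highest of the three
    objectives; a system whose only non-N/A values are LOW is a LOW-impact
    system, so N/A alone never lowers the result below LOW."""
    level = highest(category.values())
    return "LOW" if level == "N/A" else level


def format_sc(name, category):
    """Render a category in the FIPS 199 SC notation."""
    parts = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a public web site that also processes payroll and
# receives building alarm telemetry. Values are illustrative only.
SAMPLE_TYPES = [
    InformationType("public web content", "N/A", "MODERATE", "LOW"),
    InformationType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("building alarm telemetry", "LOW", "HIGH", "HIGH"),
]


def categorize_sample():
    """Return (system category dict, overall impact level) for SAMPLE_TYPES."""
    cat = system_category(SAMPLE_TYPES)
    return cat, high_water_mark(cat)


if __name__ == "__main__":
    for it in SAMPLE_TYPES:
        print(format_sc(it.name, it.category()))
    cat, hwm = categorize_sample()
    print(format_sc("system", cat))
    print("overall impact level (FIPS 200 high-water mark):", hwm)
```

Run stand-alone, the script prints each information type's SC, the system's SC (MODERATE confidentiality, HIGH integrity, HIGH availability) and the resulting HIGH overall impact level. The point a practitioner should take from it is that a single HIGH-impact information type, here the alarm telemetry, drives the whole system into the HIGH baseline, which is exactly why SP 800-60 mapping and system boundary decisions matter before controls are selected.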

The best approach is to use a combination of security frameworks and security standards to supplement or provide compensating controls. In this way, the organization can address real threats and vulnerabilities. The security professional is able to scope and tailor the security control program to adequately protect the organization with respect to the business imperative, regulatory requirements, and overall effectiveness. Throughout the process of selecting security frameworks and standards, it is important to address the use of all applicable controls.
ISO 27002 and NIST SP 800-53 provide foundational control standards for the industry worldwide. An illustration of the families of controls that constitute these standards is found in Figure 2.6. This side-by-side comparison demonstrates where the security standards share commonality and differ from each other. The fact that there are gaps underscores the need for the security professional to assess the organizational requirements and implement a comprehensive, properly scoped, and tailored asset protection program that will incorporate multiple sources of security standards.


Note: The scope of this domain is not to enumerate and evaluate all the control frameworks (or to recommend any one over the others). It is a requirement to be aware of recognized frameworks and how to evaluate their applicability and effectiveness for your organization. You will want to use evaluation criteria such as the following:

  • Sensitivity of assets to be protected
  • Industry requirements
  • Regulatory factors (jurisdiction)
  • Cost/benefit
  • Organizational controls versus system-specific focus

Other Examples of Security Control Frameworks
In addition to the various examples of standards that you can use to help build an entire security program, other special-purpose or focused frameworks exist to address threats and support resource alignment. While the NIST RMF or ISO 27001/2 frameworks can be effective, scoping and tailoring for business requirements may lead you to require a more specific set of baseline controls. Some good examples of such resources are described next.

Control Objectives for Information and Related Technology (COBIT)

COBIT is not a primary security framework, but it applies to overall IT risk management. COBIT does contain a body of controls applicable to security. The framework was developed as an IT governance tool by ISACA. The framework is meant to help organizations reduce IT risk, much like the other security frameworks discussed in this domain.

The Center for Internet Security Critical Security Controls for Effective Cyber Defense

Using actual threat intelligence and reports of cyber attacks, the CIS has created the Critical Security Controls. Organizations can use the controls to focus information protection resources, through scoping and tailoring, on the most common attack patterns. In addition to the threat intelligence, the controls are informed by feedback and contributions from leading security practitioners in government and industry. The CIS Critical Security Controls are a prioritized set of actions to protect an organization and its data from known cyber-attack vectors. The CIS framework attempts to focus on the highest actual risks. From the CIS website you can download the explanatory documentation for each control area listed next; each can be examined for specific, actionable, and effective specifications that an organization can prioritize, implement, and measure for high-payoff results.

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports
  10. Data Recovery Capability
  11. Secure Configurations for Network Devices
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Security Skills Assessment and Appropriate Training to Fill Gaps
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises
    Source: https://www.cisecurity.org/controls/

Security Content Automation Protocol

SCAP is an automated vulnerability management protocol that provides a structured way to measure a system’s compliance with policy. Organizations can use SCAP to automate the process of making sure systems are within configuration standards according to NIST SP 800-53. The SCAP content is informed by the National Vulnerability Database (NVD), authored by the U.S. government. SCAP is designed to perform initial measurement and continuous monitoring of security settings against the established set of security controls.
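To make concrete what "automated configuration checking against a checklist" means in the SCAP and NCP passages above, here is an added example (not SCAP content, not an NCP checklist, and not NIST or study-guide code). A SCAP tool evaluates XCCDF rules, backed by OVAL tests, against a host and records a result per rule; the miniature below does the same for an OpenSSH server configuration. Each rule names an sshd_config directive, the value the benchmark requires, and the value sshd assumes when the directive is absent (the defaults used are OpenSSH's documented ones). The rule identifiers, the rule set, and the sshd_config text are all constructed for this example.

```python
"""Checklist-driven configuration check, in the spirit of SCAP.

Added example; not SCAP content, an NCP checklist, or NIST code. Rule ids,
rules and the sample sshd_config below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str                   # checklist identifier (constructed)
    directive: str                 # sshd_config keyword (case-insensitive)
    expected: str                  # value the benchmark requires
    default: Optional[str] = None  # sshd's built-in default, if it has one


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the first occurrence of each keyword.

    sshd honours the first value it reads for a keyword and ignores later
    ones, so the parser keeps the first as well. Comment and blank lines are
    skipped; Match blocks are not modelled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(rules, settings):
    """Return [(rule_id, result, actual)] with result 'pass', 'fail' or
    'notchecked' (three of the XCCDF result values). 'notchecked' is recorded
    when the directive is absent and the rule gives no default to fall back on,
    so the effective value cannot be determined from the file alone."""
    results = []
    for rule in rules:
        actual = settings.get(rule.directive.lower(), rule.default)
        if actual is None:
            results.append((rule.rule_id, "notchecked", None))
        elif actual.lower() == rule.expected.lower():
            results.append((rule.rule_id, "pass", actual))
        else:
            results.append((rule.rule_id, "fail", actual))
    return results


def score(results):
    """(rules passed, rules actually checked), the inputs to a compliance percentage."""
    checked = [r for r in results if r[1] != "notchecked"]
    return sum(1 for r in checked if r[1] == "pass"), len(checked)


# Constructed benchmark. Defaults are OpenSSH's documented sshd_config defaults.
RULES = [
    Rule("ex-sshd-001", "PermitRootLogin", "no", default="prohibit-password"),
    Rule("ex-sshd-002", "PasswordAuthentication", "no", default="yes"),
    Rule("ex-sshd-003", "X11Forwarding", "no", default="no"),
    Rule("ex-sshd-004", "MaxAuthTries", "4", default="6"),
    Rule("ex-sshd-005", "Banner", "/etc/issue.net"),  # no default: absent -> notchecked
]

# Constructed sample configuration, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
# duplicate keyword below: sshd keeps the first value, so this one is ignored
PermitRootLogin yes
"""


def check_sample():
    """Evaluate the constructed benchmark against the constructed config."""
    return evaluate(RULES, parse_sshd_config(SAMPLE_SSHD_CONFIG))


if __name__ == "__main__":
    results = check_sample()
    for rule_id, result, actual in results:
        print(f"{rule_id:12} {result:10} actual={actual!r}")
    passed, checked = score(results)
    print(f"{passed}/{checked} checked rules pass")
```

Two details carry over to real SCAP scanning. Absent directives must be judged against the software's default, not treated as compliant, which is why ex-sshd-004 fails even though MaxAuthTries never appears in the file; and a checker has to read the configuration the way the product does (first value wins for sshd), or the second PermitRootLogin line would produce a false failure.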

Cybersecurity Framework
In recent years, attention has been on asset management in organizations that operate critical infrastructures. Security attacks against organizations named in U.S. Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued on February 12, 2013, may put the nation’s security, economy, and public safety and health at risk. This type of risk is above and beyond financial and reputational risk. Among other directives, the executive order calls for the development of a voluntary risk-based Cybersecurity Framework (CSF). Developed by the NIST Computer Security Division (CSD) Computer Security Resource Center (CSRC) and made up of standards and guidelines from FISMA, the framework consists of controls found in various NIST SPs. These publications include FIPS 199, FIPS 200, and NIST SPs 800-53, 800-59, 800-60, 800-160, 800-137, and 800-18. Additional security guidance documents that support the project include NIST SPs 800-37, 800-39, 800-171, 800-171A, and 800-53A, and NIST Interagency Report 8011. Without question, the framework is a large compilation and combination of current industry standards and best practices provided by government and private-sector security experts. Helping to deliver the message that cybersecurity is not an IT problem (it is a business problem), the framework focuses on using business drivers to guide cybersecurity activities. The risks identified by a security risk analysis are made part of the entire organizational risk management approach. The CSF was published in January 2017. It is to be customized to the mission and purpose of each organization. Additionally, each organization will have unique risks, threats, vulnerabilities, and risk tolerances. Prioritization of control implementation will have to shape how the framework is utilized.
There are some critical concepts to know about the CSF. The CSF is a voluntary framework. An organization conducts a self-assessment against its selected implementation tier to determine its current state. A tool that can help complete these actions is available at https://www.nist.gov/cyberframework/csf-reference-tool.
The Framework Core is based on cybersecurity activities, desired outcomes, and references that are applicable to a broad range of industries. The Core consists of five functions: Identify, Protect, Detect, Respond, and Recover. These functions are further broken down into 22 categories, ultimately identifying 98 outcomes and security controls. The framework is segmented into framework implementation tiers that describe the organization’s risk tolerance. The tiers also categorize whether the organization is reactive to security or more proactive. The tier an organization positions itself within will be relative to its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Tiers can be designed as categories and subcategories.
The other categorization is against a framework profile. The profile comes from the results of the tier categorizations. The profile is the alignment of standards, guidelines, and practices with the Framework Core in a particular implementation scenario. To improve the profile, the organization can set a target profile based on the current profile. The current state of the CSF has been an evolution from the original intention of improving critical cyber infrastructure to uniting the cybersecurity industry and other stakeholders in a collaborative, engaged model. The CSF is already in version 1.1, with more revisions projected. The process is improving the way organizations can assess their cybersecurity infrastructure in relevant and cost-effective ways. Refer to https://www.nist.gov/cyberframework/framework for additional information.
The common theme is that there are many good security frameworks. They all have advantages and disadvantages. Each can be customized to solve specific information security problems. The choice of cybersecurity frameworks depends on the particular variables present in an organization, such as cost, risk tolerance, mission, and legal and regulatory factors. The security practitioner must be able to evaluate the frameworks against organizational requirements and implement the solutions that drive the level of asset security desired.