Many organizations adopt security control frameworks that help organize controls into logical groupings and ensure coverage of all security objectives. Commonly used frameworks include the Control Objectives for Information Technology (COBIT), ISO 27001, and the security guidelines published by the National Institute for Standards and Technology.
- [Instructor] Security professionals have a wide variety of responsibilities and typically oversee the design, implementation, and management of many different controls that protect confidentiality, integrity, and availability. It's important to make sure that these controls provide adequate levels of protection and cover many different risks. It's quite a challenge to build a comprehensive security program. Fortunately, security professionals in an organization don't have to start with a blank piece of paper when they design security programs.
They can use security control frameworks to help ensure that they're covering all the bases and building controls that protect the organization against many foreseeable risks. There are many different control frameworks covering information security. Let's take a look at a few of the most common ones. The Control Objectives for Information Technology, or COBIT, is a security control framework developed by the Information Systems Audit and Control Association. This framework is very often used by auditors and has a strong focus on linking business goals with the functions of information security.
As you can see here, the COBIT standard is a detailed document. It covers five different principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. It also contains implementation guidance to help organizations that are trying to implement the COBIT framework in their enterprise. The International Organization for Standardization also publishes a control framework for information security.
The full title of that standard is Information technology - Security techniques - Information security management systems - Requirements, but most people know it by its designation, ISO 27001. This is a very commonly used standard, as many organizations follow ISO standards for a wide variety of business functions. Government agencies and contractors have a standard all their own. The National Institute for Standards and Technology, NIST, publishes a document called the Security and Privacy Controls for Federal Information Systems and Organizations.
It's known as NIST Special Publication 800-53, or more commonly, just NIST 800-53. While this standard is mandatory for federal government agencies, many other organizations use this standard as well. Let's take a look at the detailed contents of NIST Special Publication 800-53. It contains over 400 pages of information about building a security program for government agencies and other organizations.
If we take a quick look at the table of contents, you'll see that after an introduction, it goes through the fundamentals of information security, talking about multitiered risk management, security control structures, baselines, and designations, the use of external service providers, and how to assess assurance and trustworthiness for information systems. It then goes into the process of implementing security and privacy controls, talking about selecting an appropriate security control baseline and then tailoring that baseline to the specific needs of an organization, creating overlays and documenting the control selection process for both new development and legacy systems.
Security control frameworks play an important role in information security. While most organizations don't follow them letter-for-letter, these frameworks do provide a useful tool for designing the appropriate controls for any organization.