Cyber security standards and Controls
by Erlan Bakiev, Ph.D.
Cybersecurity standards
• Cybersecurity standards are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization.
• This environment includes:
  • users themselves
  • networks
  • devices
  • all software
  • processes
  • information in storage or transit
  • applications
  • services
  • systems that can be connected directly or indirectly to networks
Cybersecurity standards cont.
• The principal objective:
  • to reduce the risks
  • including prevention or mitigation of cyber-attacks.
• These published materials consist of collections of:
  • tools
  • policies
  • security concepts
  • security safeguards
  • guidelines
  • risk management approaches
  • actions
  • training
  • best practices
  • assurance and technologies
What is a Cyber Security Framework?
• Cyber security frameworks are sets of documents describing guidelines, standards, and best practices designed for cyber security risk management. The frameworks exist to reduce an organization's exposure to weaknesses and vulnerabilities that hackers and other cyber criminals may exploit.
NIST Cybersecurity Framework (NIST CSF)
• The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• It provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.
• It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
ISO/IEC 27001 and 27002
• ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
• Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.
• ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.
ISO/IEC 27001 and 27002 Cont.
• ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard.
• The latest version of BS 7799 is BS 7799-3.
• ISO/IEC 27002 is a high-level guide to cybersecurity.
• It is most beneficial as explanatory guidance for the management of an organization seeking certification to the ISO/IEC 27001 standard.
• The certification, once obtained, lasts three years.
• Depending on the auditing organization, no or some intermediate audits may be carried out during the three years.
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) is a global framework for any organization that processes, stores, or transmits cardholder information. Launched in 2004 by the major credit card companies American Express, Discover, JCB, MasterCard, and VISA, the framework aims to keep cardholder information safe and reduce fraud.
• To do this, PCI DSS outlines four compliance levels, depending on the organization's transactions per annum, and 12 required steps that meet security best practices.
HIPAA
• HIPAA provides a cybersecurity framework for patients' protected health information (PHI).
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation for healthcare compliance. An act of the US Congress created by lawyers and lawmakers, HIPAA applies to "covered entities," including health providers, health plans and insurance companies, and health clearinghouses. Although there is no official certification, HIPAA compliance is enforced by the US Department of Health and Human Services' Office for Civil Rights (OCR).
SOX
• The Sarbanes-Oxley IT General Controls (SOX ITGC) are a subset of the broader Sarbanes-Oxley Act and set financial reporting requirements for all companies preparing for an initial public offering (IPO) or publicly traded companies across all industries.
• SOX ITGC attests to the integrity of the data and processes of internal financial reporting controls, including applications, operating systems, databases, and the supporting IT infrastructure. Controls in this framework encompass access to programs and data, program changes, computer operations, and program development.
GDPR
• The General Data Protection Regulation (GDPR) is a framework passed by the European Union (EU) to protect the data privacy and security of its citizens. Enacted in 2016, the GDPR impacts all organizations that collect and process the data of EU citizens, regardless of where the company is located.
Security controls
• Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Classification of Security controls
• According to the time that they act, relative to a security incident:
  • Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
  • During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
  • After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.
Classification of Security controls Cont.
• According to their nature:
  • Physical controls, e.g. fences, doors, locks and fire extinguishers;
  • Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
  • Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
  • Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
International information security standards
• ISO/IEC 27001 specifies 114 controls in 14 groups:
  • A.5: Information security policies
  • A.6: How information security is organized
  • A.7: Human resources security - controls that are applied before, during, or after employment
  • A.8: Asset management
  • A.9: Access controls and managing user access
  • A.10: Cryptographic technology
  • A.11: Physical security of the organization's sites and equipment
  • A.12: Operational security
  • A.13: Secure communications and data transfer
  • A.14: Secure acquisition, development, and support of information systems
  • A.15: Security for suppliers and third parties
  • A.16: Incident management
  • A.17: Business continuity/disaster recovery (to the extent that it affects information security)
  • A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws
U.S. Federal Government information security standards
• Control families from NIST Special Publication SP 800-53 revision 4:
  • AC: Access Control
  • AT: Awareness and Training
  • AU: Audit and Accountability
  • CA: Security Assessment and Authorization (historical abbreviation)
  • CM: Configuration Management
  • CP: Contingency Planning
  • IA: Identification and Authentication
  • IR: Incident Response
  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical and Environmental Protection
  • PL: Planning
  • PS: Personnel Security
  • RA: Risk Assessment
  • SA: System and Services Acquisition
  • SC: System and Communications Protection
  • SI: System and Information Integrity
  • PM: Program Management
Standards & Framework.ppt
Thank you