Cybersecurity Frameworks
Ed Moore
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology
What is a Cybersecurity Framework?
Types of Cybersecurity Frameworks
Implementation
Examples
What is a Cybersecurity Framework
A cyber security framework is a set of policies and procedures that are defined by leading cybersecurity organisations to enhance cybersecurity strategies in other enterprise environments
Most cyber security frameworks comprise a system of standards, guidelines and best practices to manage risks that arise in the digital world
Some frameworks target specific industries while others are more generic
Frameworks are designed to give security managers a reliable, systematic way to mitigate cyber risk no matter how complex the environment is
In some industries cyber security frameworks are mandatory, whereas in others they may only be strongly encouraged
Confidentiality, Integrity & Availability (CIA)
Confidentiality
Measures designed to prevent sensitive information from reaching the wrong people
Integrity
Maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle
Availability
Ensure the data is accessible to those who should be able to access it when they need it
Types of frameworks
Control frameworks
A control framework is a framework that organises an organisation’s internal controls. It covers:
Identifying baseline controls
Assessing the state of technical capabilities
Prioritising the implementation of controls
Developing an initial roadmap for the security team
Program frameworks
A program framework is a framework used to strengthen and secure the overall security of a system. It includes:
Assessing the overall security of a program
Building a comprehensive security program
Measuring maturity and conducting industry comparisons
Simplifying (quantifying) communications with business leaders
Risk Frameworks
A risk framework is a framework used by organisations to assess and control risks within the business. It helps organisations prioritise security activities so that they are more cost- and time-effective. It includes:
Defining key process steps for assessing and managing risk
Structuring the risk management program
Identifying, measuring and quantifying risk
Prioritising risk activities
Implementation
Benefits
Common Language
Adaptable
Collaboration Opportunities
Ability to Demonstrate Due Care
Easily Maintain Compliance
Secure Supply Chain
Cost Efficiency
Tiers (the implementation tiers defined by the NIST Cybersecurity Framework, CSF)
Tier 1 (Partial): organizations at Tier 1 have an ad-hoc and reactive cybersecurity posture. They have little awareness of organizational risk, and any plans that are implemented are often carried out inconsistently.
Tier 2 (Risk Informed): these organizations may be approving cybersecurity measures, but implementation is still piecemeal. They are aware of risks, have plans and have the proper resources to protect themselves, but have not yet reached a proactive point.
Tier 3 (Repeatable): the organization has implemented CSF standards company-wide and is able to respond to crises repeatedly. Policy is consistently applied, and employees are informed of risks.
Tier 4 (Adaptive): this tier indicates total adoption of the CSF. Adaptive organizations are not just prepared to respond to threats; they proactively detect threats and predict issues based on current trends and their IT architecture.
Defense in depth
Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart the attack.
Also referred to as the “castle approach”
Improves the ability to detect and prevent attacks
The concept is to “harden” a company’s network
Attackers lose momentum over time as each layer slows them down
Provides IT professionals time to detect and respond to an active attack
Approaches to security management
Top-down
Starts at the top and is pushed down to employees by management
People with responsibility for protecting assets (senior management) drive the program
Senior management ensures funding and resources are in place and enforces rules and policies
Ideal way to implement a security policy
Bottom-up
Staff members (often a security or IT team) develop a security program without proper management support or direction
Responsibility for the security program is handed to the IT department only
Far less effective
Frameworks
Essential Eight
Released by the Australian Signals Directorate (ASD) to be a baseline to secure an organisation against the most basic forms of attack
It is suggested that by implementing the “Essential Eight”, a company should be able to prevent 85% of attacks (most of which rely on these basic techniques).
The eight tips provided in this framework are:
Application whitelisting
Patching applications
Configure Microsoft Office macro settings
User application hardening
Restrict administrative privileges
Patch operating systems
Daily backups
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that target any company that handles payment card transactions
This standard is applied to any company (regardless of size) that accepts, transmits or stores any cardholder information
As with many other certifications, compliance must be validated by an external assessor
Merchants get put into “levels” based on the number of transactions they process annually
Level   Description
1       Merchants processing over 6 million card transactions per year.
2       Merchants processing 1 to 6 million transactions per year.
3       Merchants processing 20,000 to 1 million transactions per year.
4       Merchants handling fewer than 20,000 transactions per year.
PCI DSS - Requirements
Install and maintain a firewall to protect cardholder information
Change vendor supplied defaults for system passwords
Encryption of stored credit card information (data at rest)
Encryption of credit card information in transit
Regular anti-virus updates
Development and maintenance of secure systems
Restriction of access to information (“Need to know”)
Reviews of access to system components
Restricting physical access to data
Detailed logging mechanisms
Testing the security of systems
Maintaining an information security policy
Information Security Manual
The information security manual is a document released by the Australian Signals Directorate
The manual focuses on minimising risk from threats and protecting information and assets
It discusses different attack vectors such as:
Social engineering against high-ranking employees (CTO, CEO, etc.)
Physical security of assets
Personnel security
Communications infrastructure
Mobile device management
Software development
Database security
NIST
The NIST Cybersecurity Framework is a voluntary framework published by the US National Institute of Standards and Technology (NIST) outlining best practices for managing cybersecurity-related risk.
It is designed to provide resilience for critical infrastructure and other services critical to national security.
It can also be applied to other industries to provide a high level of protection
RACGP
The Royal Australian College of General Practitioners has released a set of standards and guidelines to guide organisations storing sensitive medical data
It focuses on identifying the risks associated with the storage of medical data
It also provides some similar guidelines to the NIST framework with regards to business continuity
ISO27001
A standard produced by the International Organization for Standardization (ISO)
Focuses on risk management and security policy
Main sections are:
Risk assessment
Security policy
Organisation of information security
Asset management
Physical and environmental management
Access control
Incident management
Business continuity
Compliance
CobiT
COBIT stands for Control Objectives for Information and Related Technology
The framework was created by ISACA (Information Systems Audit and Control Association), a world-recognised IT governance body
ISACA currently has more than 110,000 qualification holders worldwide
COBIT 4.1 is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks
The framework outlines a set of generic processes for the management and governance of IT systems.
COSO
The COSO framework was designed by a group of five organisations specialising in auditing and accounting
It is a joint initiative of the five private sector organisations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence
The five components work to support the achievement of an entity’s mission, strategies and related business objectives.
The components work together to establish the foundation for internal control. The various risks facing the company are identified and assessed routinely. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously and problems are addressed in a timely manner.
ITIL
Information Technology Infrastructure Library (ITIL) is a set of processes for aligning IT services with the needs of the business
It is a series of five books that outline the various processes and stages of the IT service lifecycle.
Helps businesses with the following tasks:
Manage risk
Strengthen customer relations
Improve cost-effectiveness
Stabilise IT environments
Six Sigma
Six Sigma is a process-improvement methodology that aims to minimise the costs caused by poor quality
Originally designed by Mikel Harry at Motorola in the late 1970s
Sigma levels are related to the percentage yield (non-faulty products)
After implementing Six Sigma in other areas, Motorola saw:
“a 58% reduction in the cost of quality, a 40% reduction in errors, and a 60% reduction in the time it took to design a new product”
This concept works for manufacturing and other areas but not for IT.
Due to the huge number of transactions we see in IT, it demands a higher standard than six sigma (outlined by Pyzdek, 1999):
10,800,000 healthcare claims would be mishandled
18,900 U.S. savings bonds would be lost every month
54,000 checks would be lost each night by a single bank
Sigma level   Faults / million
1             691,462
2             308,538
3             66,807
4             6,210
5             233
6             3.4
7             0.019
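The faults-per-million figures in the table above are not arbitrary: they are the upper tail of the standard normal distribution once the conventional 1.5-sigma long-term process shift is assumed, which is why "six sigma" is quoted as 3.4 faults per million rather than the 0.002 a pure normal tail would give. The following Python script is an added illustration and is not part of the lecture: it recomputes the slide's table from that formula and inverts it to answer the slide's own question of what sigma level a high-volume IT process would actually demand. The 1.5-sigma shift, the function names and the transaction volume used at the bottom are assumptions made for the example, not figures from the slide.

```python
import math

# Assumed convention (not stated on the slide): long-term processes are modelled
# as drifting 1.5 sigma from their target, so "6 sigma" maps to P(Z > 4.5).
SIGMA_SHIFT = 1.5


def faults_per_million(sigma_level: float, shift: float = SIGMA_SHIFT) -> float:
    """Defects per million opportunities for a process at the given sigma level.

    Computes the standard-normal upper tail P(Z > sigma_level - shift) with the
    complementary error function, then scales it to one million opportunities.
    """
    z = sigma_level - shift
    upper_tail = 0.5 * math.erfc(z / math.sqrt(2))
    return upper_tail * 1_000_000


def sigma_table(levels=range(1, 8)) -> dict:
    """Reproduce the slide's sigma-level table, rounded the way the slide shows it."""
    table = {}
    for level in levels:
        dpmo = faults_per_million(level)
        if dpmo >= 10:
            table[level] = round(dpmo)          # whole faults per million
        elif dpmo >= 1:
            table[level] = round(dpmo, 1)       # e.g. 3.4 at six sigma
        else:
            table[level] = round(dpmo, 3)       # e.g. 0.019 at seven sigma
    return table


def sigma_level_for(target_faults_per_million: float, shift: float = SIGMA_SHIFT) -> float:
    """Invert faults_per_million by bisection: the sigma level a target error rate needs.

    faults_per_million() is strictly decreasing in the sigma level, so a simple
    bisection over [0, 20] converges to the level whose tail equals the target.
    """
    lo, hi = 0.0, 20.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if faults_per_million(mid, shift) > target_faults_per_million:
            lo = mid   # still too many faults: need a higher sigma level
        else:
            hi = mid
    return (lo + hi) / 2


def expected_faults(volume: int, sigma_level: float) -> float:
    """Expected number of mishandled items out of `volume` for a process at `sigma_level`."""
    return volume * faults_per_million(sigma_level) / 1_000_000


if __name__ == "__main__":
    for level, dpmo in sigma_table().items():
        print(f"{level} sigma: {dpmo} faults / million")

    # Constructed illustration of the slide's point: a bank clearing 10 million
    # cheques a night (assumed volume) still loses about 34 of them at six sigma,
    # and would need to run at a higher sigma level to lose at most one per night.
    nightly_volume = 10_000_000
    print(f"lost per night at 6 sigma: {expected_faults(nightly_volume, 6):.1f}")
    one_per_night = 1_000_000 / nightly_volume   # 0.1 faults per million
    print(f"sigma level for <= 1 lost per night: {sigma_level_for(one_per_night):.2f}")
```

Running the script prints the seven rows of the slide's table followed by the constructed cheque-clearing illustration; the inverse function is the useful part for an IT setting, because it turns a tolerable error count per night into the sigma level the process has to reach.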
CMMI
Capability Maturity Model Integration (CMMI) helps assess the quality and capability of businesses
Originally developed for the U.S. Department of Defense to assess its software contractors
CMMI best practices focus on what needs to be done to improve performance
Outlines five “maturity levels” that demonstrate a visible path for improvement