UNIT VII STUDY GUIDE: Security Standards
CIS 4101, Internet and Network Security

Course Learning Outcomes for Unit VII

Upon completion of this unit, students should be able to:

2. Explain risk management approaches that can prevent or eliminate threats arising from vulnerabilities.
   2.1 Identify International Organization for Standardization (ISO) standards.
3. Analyze the procedures utilized in the implementation of organizational information security management.
   3.1 Analyze and resolve security issues in networks and computer systems to secure an information technology (IT) infrastructure.

Course/Unit Learning Outcome    Learning Activity
2.1                             Unit Lesson; Chapter 13; Unit VII Assessment
3.1                             Unit Lesson; Chapter 13; Unit VII Assessment

Required Unit Resources

Chapter 13: Security Standards

Unit Lesson

Cybersecurity Standards and Frameworks

Since the first ransomware attack in 1989, cyber attacks have grown to more than 3 billion a year against individuals, businesses, and organizations (Graham, 2018). With the increase in cybercrime has come an increased focus on the security tactics, techniques, and procedures used to counter it. More security measures bring a need to ensure that those measures are fit for purpose and meet the standard required to counter the threats facing your organization (Chrisman, 2019). Security needs differ across business sectors and even between organizations in the same industry. So how do you decide whether your security measures are fit for purpose?

Make Your Cybersecurity Meet the Standard

Today it is essential to protect your organization's information if the organization is to function smoothly and successfully (Kumar, 2019). Adhering to a recognized set of standards helps ensure that you apply appropriate cybersecurity measures at the right level. Many cybersecurity standards are available, each addressing the protection of data, networks, and information technology (IT) systems (Sinha, 2020). A standard provides a set of reference points against which you can assess whether your organization is sufficiently protected against cyber threats. Cybersecurity standards generally set out a minimum level of security that you must achieve (Kumar, 2019); they define a baseline, and meeting that baseline does not by itself address every threat specific to your organization, so a standard should be supplemented by your own risk assessment.
Achieving such standards not only affords you protection from cybercriminals, but it also gives your clients, customers, staff, and others confidence that you take cybersecurity seriously and have acted to reduce the risk of a cyber attack. Cybersecurity standards can also help your organization meet its regulatory requirements. By adopting such standards and using them as the foundation for securing and managing your IT systems, your organization will be able to meet those requirements more easily (Perry, 2019). In recent years, the increase in cybercrime has not gone unnoticed by regulators across sectors and countries. Depending on the sector in which your organization operates, there are now more standards to meet to demonstrate your awareness of cyber threats and your ability to protect against them (Herberger, 2018).
Different Cybersecurity Standards and Bodies

Worldwide, there are around 250 different cybersecurity standards and frameworks covering various sectors, organizations, and practices (Wild, 2018). Here, we cover only a small selection of the more commonly used ones.

National Institute of Standards and Technology (NIST)

One of the primary references against which organizations measure their preparedness to defend against cyber attacks is provided by NIST. As the threats posed by hackers and cybercriminals increase, it is more important than ever for organizations to have an effective policy for managing cyber risk, and NIST standards and frameworks help achieve this (Hall, 2020). NIST publishes the Cybersecurity Framework (CSF), a voluntary framework that American private-sector organizations can use to assess their protection against cyber attack and to strengthen it where needed (Dodt, 2018). Separately from the CSF, NIST publishes freely available Special Publication (SP) series; the SP 800 series, which includes the SP 800-53 control catalog, underpins the security requirements for U.S. federal information systems and is widely adopted elsewhere as voluntary guidance. The main series are listed below.

● SP 500 – Information Technology
● SP 800 – Computer Security
● SP 1800 – Cybersecurity Practice Guides

Center for Internet Security (CIS)

CIS is a nonprofit organization set up in 2000 with two stated aims (RSI Security, 2020):
● Identify, develop, validate, promote, and sustain cyber defense best practices.
● Build, design, and lead communities to create an environment of trust within cyberspace.

CIS is headquartered in New York, and the organization brings together hundreds of IT security professionals from government agencies, corporations, academic institutions, and the military. It has established itself as one of the leading authorities in cybersecurity and an exemplar of best practice through two publications: the CIS Controls, a prioritized set of safeguards that an organization should implement, and the CIS Benchmarks, consensus configuration guides that specify, setting by setting, how a particular operating system, application, or cloud service should be hardened (RSI Security, 2020). The organizations listed below participate in CIS.
● ISC2 (International Information Systems Security Certification Consortium)
● AICPA (American Institute of Certified Public Accountants)
● IIA (Institute of Internal Auditors)
● SANS (SysAdmin, Audit, Network, and Security) Institute

British Standards Institution (BSI)

BSI is the United Kingdom's national standards body. It produces standards covering a wide range of products and services and also supplies certification and other standards-related services to businesses and organizations (Kidman, 2020). BSI became involved in information security standards in 1995, when it issued BS 7799; its second part was later adopted internationally as ISO/IEC 27001, which became one of the most widely used and internationally recognized standards for information security management.

International Organization for Standardization (ISO)

In conjunction with the International Electrotechnical Commission (IEC), ISO publishes ISO/IEC 27001, the standard that specifies the requirements for an information security management system (ISMS). Implementing the standard, and having that implementation certified by an accredited body, demonstrates that your organization is serious about the security of its information and customer data (Dawson, 2019).
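The CIS Benchmarks referred to in the CIS section above are the most concrete form a standard takes: a list of specific settings and the value each should have for a named product. The following Python script is an added example, not code from CIS, from the course text, or from any vendor, of how such a recommendation is checked in practice against a real configuration file. It reads an OpenSSH sshd_config, resolves the settings the way sshd does (the first value of a directive wins, an unset directive takes the daemon default, and anything after the first Match line applies only to matching connections), and reports PASS or FAIL per rule. The five rules, the default values, and the sample configuration are assumptions constructed for this example, modelled on common SSH hardening guidance rather than quoted from any particular CIS Benchmark.

```python
"""Benchmark-style configuration check for an OpenSSH server (added example,
not code from CIS or the course text). Rules, defaults, and the sample config
are assumptions modelled on common SSH hardening guidance, not quoted from any
particular CIS Benchmark."""
from __future__ import annotations

import re
from typing import Callable, Dict, List, Tuple

# Constructed sample sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first MaxAuthTries it sees; the second line is ignored
MaxAuthTries 10
MaxAuthTries 3
X11Forwarding no
# Directives in a Match block apply only to matching connections, so they
# must not be taken as the global value a benchmark check looks at
Match User backup
    PasswordAuthentication no
"""

# Values sshd uses when a directive is absent (assumed defaults for this
# example, matching current OpenSSH releases). sshd ignores case in names.
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "x11forwarding": "no",
    "loglevel": "INFO",
}

# Illustrative rules in "setting should be X" style: (name, expectation, check).
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("PermitRootLogin", "no", lambda v: v.lower() == "no"),
    ("PasswordAuthentication", "no", lambda v: v.lower() == "no"),
    ("MaxAuthTries", "4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    ("X11Forwarding", "no", lambda v: v.lower() == "no"),
    ("LogLevel", "INFO or VERBOSE", lambda v: v.upper() in ("INFO", "VERBOSE")),
]

# sshd accepts "Name value" and "Name=value"; split on the first of either.
_DIRECTIVE = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: comment lines skipped, first occurrence of a
    directive wins (as in sshd), parsing stops at the first Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _DIRECTIVE.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def evaluate(settings: Dict[str, str]) -> List[Tuple[str, str, str, bool]]:
    """Per rule: (setting, observed value, expected value, compliant?).
    An absent directive is judged on its default, not treated as a pass."""
    findings = []
    for name, expected, check in RULES:
        observed = settings.get(name.lower(), DEFAULTS.get(name.lower(), ""))
        findings.append((name, observed, expected, bool(check(observed))))
    return findings


def score(findings: List[Tuple[str, str, str, bool]]) -> Tuple[int, int]:
    """(compliant, total), the summary line of a benchmark report."""
    return sum(1 for f in findings if f[3]), len(findings)


def report(text: str) -> List[str]:
    """One PASS/FAIL line per rule for the given sshd_config text."""
    return [
        f"{'PASS' if ok else 'FAIL'} {name}: observed '{seen}', expected {want}"
        for name, seen, want, ok in evaluate(parse_sshd_config(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SSHD_CONFIG):
        print(line)
    print("%d/%d checks compliant" % score(evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG))))
```

The part that matters for an assessment is the parser rather than the rules. A checker that only greps the file for the expected string produces false passes in three ways that this one avoids: it misses the daemon default for a directive that is absent, it counts a later duplicate instead of the first value sshd actually uses, and it mistakes a conditional setting inside a Match block for the global one. Run against the constructed sample, the script reports two of five checks compliant.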
American Institute of Certified Public Accountants (AICPA): System and Organization Controls (SOC) 2

The AICPA developed System and Organization Controls (SOC) 2, an attestation standard designed to give assurance about the controls protecting customer data held in the cloud. As such, SOC 2 applies to almost every software as a service (SaaS) company and to any other company that stores its customers' data in the cloud. Prior to 2014, SOC 1, which covers controls relevant to a customer's financial reporting, was the report cloud vendors were usually asked for; SOC 2 now goes well beyond its predecessor (Moore, 2019). SOC 2 is effectively an audit of the organization's controls: it requires the organization to define policies and procedures for information security and to demonstrate that they are followed. Those controls are evaluated against the AICPA Trust Services Criteria, which cover security (always in scope), availability, processing integrity, confidentiality, and privacy. The outcome is a report issued by a licensed CPA firm rather than a certificate, and a Type 2 report covers the operation of the controls over a period rather than at a single point in time. Following SOC 2 ensures that an organization's information security measures address the particular requirements of cloud-based hosting.
As cloud solutions become more popular, SOC 2 compliance is becoming more widespread, taking in organizations from a wide range of sectors (Moore, 2019).

Internet Engineering Task Force (IETF)

The IETF is the organization that sets the standards for internet protocols, including the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. It operates as an organized activity of the Internet Society (ISOC), with architectural oversight from the Internet Architecture Board (IAB). IETF standards are published as RFCs (Requests for Comments). The IETF is open: it has no formal membership, and anyone may participate in its mailing lists and meetings. The standards it creates are voluntary and are not backed by any regulatory or government body; they are adopted because products need to interoperate. Its particular focus is on the TCP/IP suite of protocols. Work is organized into areas, including applications, internet, operations and management, routing, transport, and security, each divided into working groups (Banks, 2017).

North American Electric Reliability Corporation (NERC)

NERC develops reliability standards for the bulk power system of North America, infrastructure of such critical importance to society that its security is regulated. NERC's cybersecurity standards cover maintaining continuity of systems, network security, and administrative practices, as well as ensuring that security patches are installed promptly and correctly. NERC 1300, issued in 2005, was the draft that became the Critical Infrastructure Protection (CIP) standards, CIP-002 through CIP-009, which are mandatory for the entities NERC regulates and are continuously reassessed for relevance and effectiveness against an ever-developing cybersecurity threat (Dawson, 2019).

Industry-Specific Standards

In addition to the general standards and frameworks outlined above, there are various industry-specific standards and regulations, including those listed below.
● PCI DSS (Payment Card Industry Data Security Standard), for organizations that store, process, or transmit payment card data
● HIPAA (Health Insurance Portability and Accountability Act), the U.S. law whose Security Rule sets safeguards for protected health information
● HISO Health Information Security Framework (New Zealand)
● GDPR (the European Union's General Data Protection Regulation)
● Individual national privacy acts

Adopting one of the general security standards and frameworks above may not make you fully compliant with a specific standard or regulation; however, doing so will move you toward compliance (Wild, 2018).

Conclusion

As the risk of cyber attacks continues to grow, so too will the security measures available to counter them (Graham, 2018). It is critical that your organization's cybersecurity is developed in a way that makes it effective and that it is set to the correct standard (Kumar, 2019). Adherence to the right set of standards will not only help secure your organization against cyber attack, but it will also assist you in achieving regulatory compliance (Perry, 2019). Ultimately, adherence to the correct set of cybersecurity standards will give your customers, staff, and stakeholders confidence in your ability to keep their data secure. There are a great many cybersecurity standards, covering various industry sectors and national requirements (Wild, 2018). Every organization has different cybersecurity needs, and this lesson should have given you a better idea of the standards to which yours should be adhering.