The Official (ISC)2 CISSP CBK Reference. Aaron Kraus

security programs.

      As of this writing, the most recent revision to ISO/IEC 27001 was in 2013, though its parent, ISO/IEC 27000, was revised in 2018. Annex A of ISO 27001:2013 lists 114 controls across 14 domains (control clauses A.5 through A.18), as follows:

       Information security policies

       Organization of information security

       Human resource security

       Asset management

       Access control

       Cryptography

       Physical and environmental security

       Operations security

       Communications security

       System acquisition, development, and maintenance

       Supplier relationships

       Information security incident management

       Information security aspects of business continuity management

       Compliance

      ISO/IEC 27002

      ISO/IEC 27002 (again, often referred to as just ISO 27002) is titled “Security Techniques — Code of practice for information security controls.” Where ISO 27001 states the requirements an ISMS must meet and lists the Annex A controls, ISO 27002 provides implementation guidance for each of those controls, so that organizations can select, implement, and manage them based on their own security risk profile. In other words, ISO 27002 is a bit more prescriptive than ISO 27001, as it provides best-practice recommendations for organizations to build and maintain their ISMSs.

      NIST 800-53

       Access control (AC)

       Awareness and training (AT)

       Audit and accountability (AU)

       Security assessment and authorization (CA)

       Configuration management (CM)

       Contingency planning (CP)

       Identification and authentication (IA)

       Incident response (IR)

       Maintenance (MA)

       Media protection (MP)

       Physical and environmental protection (PE)

       Planning (PL)

       Personnel security (PS)

       Risk assessment (RA)

       System and services acquisition (SA)

       System and communications protection (SC)

       System and information integrity (SI)

       Program management (PM)

      NOTE The latest revision of NIST 800-53, Rev. 5, was released in September 2020. The 18 families listed above are those of Rev. 4; Rev. 5 reorganizes the catalog into 20 families, renaming CA to Assessment, Authorization, and Monitoring and adding PII Processing and Transparency (PT) and Supply Chain Risk Management (SR).

      NIST Cybersecurity Framework

      The NIST Cybersecurity Framework (CSF), first published in 2014, is a collection of standards, guidelines, and best practices to manage cybersecurity risk. As of this writing, NIST CSF v1.1 is the current version and was released in 2018. NIST CSF was initially developed with a focus on industries considered “critical infrastructure” — industries such as banking, energy, and communications. It has since become a go-to controls framework for companies of all sizes and across all business sectors.

       FIGURE 1.2 NIST Cybersecurity Framework

      The five core functions within NIST CSF are intended to be performed simultaneously and continuously to form a culture of assessing and addressing cybersecurity risk. NIST defines the purpose of each of the five core functions as follows:

       Identify (ID): Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

       Protect (PR): Develop and implement appropriate safeguards to ensure delivery of critical services.

       Detect (DE): Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

       Respond (RS): Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

       Recover (RC): Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.

      CIS Critical Security Controls

      The CIS Critical Security Controls (or CIS Controls) is a publication of 20 best-practice guidelines for information security. The publication was initially created by the SANS Institute but was transferred to the Center for Internet Security (CIS) in 2015. Today, you may see these 20 critical controls labeled CIS CSC, CIS 20, SANS Top 20, or other variants.

      CIS Controls v7.1 was released in April 2019 and groups the controls into basic, foundational, and organizational tiers, which CIS recommends implementing in that order to mitigate the most common attacks against networks and systems. According to the Center for Internet Security, the 20 Critical Security Controls are as follows:

       CIS Control 1: Inventory and Control of Hardware Assets

       CIS Control 2: Inventory and Control of Software Assets

       CIS Control 3: Continuous Vulnerability Management

       CIS Control 4: Controlled Use of Administrative Privileges

       CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

       CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

       CIS Control 7: Email and Web Browser Protections

       CIS Control 8: Malware Defenses

       CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

       CIS Control 10: Data Recovery Capabilities
