
CySA+ domain #12: Frameworks, policies, controls and procedures

Introduction

An organization's policy is the set of best practices and guidelines that protect the business, its customers and its employees. Most often, the policy is built on best-practice frameworks established by well-known industry bodies, such as the Payment Card Industry Data Security Standard (PCI-DSS) and the National Institute of Standards and Technology (NIST). In many cases, organizational policy is also shaped by the external compliance obligations that regulators impose on the company.

In this article, we will delve into frameworks, policies, controls and procedures, as well as their relations with one another. CySA+ candidates must understand and grasp these topics to take and pass the CySA+ exam.

Regulatory compliance

Regulatory compliance is the process of implementing the security measures required by the laws, regulations and guidelines that apply to the organization, which in turn supports business continuity. Organizations must adhere to these requirements; noncompliant organizations may face legal penalties under laws such as the General Data Protection Regulation (GDPR).

Frameworks

A cybersecurity framework is a set of measures, practices and rules, developed with input from governmental institutions and industry, that helps organizations protect their IT environment by overseeing cybersecurity risks and vulnerabilities and by helping them understand and strengthen their management of those risks. Some objectives of a cybersecurity framework are to:

  • Define the current security posture
  • Define the target security posture
  • Support continuous improvement
  • Measure progress towards the target posture
  • Identify and communicate risks

From the CySA+ exam viewpoint, important frameworks include those from the National Institute of Standards and Technology (NIST) and the International Standard Organization (ISO), as well as the Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and related Technology (COBIT), the Information Technology Infrastructure Library (ITIL) and The Open Group Architecture Framework (TOGAF).

Policies

An organization’s information security policy is a set of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/1PZQSgNP4DI/