Security Frameworks – SY0-601 CompTIA Security+ : 5.2

The industry provides many options for determining best practices and frameworks for IT security. In this video, you’ll learn about the CIS CSC, NIST RMF, NIST CSF, ISO/IEC frameworks, SSAE SOC 2, and the CSA CCM.
If you’re just starting off in IT security, you may be wondering, where do you even begin with the process of securing an organization’s data, what are the best practices available, and what can you do today to start down the path of providing additional security? Fortunately, there are frameworks available that can provide you with some of this information. One of the challenges with this is that every organization is going to be just a little bit different. For example, your organization may have unique requirements for security. Based on the line of work you happen to be in, there may be compliance and regulations that you have to follow, and internally, there will be a completely different set of security policies and tools than you might see at a different organization.

Fortunately, there are many different security frameworks that you can use to help guide you down this particular path. These frameworks can help you understand the different security processes available, and they can help you understand what you need to do to follow those particular processes. Many of these frameworks can help you build security processes from scratch, or you can build on the processes that you already are using. If you need help in determining what tasks you should undertake and which of these projects should take priority, you might want to refer to some of these frameworks.

One framework you might want to consider is the Center for Internet Security, or CIS, Critical Security Controls for Effective Cyber Defense. We often refer to this simply as the CIS CSC. The CSC is designed to help you improve the security posture of your organization, and it is organized into critical security controls across 20 different areas. Another nice feature of this framework is that there are different recommendations depending on the size of the organization, because smaller organizations will have different requirements for security than large organizations.

One nice part about the CIS CSC is that it’s written by technologists so that it can be implemented by technologists. It contains practical information that you can apply to a project and begin implementing these controls in your environment. If you’re part of a United States Federal Government agency, then you are required to follow the NIST RMF. This is the National Institute of Standards and Technology Risk Management Framework, or RMF. If you are part of the federal government, or you’re handling data for the federal government, this is the framework you should follow to help with security and privacy.

This framework has six different steps to follow in the system lifecycle. The first step is to categorize or define the environment that you’re working in. The second is to select or pick appropriate controls for security and privacy. The third is to implement or define the proper implementation of these particular policies. The fourth is to determine if the policies you put in place are actually working properly, that is, the assess step. The fifth step is the authorize step, where you make a decision to authorize a particular system, and the sixth step is to constantly monitor to ensure that you are still in compliance. This is an extensive framework, and it’s available to download directly from NIST, the National Institute of Standards and Technology.

Another framework from NIST is the cybersecurity framework, or the CSF. This framework is designed for commercial implementations, which have a slightly different security posture than a federal government implementation. There are three major areas of the CSF. The first is the framework core. This includes identify, protect, detect, respond, and recover. The second area is the framework implementation tiers. This is the section where an organization will understand exactly what their approach will be to cybersecurity, and what tools and processes need to be in place to manage the risks that are identified. And the third area is the framework profile, where policies, guidelines, and standards are compared to the implementations that are based on the framework core. If you’re in a commercial environment and you’re implementing a high level view of cybersecurity, then you might want to consider the NIST CSF.

There are also security frameworks that can be applied at an international level. These come from the International Organization for Standardization and the International Electrotechnical Commission. The first framework is ISO/IEC 27001, which is a standard for Information Security Management Systems, or ISMS. Along with 27001 is 27002, which is a code of practice for information security controls. There’s also ISO/IEC 27701, which focuses on privacy, with the Privacy Information Management Systems, or PIMS. And on the risk management side is ISO 31000, the international standard for risk management practices. These are very detailed standards and have a very broad scope. So if you’re someone who needs to provide standardization on an international level, you may want to look at the ISO/IEC frameworks.

If your organization has undergone an audit, then you’re probably familiar with the SSAE SOC 2 types I and II. This is from the American Institute of Certified Public Accountants, or the AICPA. It’s an auditing standard called the Statement on Standards for Attestation Engagements number 18, or SSAE 18. During these audits, there’s a series of reports that are created, and the name for the suite of reports that are associated with trust services criteria, or security controls, is the SOC 2, that’s the System and Organization Controls number two. This audit focuses on topics that can include firewalls, intrusion prevention, or intrusion detection, or multi-factor authentication.

When performing these audits, you may receive a type I audit or a type II audit. A type I audit examines the controls in place at a particular date and time. If you need a broader perspective of security controls, then you may undergo a type II audit, which tests the controls over a period that will be at least six consecutive months in length. This is obviously a broad set of audits that cover a large number of security controls in your environment. We tend to see these types of audits in very large organizations, since smaller organizations don’t tend to have the same scope with their security controls.

And, of course, there’s a framework for cloud computing as well. This is from the Cloud Security Alliance, or CSA, which is a not-for-profit organization that focuses on security in the cloud. The CSA creates the Cloud Controls Matrix, or CCM, where they map controls to standards, best practices, and regulations that you need to follow in the cloud. This matrix covers a broad scope of security for cloud computing, including methodologies and tools that you can use, ways to assess your internal IT organization and the cloud providers that you’re going to use, how the security capabilities can be determined for a particular implementation, and how to build a roadmap so that you can continually improve the security of your cloud computing infrastructure.