***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-governance-risk-and-compliance/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Security Frameworks``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Security Frameworks](#a) <br/><br/>

- [Center for Internet Security](#b) <br/><br/>
    - [``CIS``](#b) <br/><br/>
        - [Critical Security Controls for Effective Cyber Defense](#b) <br/><br/>
            - [``CIS CSC``](#b) <br/><br/>
- [National Institute of Standards and Technology Risk Management Framework](#c) <br/><br/>
    - [``NIST RMF``](#c) <br/><br/>
        - [Categorise](#c) <br/><br/>
        - [Select](#c) <br/><br/>
        - [Implement](#c) <br/><br/>
        - [Assess](#c) <br/><br/>
        - [Authorise](#c) <br/><br/>
        - [Monitor](#c) <br/><br/>    
    - [``NIST CSF``](#d) <br/><br/>
        - [Framework Core](#d) <br/><br/>
        - [Framework Implementation Tiers](#d) <br/><br/>
        - [Framework Profile](#d) <br/><br/>    
- [ISO/IEC Frameworks](#e) <br/><br/>
- [SSAE SOC 2 Types I/II](#f) <br/><br/>
- [Cloud Security Alliance](#g) <br/><br/>
    - [``CSA``](#g) 
<hr width="50%">

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Security Frameworks
***

If you are wondering where to begin with the process of securing an organization’s data, what best practices are available, and what you can do today to start down the path of providing additional security, there are frameworks that can provide some of this information.

A challenge with this is that every organization is going to be a little bit different. For example, your organization may have unique security requirements based on the line of work you happen to be in, there may be compliance rules and regulations that you have to follow, and internally there will be a completely different set of security policies and tools than you might see at a different organization.

Fortunately, there are many different security frameworks that you can use to help guide you down this particular path. These frameworks can help you understand the different security processes available, and what you need to do to follow those processes. Many of these frameworks can help you build security processes from scratch, or you can build on the processes you already use. If you need help determining which tasks you should undertake and which of these projects should take priority, you might want to refer to some of these frameworks.

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Center for Internet Security - ``CIS`` -  Critical Security Controls for Effective Cyber Defense - ``CIS CSC``
***

A framework you might want to consider is the Center for Internet Security (``CIS``) Critical Security Controls for Effective Cyber Defense [ [``CSC``](https://www.cisecurity.org/controls) ].

This is often referred to simply as the ``CIS CSC``.

The ``CSC`` is designed to help you improve the security posture of your organization; its critical security controls are grouped into 20 different areas.

Another nice feature of this framework is there are different recommendations depending on the size of the organization, because smaller organizations will have different requirements for security than large organizations.

One nice part about the CIS CSC is that it’s written by technologists so that it can be implemented by technologists - this contains practical information that you can apply to a project and begin implementing these controls in your environment.

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### National Institute of Standards and Technology Risk Management Framework - ``NIST RMF``
***

If you are part of a United States Federal Government agency, you are required to follow the ``NIST RMF``, the National Institute of Standards and Technology Risk Management Framework [ [``RMF``](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf) ]. If you are part of the federal government, or you’re handling data for the federal government, this is the framework you should follow to help with security and privacy.

This framework has six different steps to follow in the system lifecycle:

> ``Categorise``

- Categorise or define the environment that you’re working in.

> ``Select``

- Pick appropriate controls for security and privacy. 

> ``Implement``

- Implement the selected controls and define how they are implemented.

> ``Assess`` 

- Determine if the controls are working.

> ``Authorise``

- Make a decision to authorise a system.

> ``Monitor``

- Check for ongoing compliance.

This is an extensive framework, and it’s available to download directly from ``NIST`` - the National Institute of Standards and Technology.

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### National Institute of Standards and Technology Cybersecurity Framework - ``NIST CSF``
***

Another framework from ``NIST`` is the Cybersecurity Framework [ [``CSF``](https://www.nist.gov/cyberframework) ] - this framework is designed for commercial implementations, which have a slightly different security posture than a federal government implementation.

There are three major areas of the ``CSF``:

> ``Framework Core`` 

- Includes identify, protect, detect, respond, and recover. 

> ``Framework Implementation Tiers`` 

- This is the section where an organization defines exactly what its approach to cybersecurity will be, and what tools and processes need to be in place to manage the risks that are identified.

> ``Framework Profile``

- The alignment of policies, guidelines, and standards is compared to the implementations that are based on the ``Framework Core``.

If you are in a commercial environment and implementing a high-level view of cybersecurity, then you might want to consider the ``NIST CSF``.

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### ISO/IEC Frameworks
***

There are also security frameworks that can be applied at an international level - these are from the International Organization for Standardization / International Electrotechnical Commission.

> ``ISO/IEC 27001``

- Is a standard for Information Security Management Systems (``ISMS``). 

> ``ISO/IEC 27002``

- Is a code of practice for information security controls.

> ``ISO/IEC 27701``

- Focuses on privacy, with the Privacy Information Management Systems (``PIMS``).

> ``ISO 31000``

- On the risk management side, ``ISO 31000`` is the international standard for risk management practices.

These are very detailed standards and have a very broad scope, so if you’re someone who needs to provide standardization on an international level, you may want to look at the ISO/IEC frameworks.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### ``SSAE SOC 2 Types I/II``
***

If your organization has undergone an audit, then you’re probably familiar with the ``SSAE SOC 2 Types I/II``.

This is from the American Institute of Certified Public Accountants (``AICPA``). It’s an auditing standard called the ``Statement on Standards for Attestation Engagements 18`` (``SSAE 18``). 

During these audits, a series of reports is created. The suite of reports associated with trust services criteria, or security controls, is the ``SOC 2``, that is, the ``System and Organization Controls 2``. This audit focuses on topics that can include firewalls, intrusion prevention or intrusion detection, and multi-factor authentication.

When performing these audits, you may receive a ``Type I`` audit or a ``Type II`` audit:

> Type I Audit

- Examines the controls in place at a particular date and time.

> Type II Audit

- If you need a broader perspective of your security controls, you may undergo a Type II audit, which tests the controls over a period of at least six consecutive months. This is obviously a broad set of audits that cover a large number of security controls in your environment. These audits are usually seen in very large organizations, since smaller organizations don’t tend to have the same scope with their security controls.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### Cloud Security Alliance - ``CSA``
***

There’s a framework for cloud computing as well - this is from the Cloud Security Alliance (``CSA``), which is a not for profit organization that focuses on security in the cloud. 

The ``CSA`` creates a Cloud Controls Matrix framework [ [``CCM``](https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/) ], where they map controls to standards, best practices, and regulations that you need to follow in the cloud. 

This matrix covers a broad scope of security for cloud computing including methodologies and tools that you can use, ways to assess your internal IT organization and the cloud providers that you’re going to use, how the security capabilities can be determined for a particular implementation, and how to build a roadmap so that you can continually improve the security for your cloud computing infrastructure.


***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END
