The Importance of Frameworks, Policies, Procedures, and Controls
Chapter 21
CompTIA CySA+ Cybersecurity Analyst (CS0-002) with Brent Chapman and Michael Solomon
Episode 21.01
Frameworks
Objective: 5.3 Explain the importance of frameworks, policies, procedures, and controls.
• Frameworks
- Risk-based
- Prescriptive
NIST
• NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems)
• Cyber Security Framework (CSF)
Security Guidelines
• NIST Special Publication 800-53
• AKA - Recommended Security Controls for Federal Information Systems
• Controls to be compliant with Federal Information Processing Standards (FIPS)
• FIPS is used in government or military data processing
NIST Special Publication 800-53
FIPS Controls
• Security Control Catalog (NIST 800-53, Appendix F)
• Management
• Operational
• Technical Safeguards
• Countermeasures to protect
• Confidentiality
• Integrity
• Availability
Cybersecurity Framework (CSF)
• Goals
• Flexible
• Scalable
• Repeatable
• Cost-effective
• Prioritization
Cybersecurity Framework (CSF)
• Framework core
• Common activities, outcomes, & references
• 5 functions, 22 categories, 98 subcategories
• Implementation tiers
• Categorize rigor and sophistication of cyber security practices
• Tiers 1-4
• 1 – Partial
• 2 – Risk Informed
• 3 – Repeatable
• 4 – Adaptive
Cyber Security Framework (CSF)
• Framework Profile
• State of an organization concerning CSF categories
• See where they are vs. where they can be
Framework Core
http://securityaffairs.co/wordpress/58163/laws-and-regulations/nist-cybersecurity-framework-2.html
Standardize Security Standards
• International Organization for Standardization (ISO)
• Largest developer of international standards
• Standards range from scientific, food technology, agriculture, space engineering, mining, etc.
• International Electrotechnical Commission (IEC)
• Standards for any electrical & electronic technologies
• ISO & IEC create global ISMS (Information Security Management System) standards
• ISO/IEC 27000-series
International Organization for Standardization (ISO)
• ISO/IEC 27000 Overview and vocabulary
• ISO/IEC 27001 ISMS requirements
• ISO/IEC 27002 Security management
• ISO/IEC 27003 ISMS implementation
• ISO/IEC 27004 ISMS measurement
• ISO/IEC 27005 Risk management
• ISO/IEC 27006 Certification requirements
• ISO/IEC 27007 ISMS auditing
• ISO/IEC 27008 Guidance for auditors
• ISO/IEC 27031 Business continuity
• ISO/IEC 27033 Network security
• ISO/IEC 27034 Application Security
• ISO/IEC 27035 Incident Management
• ISO/IEC 27037 Digital Evidence Collection and Preservation
• ISMS
• Responsible for security implementation across network
• ISO 27001 certification
• Available, but not required
• ISO 27000-series certification
• Assures adherence to industry standards
COBIT
• Control Objectives for Information and Related Technology (COBIT)
• Framework and controls
• Developed by ISACA (formerly Information Systems Audit and Control Association, now only known by its acronym)
• In collaboration with IT Governance Institute (ITGI)
• Defines control goals for IT & IS system management
Control Objectives for Information and Related Technology (COBIT)
http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
SABSA
• Strategic goals & tactical controls
• Chain of traceability through the goals
[Diagram: SABSA Lifecycle, Layers 1 to 6, with decreased abstraction and increased detail moving down the layers; labels shown: Policy, Strategic, Conceptual, Practical, Design, Implementation, Metric, Auditing]
SABSA
[Diagram: SABSA Layers 1 to 6]
https://en.wikipedia.org/wiki/Sherwood_Applied_Business_Security_Architecture
The Open Group Architecture Framework (TOGAF)
• Originated in Department of Defense
• Now run by The Open Group
• Standard for enterprise architecture
• Used by most Fortune 500 companies worldwide
TOGAF ADM (Architecture Development Method)
• ADM
• Iterative & cyclic
• Focus on requirements
• Allows technology architect to understand enterprise from four different views:
• Business Architecture
• Data Architecture
• Applications Architecture
• Technology Architecture
http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap05.html
ITIL
• Aligns IT services to reach business goals
• 5 core elements:
• ITIL Service Strategy
• ITIL Service Design
• ITIL Service Transition
• ITIL Service Operation
• ITIL Continual Process Improvement
http://media.cms.bmc.com/images/itil-processes.png
Episode 21.02
Policies and Procedures
Objective: 5.3 Explain the importance of frameworks, policies, procedures, and controls.
• Policies and procedures
- Code of conduct/ethics
- Acceptable use policy (AUP)
- Password policy
- Data ownership
- Data retention
- Account management
- Continuous monitoring
- Work product retention
Policies and Procedures
• Ethics and code of conduct
• Acceptable use policy (AUP)
• Password policy
• Data ownership
• Data retention
• Work product retention
Episode 21.03
Controls and Procedures
Objective: 5.3 Explain the importance of frameworks, policies, procedures, and controls.
• Control types
- Managerial
- Operational
- Technical
- Preventative
- Detective
- Responsive
- Corrective
Controls Overview
• Administrative
• Logical/technical
• Physical
• 3 types in each
• Preventative
• Detective
• Corrective
Controls
• Administrative
• Administered by management via policies or procedures
• Ex: requirements for accessing information system
• Logical/technical
• Software/hardware tools to restrict network or system access
• Ex: firewalls, ACLs, etc.
• Goal: maintain resources’ availability, integrity, & confidentiality
• Physical
• Deter or delay an attacker
• Ex: safes, locks, walls, etc.
Control Types
• Preventative
• Prevent incident from happening
• Detective
• Detect suspicious activity on the network
• Corrective
• Correct an identified vulnerability
Control Selection
• Organizationally Defined Parameters
• Internal
• External
• Governed by law or governmental regulations
Control Selection
• Selection Criteria
• Driven by risk assessment
• Confidentiality
• Integrity
• Availability of information resources
• Organization’s risk appetite
Procedures Overview
• Continuous monitoring
• Awareness of information security, vulnerability, threats, network trends
• Purpose: inform organizational risk decisions
• Evidence production
• Legal request for documents
• EDRM (Electronic Discovery Reference Model)
• Identification
• Preservation
• Collection
• Processing
• Review
• Analysis
• Production
• Presentation
EDRM Model
(Electronic Discovery Reference Model)
• Identification – Locating potential sources of ESI & determining its scope, breadth & depth.
• Preservation – Ensuring that ESI is protected against inappropriate alteration or destruction.
• Collection – Gathering ESI for further use in the e-discovery process (processing, review, etc.).
• Processing – Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.
• Review – Evaluating ESI for relevance & privilege.
• Analysis – Evaluating ESI for content & context, including key patterns, topics, people & discussion.
• Production – Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.
• Presentation – Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.
https://www.edrm.net/frameworks-and-standards/edrm-model/
Procedures Overview
• Continuous monitoring
• Evidence production
• Patching
• Identify and fix vulnerabilities
• Tasks:
• Identification
• Testing
• Application
• Validation
• Documentation
Procedures Overview
• Continuous monitoring
• Evidence production
• Patching
• Compensating control development
• Alternative control to substitute for control that’s too costly
• Control testing procedure
• Ensure the control won’t break the system
Procedures Overview
• Continuous monitoring
• Evidence production
• Patching
• Compensating control development
• Control testing procedures
• Exception management
• How to decide on compensating or technical controls
• Who granted the exception? Trace back for audit.
• Process for exception determination
Procedures Overview
• Continuous monitoring
• Evidence production
• Patching
• Compensating control development
• Control testing procedures
• Exception management
• Remediation plans
• Plan B
Episode 21.04
Verification
Objective: 5.3 Explain the importance of frameworks, policies, procedures, and controls.
• Audits and assessments
- Regulatory
- Compliance
Verification Overview
• Audits
• Assessments & evaluations
• Maturity models
• Certification
Audits
• Inspection of a system’s compliance to a policy
• External audit
• Conducted by independent 3rd party
• Guided by regulatory compliance requirements
• Internal audit
• Internal auditors should also be guided by regulatory compliance requirements
Audits
Evaluations & Assessments
• Vulnerability assessment
• Penetration test
• Red team assessment
• Risk assessment
• Threat modeling
• Tabletop exercises
Evaluations & Assessments
• Vulnerability assessment
• Gather exhaustive info on vulnerabilities
• Open vulnerabilities
• Remediated vulnerabilities
• Vulnerability trends on the network
• Penetration test
• Achieves a specific goal – get into the system, steal, or exfiltrate data
• Red team assessment
• Pen testing is a discrete part
• Red teaming is ongoing
• Actively probing & testing to reveal vulnerabilities
Evaluations & Assessments
• Vulnerability assessment
• Penetration test
• Red team assessment
• Risk assessment
• Acceptable risk level
• How to bring risk level down
• Threat modeling
• Determine attacker trends
• Make security changes accordingly
• Accurately informs about threats & how to place countermeasures
• Tabletop exercises
• Get senior & technical leaders involved
• Everyone knows their role in an emergency
Maturity Models
• Capability Maturity Model Integration (CMMI)
• Developed by Carnegie Mellon University to improve processes across an organization
https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration
Certification & Accreditation
• Certification
• Technical assessment of a component to assure it’s ready for a system
• Checked against internal standard, or outside regulatory requirement
• Accreditation
• Managerial assessment & acceptance of a component
• Verified against business model