Mile2 Cybersecurity Certifications

OCU C)ISSO D Discussion Lesson 05

    • #65766
      Jessica Jagerson
      Keymaster

      Choose 2 of the frameworks and discuss in more detail each of these. Use the text, video, and at least 1 additional reference to explain each of these.

    • #85166
      Marcena Davis
      Participant

      NIST Cybersecurity Framework
      ISO/IEC 27001:2013

      1. NIST Cybersecurity Framework
      The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive approach to managing cybersecurity risks. It is a risk-based framework that is used by organizations to identify, assess, and manage cybersecurity risks to their operations and assets. The framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover.

      The Identify function helps organizations to understand their assets, systems, data, and capabilities. This is important because it provides a foundation for developing an effective cybersecurity risk management strategy. The Protect function involves implementing safeguards to protect critical infrastructure and sensitive data. The Detect function focuses on identifying cyber threats and vulnerabilities to the organization. The Respond function outlines the procedures to be followed in the event of a cybersecurity incident. The Recover function involves restoring normal operations after a cybersecurity incident has occurred.

      You can learn more about the NIST Cybersecurity Framework by reading the official documentation available on the NIST website.

      2. ISO/IEC 27001:2013
      ISO/IEC 27001:2013 is a globally recognized information security management standard. It provides a systematic approach to managing information security risks. The standard provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

      The standard consists of 14 control categories and 35 control objectives. These categories and objectives are used to help organizations identify and implement appropriate controls to manage their information security risks. Some of the key control categories include Information Security Policies, Organization of Information Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, and Incident Management.

      ISO/IEC 27001:2013 is a comprehensive framework that provides a structured approach to managing information security risks. You can learn more about the standard by reading the official documentation available on the ISO website.

      Overall, both of these frameworks are widely recognized and used by organizations around the world to manage cybersecurity risks and protect their assets.

      Reference:
      “CISSO_Student_Workbook_v19_vol2.” Mile2.com, mile2.com/m2-courses/cisso/version-18/ebooks/volume2/index.html#p=41. Accessed 16 Apr. 2023.
      “OCU Information Systems Security Officer D.” Mile2 Cybersecurity Certifications, mile2.com/courses/ocu-information-systems-security-officer-d/lessons/cisso-lesson-06-operations-security/. Accessed 16 Apr. 2023.

      • #85213
        Kelly Crooks
        Participant

        Marcena, nice job on the framework discussion. It was interesting to me how many frameworks there are and which ones are used the most. Your reference to the NIST website was extremely helpful to me. It has great information on the framework as well as some history about the program. It helped me understand the NIST framework better.

        I also found the ISO website helpful. Thanks for sharing those references, especially for someone like me who isn’t that knowledgeable about frameworks.

      • #85385
        Kevin Mehok
        Participant

        Hello Class,

        I feel that we must first ask ourselves, “What specifically is a cybersecurity framework?” Frame in the IT realm can literally mean countless things. A cybersecurity framework provides a common language and establishes a clear set of standards for cybersecurity professionals (Cisternelli, 2023).

        The goal of such a framework is to reduce and mitigate cyber criminal activity. This week I have discovered seven different frameworks:

        1. NIST
        2. ISO27001 & ISO27002
        3. SOC2
        4. NERC-CIP
        5. HIPAA
        6. GDPR
        7. FISMA

        For the sake of this discussion, let’s pick only two to elaborate upon, shall we?

        First let’s discuss SOC2. Service Organization Control (SOC) Type 2 specifies more than 60 compliance requirements and extensive auditing processes for 3rd party systems and controls (Cisternelli, 2023).

        Secondly, let’s dive into NERC-CIP (North American Electric Reliability Corporation - Critical Infrastructure Protection): designed to assist folks in the utility and power sector reduce cyber risk and ensure reliability of bulk electric systems (Cisternelli, 2023). The framework consists of a range of controls, categorizing and prioritizing systems’ critical assets and having recovery plans in place in the event of a cyber attack (Cisternelli, 2023). This framework must implement several vulnerability assessments to stay informed.

        This is a super fun topic.

        God Bless,

        Kevin

        References:

        Cisternelli, E. (2023) 7 Cybersecurity Frameworks That Help Reduce Cyber Risk. BitSight; https://www.bitsight.com

    • #85175
      Kelly Crooks
      Participant

      The first framework I chose is the John Zachman Framework, a two-dimensional scheme identifying levels of architecture and interest. The Zachman Framework is an enterprise architecture ontology that uses a schema for organizing architectural artifacts. The Zachman Framework considers and synergizes both the artifact targets and particular issues being addressed.

      The John Zachman Framework was introduced in the 1980s by John Zachman. Zachman introduced six descriptive areas of focus. Data, function, network, people, time, and motivation were included. Zachman also proposed six perspectives, also known as players. They are planners, owners, designers, builders, subcontractors, and enterprises.

      Zachman developed his framework because he believed that systems were bringing about complex data that needed to be mapped in a clearer classification and interfaces. John Zachman Framework creates a “blueprint” of IT components across an enterprise.

      Reference: GmbH, L. I. X. (n.d.). The Zachman Framework – a definitive guide. LeanIX. http://www.leanix.net/en/wiki/ea/zachman-framework?

      The second framework is the SABSA or Sherwood Applied Business Security Architecture. The SABSA Framework focuses on a similar building block approach but is more related to the ESA concept. The SABSA focuses on contextual security architecture, conceptual security architecture, logical security architecture, physical security architecture, and component security architecture.

      The SABSA Framework is used for developing risk-driven enterprise information security and information assurance architecture. SABSA also aids in delivering security infrastructure solutions that support critical business initiatives.

      Key facts about SABSA are:
      SABSA is an open standard, generic, and vendor-neutral.
      SABSA is owned, governed, protected, and maintained by the SABSA Institute.
      SABSA’s framework is scalable and can be used by any industry or organization.
      SABSA was designed for the development of security architectures and solutions.
      SABSA integrates with TOGAF, ITIL, and COBIT, as well as other governance, compliance, and audit frameworks.

      Reference: What is SABSA? Orbus Software. Orbus 2021 Website. (n.d.). https://www.orbussoftware.com/solutions/governance-risk-and-compliance/sabsa/what-is-sabsa.
