Cyber Security Risk Management Frameworks
In a recent conversation with a colleague at Pluralsight we discussed what Cyber Security Risk Management Frameworks were in existence and what course coverage Pluralsight had.
Those frameworks that came to mind were (I am sure there are others):
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) Risk Management Framework is designed to comply with the USA Federal Information Security Management Act (FISMA). The Risk Management Framework is a United States federal government policy and standard to help secure information systems. The two main publications that cover the details of RMF are NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems", and NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations". Additionally, NIST Special Publication 800-37, developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation process into the six-step Risk Management Framework (RMF).
ISO 31000 Risk Management Framework
The ISO Risk Management Framework was published in 2009 by the International Organization for Standardization (ISO). This document contains principles and generic guidelines for risk management in the public, private and community sectors. ISO 27005 is the international standard that describes how to conduct an information security risk assessment in accordance with the requirements of ISO 27001.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
OCTAVE is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows an organization to identify the information assets that are important to the mission of the organization, the threats to those assets, and the vulnerabilities that may expose those assets to the threats. By putting together the information assets, threats, and vulnerabilities, the organization can begin to understand what information is at risk. With this understanding, the organization can design and implement a protection strategy to reduce the overall risk exposure of its information assets.
Center for Internet Security (CIS)
CIS Benchmarks and CIS Controls are consensus-based guides curated by security practitioners focused on performance, not profit. The Benchmarks are best practices for the secure configuration of a target system. Covering more than 140 technologies, CIS Benchmarks are developed through a unique consensus-based process comprising cybersecurity professionals and subject matter experts around the world. The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices.
NCSC's Cyber Essentials
Cyber Essentials is a UK government information assurance scheme operated by the National Cyber Security Centre (NCSC) that encourages organisations to adopt good practice in information security. It includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.
COBIT (Control Objectives for Information and Related Technologies)
COBIT is a framework created by ISACA for information technology (IT) management and IT governance. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary maturity model.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
Sherwood Applied Business Security Architecture (SABSA)
SABSA is a framework and methodology for enterprise security architecture and service management. It is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the business requirements for security, especially those in which security has an enabling function through which new business opportunities can be developed and exploited.
Information Risk Assessment Methodology 2 (with thanks to Danny Lynch, PWC, for highlighting this framework)
Information Risk Assessment Methodology 2 (IRAM2) was created by ISF and has been designed to help organisations better understand and manage their information risks.
Associated Pluralsight courses:
Some of the Pluralsight courses that cover implementing and preparing for such Risk Management Frameworks include:
Security Controls and Control Frameworks by Kevin Henry
Information Security Manager: Information Risk Management by Bobby Rogers
IT Governance Implementation Fundamentals by Frederico Aranha
Implementing NIST’s Risk Management Framework (RMF) by Bobby Rogers
Preparing to Manage Security and Privacy Risk with NIST’s Risk Management Framework (RMF) by Bobby Rogers
Implementing and Performing Risk Management with ISO/IEC 27005:2018 by Taylor Jones
Implementing and Performing Risk Management with ISACA’s Risk IT Framework by Bobby Rogers
PCI DSS: The Big Picture by John Elliot
Senior Director, Customer Engagement Management, at Intel 471 (5 years ago)
Common methods of enterprise risk management as it relates to aviation highlighted by William Dixon as presented in the World Economic Forum's joint white paper with Willis Tower Watson. The full article can be found at https://www.weforum.org/whitepapers/advancing-cyber-resilience-in-aviation-an-industry-analysis/
Helping organisations with their cybersecurity risk (5 years ago)
Kevin Williams, good overview of risk assessment frameworks. How about IRAM2 from ISF?
Global Account Manager (5 years ago)
Thanks Kevin. Great share.
Senior Director, Customer Engagement Management, at Intel 471 (5 years ago)
Hot off the press today: we have just created a new skill path for our six Payment Card Industry Data Security Standard (PCI DSS) courses by our author John Elliott. This includes his Play by Play presentation on "Defending Against JavaScript Keylogger Attacks on Payment Card Information", alongside Troy Hunt, where they discuss one of the most common attack methodologies used to steal payment card data and how to defend against it. My thanks to all our contributing authors Kevin Henry CISSP, CISA, CRISC, Bobby E Rogers, Frederico Aranha and Taylor Jones for sharing their wealth of knowledge and experience.
British Army Officer (5 years ago)
Very helpful guide, thanks for sharing. I'm a big fan of the NCSC material. It is full of sensible advice for small and medium-sized companies.