World of Cybersecurity, Audit & Privacy Frameworks & Standards (30+ covered)
Over the years, I have worked on multiple frameworks & standards covering audit, privacy & cyber security. I recently refreshed my personal knowledge base & reviewed all of them again to see their applicability in the current environment & latest coverage.
Most of us would have followed multiple standards in our professional careers & may have personal favorites. Each of these standards brings value in its unique way & helps us build mature systems.
I hope every cybersecurity, audit & privacy professional will find them useful.
FIRST (Forum of Incident Response and Security Teams) - CSIRT Services Framework
The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide. The framework is developed by recognized experts from the FIRST community with strong support from the Task Force CSIRT (TF-CSIRT) Community, and the International Telecommunications Union (ITU).
FIRST (Forum of Incident Response and Security Teams) - Product Security Incident Response Team (PSIRT)
A Product Security Incident Response Team (PSIRT) is an entity within an organization which, at its core, focuses on the identification, assessment and disposition of the risks associated with security vulnerabilities within the products, including offerings, solutions, components and/or services which an organization produces and/or sells.
MITRE's ATT&CK framework
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
RE&CT Framework
The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques. RE&CT's philosophy is based on the MITRE's ATT&CK framework.
RE&CT Navigator: https://atc-project.github.io/atc-react/
Open Software Supply Chain Attack Reference (OSC&R)
OSC&R is a MITRE-like framework designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains. It aims to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.
The Microsoft Security Adoption Framework (SAF)
The SAF provides guidance for organizations through end-to-end security modernization across a 'hybrid of everything' multi-cloud and multi-platform technical estate. The SAF is similar to the Cloud Adoption Framework (CAF) and the Well-Architected Framework (WAF) in that it includes both public guidance and Microsoft Unified workshops in which Microsoft experts help customers plan and execute security modernization.
SAF incorporates current guidance for strategy and program modernization (CISO Workshop) and end to end technical architectures (Microsoft Cybersecurity Reference Architectures or MCRA), driving business scenarios/outcomes, as well as some new elements related to security capability adoption planning, and more.
Secure Controls Framework / Common Controls Framework
The SCF is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.
CISA - Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management
The Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management provides a consistent naming methodology for component attributes, a format for identifying and providing information about the different types of components, and guidance on what HBOM information is appropriate depending on the purpose for which the HBOM will be used.
SLSA - Supply-chain Levels for Software Artifacts
It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.
SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.
CIS Critical Security Controls
CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.
NIST Cybersecurity Framework 2.0
The Framework has been used widely to reduce cybersecurity risks since its initial publication in 2014. Many organizations have told NIST that CSF 1.1 remains an effective framework for addressing cybersecurity risks. There is also widespread agreement that changes are warranted to address current and future cybersecurity challenges and to make it easier for organizations to use the Framework. NIST is working with the community to ensure that CSF 2.0 is effective for the future while fulfilling the CSF’s original goals and objectives.
NIST SP 800-30 - Guide for Conducting Risk Assessments
It provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
NIST SP 800-37 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
It describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels.
NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations
It provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
NIST SP 800-53A - Assessing Security and Privacy Controls in Information Systems and Organizations
It provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5.
NIST SP 800-53B - Control Baselines for Information Systems and Organizations
It provides security and privacy control baselines for the Federal Government. There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.
NIST SP 800-61 - Computer Security Incident Handling Guide
It assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
NIST SP 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. It integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.
HITRUST CSF
The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks – including ISO, NIST, PCI, HIPAA, and GDPR – to ensure a comprehensive set of security and privacy controls. HITRUST continually incorporates additional authoritative sources as they are released and accepted in industry and global sectors. The HITRUST CSF standardizes these requirements across authoritative sources to provide clarity and consistency and reduce the burden of compliance.
CSA - Cloud Controls Matrix (CCM)
It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.
MobSF: Mobile Security Framework
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing both static and dynamic analysis. Its automated features make it a valuable asset for identifying vulnerabilities in Android applications and their APIs, helping to fortify the security of mobile software.
OWASP MASVS (Mobile Application Security Verification Standard)
The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.
OWASP Mobile Application Security Testing Guide (MASTG)
The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
OSWAR - Open Standard Web3 Attack Reference
OSWAR (Open Standard Web3 Attack Reference) is a comprehensive framework that identifies, categorizes, and mitigates Web3-related attacks and vulnerabilities. Inspired by the MITRE ATT&CK framework, OSWAR provides a structured, comprehensive, and actionable understanding of attacker behaviors, techniques, and vulnerabilities related to decentralized systems like blockchain platforms and decentralized applications (dApps).
Download: https://github.com/CyVers-AI/oswar
Cyber Underground General Intelligence Requirements (CU-GIRs)
The Cyber Underground General Intelligence Requirements framework (CU-GIR) is a baseline tool to assist in organizing, prioritizing, producing and measuring production of cyber underground intelligence. Central to this framework are General Intelligence Requirements (GIRs) — a compilation of frequently asked questions applicable to the cyber underground (i.e., illicit forums, instant messaging channels, marketplaces, products, services and adversaries). Each GIR includes a definition and the essential elements of information (EEIs) needed to answer the basic questions who, what, when, where, why and how. This will allow practitioners to ingest the GIRs directly into their organizations’ intelligence platforms and supercharge their threat intelligence programs. The open source release of the CU-GIR framework is in JavaScript Object Notation (JSON) Structured Threat Information Expression (STIX) version 2.1 format.
ISO/IEC 27001:2022
It is a globally recognized standard for information security management systems (ISMS), setting the criteria these systems must fulfill. This standard offers comprehensive guidance for businesses of all sizes and across various sectors on establishing, implementing, maintaining, and consistently enhancing their information security management system.
ISO 31000:2018
It is an international standard that provides principles and guidelines for risk management. It outlines a comprehensive approach to identifying, analyzing, evaluating, treating, monitoring and communicating risks across an organization.
ISO 22301:2019 - Security and resilience
It is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.
COBIT
Control Objectives for Information and Related Technologies (COBIT) is a framework designed for IT governance. It assists businesses in adopting, overseeing, and enhancing best practices in IT management. Developed by ISACA, COBIT serves to connect technical challenges, business risks, and control needs.
Katakri
Created by Finland’s National Security Authority, Katakri is designed to ensure that the target organization maintains sufficient security measures, in order to prevent the exposure of classified information from an authority in all settings where that information is processed.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for managing credit card information from major card issuers. Overseen by the Payment Card Industry Security Standards Council (PCI SSC), this standard is required by card brands. Its purpose is to enhance the management of cardholder data and minimize credit card fraud. Compliance with this standard is verified either annually or quarterly.
Singapore - AI Verify Framework
Launched by the Infocomm Media Development Authority (IMDA) – a statutory board under the Singapore Ministry of Communications and Information, and the PDPC, AI Verify is an AI governance testing framework and toolkit. By using AI Verify, organizations are able to use a combination of technical tests and process-based checks to conduct a voluntary self-assessment of their AI systems. The system, in turn, helps companies attempt to objectively and verifiably demonstrate to stakeholders that their AI systems have been implemented in a responsible and trustworthy manner.
The launch of the AI Verify Foundation will support the development and use of AI Verify to address the risks of AI. AI Verify is an AI governance testing framework and software toolkit, first developed by IMDA in consultation with companies from different sectors and of different scales. The Foundation will help to foster an open-source community that contributes to AI testing frameworks, the code base, standards and best practices, and will create a neutral platform for open collaboration and idea-sharing on testing and governing AI.
Google SAIF - Secure AI Development and Use Framework
SAIF is inspired by the security best practices — like reviewing, testing and controlling the supply chain — that Google has applied to software development, while incorporating its understanding of security mega-trends and risks specific to AI systems. The Google SAIF (Secure AI Framework) is designed to provide a security framework, or ecosystem, for the development, use and protection of AI systems. Google has based SAIF on 10 years of experience in the development and use of AI in its own products. The company hopes that making its own AI experience public will lay the groundwork for secure AI, just as its BeyondCorp access model led to the zero trust principles that are industry standard today.
This ORIGINAL article is written by Prakash Padariya, Please provide credits if you use this article.
Started career in IT Security & enjoying every bit of it for 20+ years now.
Global CISO, Mentor, Investor, Board Advisor; Deep Interests in Cyber Security, Drones, CleanTech, AgriTech
All views are personal.
#Cybersecurity #Audit #Privacy #frameworks #Standards #2024 #CSIRT #PSIRT #MITRE #CISA #CIS #NIST #HITRUST #CSA #OWASP #ISO #PCIDSS #AI
Associate Director @ PwC | Naval Veteran | Risk Consulting | Cybersecurity | CISSP | CCSP | AWS SAA | MBA(ITSM) | ISO 27001 LA
9 months · Thank you for this great compilation Prakash Padariya