Pass your certification exam. Faster. Guaranteed.

Control Frameworks Transcription

Welcome to our security governance principles module on control frameworks. Frameworks are proven best practices that you can use to develop the security program in your organization. If your security program does not have a good model, it is similar to a house that does not have a good foundation and will not be beneficial for your organization.

Control frameworks are tools that you can use for your communications to your employees and your security management. You can use it to standardize your administrative, technical, and physical controls. It will allow you to take proven best practices and then apply them to your company in order to achieve your goals.

And it's important to remember that your security plan must always support your organization's mission. If your security plan makes it harder for your organization to achieve your mission, then it will most likely not be successful. There are several common frameworks that will help you develop your security policy.

The International Organization for Standardization, or ISO, and the International Electrotechnical Commission, or IEC, have come up with a joint standard for information security management known as the 27000-series. 27001 is an information security management requirements to provide governance, and 27002 define security controls that can be used to achieve your mission.

You should remember the difference between these two standards for the CISSP examination, noting that 27001 provides information about governance, and 27002 defines security controls. You also have the Committee of Sponsoring Organizations, or COSO. This model emphasizes financial risks and also focuses on fraud protection by implementing a system of financial checks and balances.

The IT Infrastructure Library, or ITIL, focuses on information technology services and service management, and it's basically a document that provides a framework for various types of service businesses and offers them some best practices. The PCIDSS, or the Payment Card Industry Data Security Standards, provides standards that must be followed for organizations that accept credit cards or other types of electronic payments.

The ISO 27001 specification provides us with an information security management system. This framework focuses on your organization's risks, threats, and vulnerabilities, and uses this information to develop security policies. In order to manage risks, it is suggested to implement security controls which are defined in the ISO 27002 standard.

This standard focuses on the fact that it is a management process which must include your upper level management to make sure that your security controls are implemented and verified to be working properly and protecting your information on an ongoing basis. It also describes an international certification process with external audits to establish mandatory policies and assign responsibilities to your employees.

And it is what is known as a plan, do, check, and then act model, which means that you're going to measure twice and cut once. This should help to avoid any complications that may arise by failing to plan properly. The ISO IEC 27002 standard defines 12 different security controls and their objectives.

These controls include risk assessment, human resources security, access controls, and business continuity management. The goal here is to implement policies, assign responsibilities, and describe procedures to provide layered protection for your information systems in order to avoid any security complications. The Committee of Sponsoring Organizations, or COSO model, is a corporate governance model which is designed to support your business leadership.

It provides a risk management framework that is primarily focused on financial issues and deterring fraud. This model includes internal financial controls and auditing to deter employees from engaging in unacceptable practices relating to finance. The COBIT model is a business model for information security. There are four main elements of this model, the organizational design and strategy, your people, your processes, and your technology.

This model provides dynamic interconnection factors between the elements such as governance, emergence, and architecture. And the control objectives here are for information technology, and they provide a focus on governance and operational goals and regulatory compliance. You should be familiar with the COBIT model for the CISSP examination, remembering that it has four main elements and dynamic interconnection factors.

The plan, do, check, act model is part of the COBIT framework, and it's designed to provide continuous improvement to your processes. During the planning phase, you will establish your information security management systems. You will then move on to the second phase, where you actually implement the system. During the check phase, you will monitor the system to make sure that it is meeting your expectations and functioning properly.

And during the act phase, you will then maintain your information security management system and implement any necessary improvements to ensure that your organization is safe from security risks. There are some additional frameworks that are often used in information security. The SABSA model, or the Sherwood Applied Business Security Architecture, is a lifecycle model which focuses on risks, and this is an open standard for information security infrastructure development.

The Capability Maturity Model, or CMMI, is designed for software developers and provides maturity or quality ratings for different pieces of software. The ITIL, or Information Technology Infrastructure Library, is generally used for IT service management. And the Six Sigma Model was developed for identifying manufacturing defects, but it can also be used to test the success of information security controls. This concludes the module. Thank you for watching.