Last updated on August 9, 2019
When cyber security professionals talk about related frameworks, the discussion always comes down to two: ISO and NIST. There is a lot of confusion between them, and also between frameworks and security architecture methodologies. Here is some discussion of those topics that I collected from online sources, which I believe, at certain points, clarified some of my confusion.
A Cyber Security Framework is a risk-based compilation of guidelines designed to help organizations assess current capabilities and draft a prioritized road map toward improved cyber security practices. (From Arnab Chattopadhaya's Enterprise Security Architecture)
Well Known Cyber Security Frameworks
• Sherwood Applied Business Security Architecture (SABSA)
• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• ISO/IEC 31000
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-39: Risk Management Framework
Figure: Essential security and risk concepts and their position in the TOGAF ADM (Source: TOGAF Security Guide)
Other standards / frameworks related to Cyber Security Frameworks
• Other Major IT Cyber Security Frameworks
SABSA is a proven methodology for developing business-driven, risk- and opportunity-focused Security Architectures at both the enterprise and solution level that traceably support business objectives. It is also widely used for Information Assurance Architectures and Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks.
SABSA is a ‘Through-Life’ method and framework: it applies throughout the entire lifecycle from Business Requirements Engineering to management of the solutions delivered.
SABSA certification is widely requested by employers globally and is a mandatory requirement for Security Architects and Enterprise Architects alike in numerous large-scale and national financial sector bodies. SABSA is also widely referenced in other security and IT certification programmes and throughout the tertiary academic world.
• Comprises six layers
• Based on the Zachman framework/taxonomy
• The Security Service Management Architecture is placed vertically across the other five layers
– Security management issues arise in every horizontal layer
• Each horizontal layer is made up of a series of vertical communication interrogatives
– What (Assets)
– Why (Motivation)
– How (Process and Technology)
– Who (People)
– Where (Location)
– When (Time)
• Strategy and Planning
• Manage and Measure
Reference: SABSA vs. TOGAF
How SABSA can be integrated with TOGAF
ISO27001 / ISO31000
How ISO 27001 Integrates with TOGAF
“ISO/IEC 27001:2013 is a standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.”
In January 2016, the TOGAF Security Guide was published. It addresses security and risk management at a conceptual level, which matches with the way that TOGAF defines architecture. This enables the integration of both processes in the architecture. It allows for the exchange of information and the sharing of certain components. Thus, enterprise architecture and security architecture can co-exist and collaborate.
The TOGAF Security Guide is based on an enterprise security architecture that includes two successful standards, namely ISO 27001 (security management) and ISO 31000 (risk management). In line with ISO 31000, the definition of risk is broad and is close to that of ‘uncertainty’. This means that risk can be positive or negative. The broad definition makes it possible to use it for (positive) business opportunities as well as (negative) security threats. The latter is, of course, the most common within IT-security.
ISO 31000:2009 sets out principles, a framework, and a process for the management of risk that are applicable to any type of organization in the public or private sector. It does not mandate a “one size fits all” approach, but rather emphasizes the fact that the management of risk must be tailored to the specific needs and structure of the particular organization. It has a related standard IEC 31010:2009 that describes examples of qualitative risk assessment methods.
PDCA – Plan, Do, Check, Act
Content Coverage Differences from NIST CSF
From a content perspective, NIST CSF < ISO 27002 < NIST 800-53 < Secure Controls Framework (from the Compliance Forge page – NIST 800-53 vs ISO 27002 vs NIST Cybersecurity Framework):
- NIST Cybersecurity Framework (NIST CSF) covers a lot, but it is not inclusive of all ISO 27002 controls.
- ISO 27002 addresses most of what you need to comply with NIST CSF and a few other requirements.
- NIST 800-53 includes what ISO 27002 addresses, as well as a whole host of other requirements.
The NIST Cybersecurity Framework (NIST CSF) aims to help organizations in critical infrastructure sectors reduce risk and protect their critical infrastructure. It groups security functions into five areas: Identify, Protect, Detect, Respond, and Recover.
The Framework defines four implementation tiers: partial (0), risk-informed (1), repeatable (2), and adaptive (3).
Differences from NIST 800 and Other Frameworks
While the Framework was written primarily by NIST, the same organization behind 800-53, there are several differences between them.
- The Framework is more high-level in its scope compared to existing frameworks like NIST 800-53. It focuses on how to assess and prioritize security functions, and references existing documents like NIST 800-53, COBIT 5, and ISO 27000 for more detail on how to implement specific controls and processes. This allows the Framework to be a much more concise document at 40 pages, as opposed to NIST 800-53's 460 pages.
- NIST 800-53 is a regulatory document, encompassing the processes and controls needed for a government-affiliated entity to comply with the FIPS 200 certification. In contrast, the Framework is voluntary for organizations and therefore allows more flexibility in its implementation.
NIST SP 800-61: Computer Security Incident Handling Guide – PDCP life cycle (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity)
“COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from Information Technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.”
The Information Technology Infrastructure Library (ITIL) is a customisable framework of best practices that promote quality computing services in the information technology (IT) sector. ITIL was originally created by a UK government agency, the Central Computer and Telecommunications Agency (CCTA), and is now adopted and used worldwide as a standard for best practice in provisioning IT services.
A component of ITIL—ITIL Security Management, based on ISO 17799—is of particular relevance to the application of the information security principles. The ITIL Security Management component is procedure based and includes ITIL standard processes such as service level, incident and change management processes. A key concept is that security should be perceived as a service and be incorporated into Service Level Agreements (SLAs).
The US Committee of Sponsoring Organizations (COSO) of the Treadway Commission published an internal control framework in 1994 which subsequently served as a basis for standards such as COBIT. Key concepts developed in this framework are prevalent in a number of contemporary risk management and corporate governance approaches. COSO requires that a formal risk assessment be performed to evaluate the internal and external factors that impact an organisation’s performance. The results of the risk assessment will determine the controls that need to be implemented. COSO focuses on financial controls but also has implications for functions like information security.
The Open Enterprise Security Architecture (O-ESA) standard, published by The Open Group in 2011, is a reference Security Architecture and guide to building a security program. While it contains useful information on information security governance, security principles, and the technology components and services needed in Security Architectures, this reference architecture can also be applied to support the implementation of security and risk in Enterprise Architectures using the TOGAF standard.
The Open Information Security Management Maturity Model (O-ISM3) standard, published by The Open Group in 2011, describes a process-based approach towards building and operating an Information Security Management System (ISMS). Successful operation of the ISMS is generally a prerequisite for Enterprise Architectures to meet the security objectives established by an organization. A chapter of the Security Architecture Practitioners Guide will be devoted to the relationship between Enterprise Architecture, the TOGAF standard, and ISMSs. The O-ISM3 standard defines security services as strategic, tactical, or operational processes, and provides a metrics-based approach to continuous improvement of the processes. Many of the services or processes described in the O-ISM3 standard are expected to be referenced in the Security Services Catalog Project as well.
The Open FAIR Body of Knowledge comprises the Risk Taxonomy (O-RT) Standard and the Risk Analysis (O-RA) Standard. These standards help organizations to better measure their information security and operational risks. The Open FAIR quantitative risk analysis approach is highly useful during threat assessments and helps to understand the impact of threat mitigation options during the ADM cycle. Open FAIR can be thought of as a tool or technique in analyzing risk throughout the TOGAF ADM.