Read the book (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide - Mike Chapple - Page 55

Security Control Frameworks

One of the first and most important security planning steps is to consider the overall security control framework or structure of the security solution desired by the organization. You can choose from several options in regard to security concept infrastructure; however, one of the more widely used security control frameworks is Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT:

 Provide Stakeholder Value

 Holistic Approach

 Dynamic Governance System

 Governance Distinct from Management

 Tailored to Enterprise Needs

 End-to-End Governance System

COBIT is used not only to plan the IT security of an organization but also as a guideline for auditors. COBIT is a widely recognized and respected security control framework.

Fortunately, COBIT is only modestly referenced on the exam, so further details are not necessary. However, if you have interest in this concept, please visit the ISACA website (www.isaca.org/cobit), or if you want a general overview, read the COBIT entry on Wikipedia.

There are many other standards and guidelines for IT security. Here are a few:

 NIST 800-53 Rev. 5, “Security and Privacy Controls for Information Systems and Organizations” (csrc.nist.gov/publications/detail/sp/800-53/rev-5/final), contains U.S. government–sourced general recommendations for organizational security.

 The Center for Internet Security (CIS) provides OS, application, and hardware security configuration guides at www.cisecurity.org/cis-benchmarks.

 NIST Risk Management Framework (RMF) (csrc.nist.gov/projects/risk-management/rmf-overview) establishes mandatory requirements for federal agencies. The RMF has six phases: Categorize, Select, Implement, Assess, Authorize, and Monitor.

 NIST Cybersecurity Framework (CSF) (www.nist.gov/cyberframework) is designed for critical infrastructure and commercial organizations, and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to be performed on an ongoing basis for the support and improvement of security over time.

 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 family group (www.itgovernanceusa.com/iso27000-family) is an international standard that can be the basis of implementing organizational security and related management practices.

 Information Technology Infrastructure Library (ITIL) (itlibrary.org), initially crafted by the British government, is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change. ITIL focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization. ITIL also covers operational processes and is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure.
