CompTIA CYSA+ CS0-002 – Frameworks, Policies, and Procedures Part 1

1. Frameworks, Policies, and Procedures (Introduction)

In this section of the course, we’re going to cover frameworks, policies and procedures. We’re going to be covering domain five in this section, specifically, Objective 5. 3. Now, Objective 5. 3 states that you must be able to explain the importance of frameworks, policies, procedures, and controls. Now, as we move through this section, we’re going to start out by describing the use of enterprise security architectures inside our organizations.

Then we’re going to move into prescriptive frameworks like COBIT and maturity models, as well as some risk based frameworks like the NIST Cybersecurity Framework. After that, we’re going to cover audits and assessments within cybersecurity, and we’ll describe the use of continuous monitoring. Finally, we’ll demonstrate how to use risk management within some real world scenarios as a form of a demonstration to help us tie together everything from this section. So let’s go ahead and get started with frameworks, policies and procedures.

2. Enterprise Security Architecture (OBJ 5.3)

Enterprise security architecture. In this lesson, we are going to talk about the importance of enterprise security architecture. Now, the concept of enterprise security architecture goes back to It governance and It service management. When we talk about It service management or Information Technology service management, we’re really focused on the idea of stakeholders picking out the right technologies, deploying those technologies, and optimize operating those technologies for the best benefit of the organization. Now, to successfully do It service management, we use framework based governance. Framework based governance is going to seek to mitigate the risks that are associated with It service delivery.

Now, when we talk about all of this, we’re really talking about enterprise service architecture. As I mentioned at the beginning of this lesson, enterprise Service Architecture, or ESA, is a framework for defining the baseline, the goals, and the methods that are used to secure the business from all of those different risks that could go against our organization. Now, these different frameworks that we can put in place under ESA can provide us with a lot of different things. For example, they can provide us with a list of policies and provide us with checklists of procedures. They can provide us with activities, and they can even tell us what technologies we should be using as part of the framework and the overall architecture.

Now, when we deal with frameworks, these frameworks are there to help provide an externally verifiable statement of regulatory compliance. This is really important, especially in some industries where regulatory compliance is essential. For example, if you take credit cards, you need to make sure you’re in compliance with PCI DSS. If you’re a health care provider, you need to make sure you’re following HIPAA. If you’re a financial company or a publicly traded company, you might be affected by Sarbanes Oxley. These are things you have to think about as you start thinking about the frameworks, because these frameworks are going to help us achieve that regulatory compliance to make sure we are meeting all the requirements that lawmakers have put on us.

Now, there are lots of different frameworks that are used in the industry. Now, you can choose any of them that you want for your organization. This really does depend on your organization and its It governance structure. This can include things like idle COBIT, TOGAF and ISO 20,000. All of these are different frameworks that fit into this idea of enterprise service architecture. Personally, I’m a big fan of the Idle framework and I teach a lot of courses on the Idle framework, but all of these are valid choices to consider. Now, for the exam, you don’t have to memorize all the details of each of these different frameworks, but learning a wellknown framework like Idle can provide you with more career opportunities as you go into management and executive levels within your organization.

3. Prescriptive Frameworks (OBJ 5.3)

Prescriptive frameworks. In the last lesson, we brought up the concept of a framework and how it fits inside the world of It governance and It service management. In this lesson, we’re going to focus specifically on prescriptive frameworks. Now, when I talk about a prescriptive framework, this is a framework that stipulates control, selection and deployment. This is something that is going to be mandatory. That’s why it is prescriptive. A lot of times you see prescriptive frameworks. They’re going to be driven by regulatory compliance. As I mentioned in the last lesson, if you’re a healthcare provider, you’re going to be focused on meeting the requirements for regulatory compliance of HIPAA, and therefore, you might want to use a prescriptive framework to help you meet that.

Now, there are lots of different frameworks out there, as I mentioned before. For instance, we have Idol and COBIT an ISO 27,001, which is an Information Security framework or PCI DSS. Now, all of these different frameworks could be chosen depending on what your needs are. And again, that’s going to go back to your It governance structure. Depending on which one you’re using. That’s going to have different requirements that you as a cybersecurity analysts are going to have to fill for the exam. You don’t need to know the specifics of that, but in the real world, if your company is using one of these frameworks, you want to start learning about it so you can make sure that you’re meeting the requirements of that framework inside of the prescriptive framework itself.

Now, inside of these frameworks, we often use what’s known as a maturity model. Now, a maturity model is a component of an enterprise security architecture framework that’s used to assess the formality and optimization of security, control, selection and usage, and it addresses any gaps that you may have. Essentially, we’re going to take our organization and we’re going to do a baseline to figure out where we are, and then we can place it onto this maturity model and say we’re a level 1234 or five organization. And if we want to get to a higher level, there are certain things we have to do. Now, when we start out with a maturity model, generally most organizations start at tier one, and this is a very reactive posture.

Now what we want to do is get out of this reactive mode where we’re not firefighting all the time. If you ever worked in a new company and they’re very immature, things are just happening and you’re reacting to them as they’re happening, you’re not ever getting ahead of the game. What we want to do is move ourselves from this reactive posture into a proactive posture. And as you go up the maturity model scale, you’ll get more and more proactive. One of the most common models looks something like this. This is a five tier approach, and we’re going to start at level one. Level one is our initial maturity. This is where we first start out, and this is where we are highly reactive in nature. Then as we get a little bit more mature, we become managed.

This is level two, and in level two, we’re going to prepare to mitigate through risk assessments to be able to figure out what risks are out there. And we could try to get ahead of the game at least a little bit. Once we get into level three, we start being defined. Now, this is where we have defined policies and procedures for lots of different things across our organization. But we’re still not perfect. We’re still reacting a lot of the time. When we get into level four, we’re starting to do quantitative management here. This is where we have management oversight of all of our risks. We’ve captured them in our risk register. We know that risks exist and we know what we’re going to do to fix those things. But again, there are still some things that pop up that we didn’t think of.

And so we’re still only a level four organization. Once we get to level five, this is where we’re optimizing. We are fully proactive at this point. We’re using risk driven approaches to figure out what type of risk exists and what we can do about them. We are completely being proactive here and trying to stop all risks that we can and mitigate them down to an acceptable level. Now, when you look at these maturity models, they’re going to help you review your organization against the expected goals for that level of organization that you want to meet. This will help you determine the level of risk that the organization is exposed to based on those goals. If you’re a level five, that means you’re exposed to less risk than if you’re a level one.

Now, does that mean that we all want to be level fives? Well, no, you may not need to be a level five organization. This again goes back to your It governance. What is our risk appetite that our shareholders and stakeholders have developed for us in terms of risk? In my organization, we usually aim for a level three or a level four. We don’t need to be fully proactive because the cost associated with doing that is so excessive that it doesn’t make sense for our business model. But if we’re at a level three or a level four, that’s good enough to be able to keep a lot of the risk down to a low enough level that we can accept the rest based on our risk appetite.

4. Risk-based Frameworks (OBJ 5.3)

Riskbased frameworks. Now, the other type of framework we have is what’s known as a riskbased framework. When we’re dealing with a prescriptive framework, like we talked about in the last lesson, this could actually make it more difficult for us because the framework can’t keep pace with continually evolving threat landscapes. Prescriptive frameworks tend to be very matter of fact and very checklist driven, and so we may start doing things to be able to meet those prescriptive frameworks that doesn’t really help us in the real world. Let me give you an example of this. You might have a prescriptive framework that says you need to have ongoing monitoring done through a seam. And you think, well, that’s a great thing, right? Jason and I would agree having a seam is a good thing.

But if we start putting everything into the seam, we can create a situation where the seam starts raising hundreds of alerts every day, and that can start overwhelming our analysts because a lot of those might be false positives. That would be a big issue for us. And if we’re only doing it to meet the prescriptive framework requirements and not doing it because we have a real risk that we’re trying to address with that theme, then we’re wasting our time. And so we want to be thinking about these things as we’re figuring out, is this going to be something we’re doing because we’re told to, because it’s prescriptive, or are we doing it based on a risk that really exists? Well, when we deal with a risk based framework, we are dealing with a framework that uses risk assessment to prioritize security, control, selection and investment.

So maybe having that seam is a good thing, maybe it’s not, but we’ll be able to make an intelligent decision and not do it just because we’re being told to. Now, all of this comes down to regulatory compliance, right? When we’re dealing with regulatory compliance, we are told things that we must do. So those things are going to be falling much more in the prescriptive category. If I’m running an organization and HIPAA says you must have a seam, then I better have a seam, right, because I need to be within the constraints of that law. But if I’m not barred into this regulatory compliance because I’m an organization that doesn’t fall into one of those categories, then it’s much better to use a risk based framework.

By using a risk based framework, this can allow businesses to develop their own way of doing things while minimizing risk. In my organization, we don’t have a lot of regulatory compliance requirements. The only ones we really have is PCI, DSS for our credit card payments. Everything else we can really do under a risk based framework. And that is what we do. We think about what risk exists and then we put mitigations in place based on the prioritization to help us meet our needs. Now, one of the best ways to do this is by using something known as the NIST Cybersecurity Framework. This is a relatively new framework that’s come out in the last couple of years. The NIST Cybersecurity Framework is a risk based framework that’s focused on It security, over, It service provisioning.

And this framework covers three core areas. There’s the framework core, the implementation tiers, and the framework profiles. Now, when we talk about the framework core, this is going to identify the five cybersecurity functions, which are identify, protect, Detect, respond, and Recover. And then for each of these five functions, they can then be divided into categories and subcategories. This makes up the core of the framework, and it gives you lots of different controls that you can pick from under these five categories. When we look at the implementation tiers, this is going to assess how closely those core functions, those five areas are integrated into the organization’s overall risk management process.

And for each of those tiers, they’re going to be categorized as partial, risk informed, repeatable, or adaptive. Now, if you’re partial, that’s low on the scale. If you’re adaptive, that’s very high on the scale. And so you want to try to get higher on the scale as you start getting more and more of this integrated into your organization and the way you do business. And then the final thing we’re going to look at is our framework profiles. These are used to supply statements of current cybersecurity outcomes and target cybersecurity outcomes to identify investments that will be the most productive in closing the gap in cybersecurity capabilities, shown by the comparison of the current and the target profiles.

Now, that is a lot of words to say this. Essentially, you want to look at your organization and you want to capture a baseline of where you are in terms of the framework. Right now, are you at a very high quality or low quality? Now, if you’re at a low quality and you want to get to a high quality, that is your target cybersecurity outcome. You want to be at this higher level. So what things need to do, you can identify those things based on the profiles, so you can then start adding those things over time and getting your organization to that higher level. That’s the idea here. And again, all of this is risk informed. This is a riskbased framework. When you’re dealing with the NIST cybersecurity framework.

• Category: Uncategorized