CISSP Training Series – Frameworks
Frameworks According to ISC2 CISSP Training
Welcome to our inaugural entry in our new CISSP training series of blogs. Domain 1 of the CISSP deals with security and risk management. As you may be aware, the CISSP exam outline contains the domains and associated domain objectives. A key objective of the first domain is objective 7 which covers frameworks. In this entry, I’m going to cover the frameworks discussed. I’m also limiting this coverage to the content covered in the official courseware as part of preparing for your CISSP exam.
You’ll also notice that I try to include links to source documentation where possible. Material referred to in these links is not required study material! You won’t be tested on anything that a particular framework states. The exam is based on the CISSP material, not on the references that CISSP uses. CISSP covers a lot as it is. Don’t add to your study time if you don’t have to!
Different Types of Frameworks
The official CISSP textbook addresses privacy, cybersecurity, risk, and security control frameworks. Frameworks guide organizations in adapting their operational systems to address information security needs. These needs can be mandated by external regulations or arise from internal factors and market conditions. As organizations navigate the system’s life cycle, from analyzing requirements to deploying systems, they face an evolving threat landscape. Amidst these continuous changes, organizations implement security measures to remain compliant with the relevant frameworks and requirements.
The bottom line is that frameworks serve as a starting point for data security (and privacy) requirements. They can also be used to assess the in-use system and its controls for compliance and security assessment purposes.
Privacy frameworks consist of a set of privacy principles, standards and/or guidelines. As with everything else when it comes to standards, there is a variety of privacy frameworks. Privacy frameworks are usually designed for a certain jurisdiction or industry.
As an example of a privacy framework, the CISSP text covers the Privacy Management Framework (PMF) by the AICPA. The only key element they highlight about the PMF is that it addresses the GDPR and the updated Trust Services Criteria (also by the AICPA).
A security framework is a “notional construct” (meaning something that can be used to draw from) outlining the organization’s approach to cybersecurity, including a list of specific security processes, policies, procedures and solutions that the organization can choose from.
The official courseware mentions that a cybersecurity professional (e.g. a CISSP) should have a working knowledge of the following cybersecurity frameworks:
ISO 27001
This certification is the global heavyweight when it comes to cybersecurity frameworks. If you’re American, you might think this statement is misguided, but if you check out the ISO survey, you’ll see the U.K. has roughly 3 times as many ISO 27001 certifications as the U.S.
ISO 27001 certification of an Information Security Management System (ISMS) is focused on governance and mainly on policies. ISO 27001 has a companion document labelled ISO 27002, which gives expanded guidance on the controls found in ISO 27001. ISO 27002 itself is not a certification.
NIST Risk Management Framework
Next up, we have the National Institute of Standards and Technology (NIST). Like ISO, NIST creates a myriad of documents. The two cybersecurity frameworks that work together are the NIST Risk Management Framework (RMF), labelled SP 800-37, and the controls catalog (SP 800-53). You can think of the relationship between the RMF and 800-53 much as the relationship between ISO 27001 and 27002.
Although NIST is pervasive throughout the U.S. Government, many large organizations use the NIST RMF as their cybersecurity framework. All NIST documentation is free of charge, but there is no certification available against the NIST RMF.
HITRUST
Often confused with HIPAA compliance (more on this later), the HITRUST Alliance is a private organization that has created a cybersecurity framework called the Common Security and Privacy Framework (HITRUST CSF) that works with other standards (such as HIPAA). The goal of the CSF is to have one framework, one certification and one assessment as a globally recognized standard for exchanging attestations of trust between organizations, public or private.
Basically, the HITRUST CSF maps to a bunch of different standards and certifications. Many companies that require HIPAA certification happen to use the HITRUST CSF. That’s the link between HIPAA and HITRUST. HIPAA is a U.S. federal law while HITRUST CSF is a cybersecurity framework developed by a for-profit company.
Cloud Security Alliance
The CISSP textbook also calls out the Security, Trust, Assurance and Risk (STAR) registry by the Cloud Security Alliance (CSA) as a cybersecurity framework. Personally, I can’t see there being questions on this, because quite frankly, I think this is a mistake. The STAR registry is a collection of Consensus Assessment Initiative Questionnaire (CAIQ) responses by Cloud Service Providers (CSPs).
I can see the Cloud Controls Matrix (CCM) being a cybersecurity framework (because that’s what it is called by the CSA itself), but I personally don’t see the STAR registry as a cybersecurity framework.
Risk Management Frameworks
Risk management frameworks are used to optimize the organization’s response to risk. In many large organizations, this effort defines the organization’s strategy in terms of balancing business risks and opportunities. This is often referred to as Enterprise Risk Management (ERM).
As with the cybersecurity frameworks covered before, ISC2 lists some leading risk frameworks. These are:
The CISSP textbook calls out both ISO 31000, for a holistic view of the risk the organization faces, and the ISO 27005 document, which addresses Information Technology (IT) risk.
Committee of Sponsoring Organizations (COSO)
The thing to note about COSO and risk management is the more recent document released called Enterprise Risk Management—Integrated Framework. They state this document is seen as a definitive guide to the topic, so it’s worth remembering even if your organization doesn’t use it.
ISACA RISK IT
ISACA created the RISK IT framework to address all aspects of risk associated with the use of IT in a company.
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, is the one to remember. Hopefully, you also remember that this was addressed in the cybersecurity framework discussion.
Security Control Frameworks
Don’t confuse the cybersecurity frameworks covered earlier with security control frameworks. Security control frameworks (SCFs) provide minimum acceptable practices for the implementation and operation of security controls. Think of PCI DSS, for example. PCI DSS isn’t a “notional construct”; rather, it is a clear list of controls and processes that are the minimum acceptable practices for implementing and operating security controls. That’s the big difference.
Security Control Frameworks and Gap Analysis
The courseware also discusses the use of gap analysis with security control frameworks. As you can imagine, an organization can use a gap analysis as an evaluation and assessment tool to determine which required controls are missing or only partially implemented.
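As an added illustration (my own example, not from the ISC2 courseware or any framework’s official tooling), here is a small Python gap analysis: the organization’s reported control status is compared against a security control framework, and a crosswalk projects those gaps onto a second framework, in the spirit of HITRUST’s “one assessment, many standards” idea. Every control ID, title and status below is constructed for illustration and does not correspond to any real framework.

```python
# Added example: gap analysis of reported control status against a security
# control framework, plus a crosswalk to a second framework.
# All control IDs, titles and statuses are constructed, not real framework data.
from collections import Counter

# Constructed framework A: control id -> short title (stands in for an SCF such as PCI DSS)
SCF_A = {
    "A-1": "Inventory of in-scope system components",
    "A-2": "Unique user accounts for every person",
    "A-3": "Encrypt sensitive data at rest",
    "A-4": "Quarterly vulnerability scans",
    "A-5": "Annual security awareness training",
}

# Constructed crosswalk: framework A control -> equivalent controls in framework B
CROSSWALK_A_TO_B = {
    "A-1": ["B-10"],
    "A-2": ["B-20", "B-21"],
    "A-3": ["B-30"],
    "A-4": ["B-40"],
    "A-5": [],  # no equivalent control in framework B
}

# Constructed assessment evidence: status reported by the organization.
# A control that is not reported at all is treated as "not implemented".
STATUS = {"A-1": "implemented", "A-2": "partial", "A-3": "implemented"}

def gap_analysis(framework, status):
    """Return {control_id: status} for every control that is not fully implemented."""
    return {cid: status.get(cid, "not implemented")
            for cid in framework if status.get(cid) != "implemented"}

def coverage(framework, status):
    """Fraction of framework controls reported as fully implemented."""
    done = sum(1 for cid in framework if status.get(cid) == "implemented")
    return done / len(framework)

def mapped_gaps(gaps, crosswalk):
    """Project gaps in framework A onto framework B using the crosswalk.
    A framework-B control inherits the status of the A control mapped to it."""
    out = {}
    for cid, st in gaps.items():
        for b_id in crosswalk.get(cid, []):
            out[b_id] = st
    return out

def summarize(framework, status):
    """Coverage ratio, the gap list, and a count of gaps per status."""
    gaps = gap_analysis(framework, status)
    return {"coverage": coverage(framework, status),
            "gaps": gaps, "by_status": dict(Counter(gaps.values()))}
```

Running `summarize(SCF_A, STATUS)` lists A-2 (partial), A-4 and A-5 (not implemented) as gaps with 40% coverage; `mapped_gaps` then shows which framework-B controls those gaps affect.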
Of course, this information (and much more!) is part of our CISSP Training. We offer Official CISSP Training from the ISC2. Your options include On-Demand CISSP Training, Live Online CISSP Training and In-Person CISSP Training. If you are interested in team training, please contact us for a quote!