1
00:00:00,005 --> 00:00:03,000
- [Instructor] Security professionals have a wide variety

2
00:00:03,000 --> 00:00:05,005
of responsibilities, and typically oversee the design,

3
00:00:05,005 --> 00:00:09,004
implementation, and management of many different controls

4
00:00:09,004 --> 00:00:14,007
that protect confidentiality, integrity, and availability.

5
00:00:14,007 --> 00:00:17,001
It's important to make sure that these controls provide

6
00:00:17,001 --> 00:00:19,000
adequate levels of protection,

7
00:00:19,000 --> 00:00:21,009
and cover many different risks.

8
00:00:21,009 --> 00:00:23,004
It's quite a challenge to build

9
00:00:23,004 --> 00:00:26,003
a comprehensive security program.

10
00:00:26,003 --> 00:00:29,007
Fortunately, security professionals in an organization

11
00:00:29,007 --> 00:00:31,008
don't have to start with a blank piece of paper

12
00:00:31,008 --> 00:00:34,003
when they design security programs.

13
00:00:34,003 --> 00:00:37,009
They can use security control frameworks to help ensure

14
00:00:37,009 --> 00:00:40,007
that they're covering all the bases, and building controls

15
00:00:40,007 --> 00:00:43,001
that protect the organization

16
00:00:43,001 --> 00:00:46,000
against many foreseeable risks.

17
00:00:46,000 --> 00:00:47,005
There are many different control frameworks

18
00:00:47,005 --> 00:00:49,009
covering information security.

19
00:00:49,009 --> 00:00:53,004
Let's take a look at a few of the most common ones.

20
00:00:53,004 --> 00:00:56,008
The Control Objectives for Information Technology, or COBIT,

21
00:00:56,008 --> 00:00:59,005
is a security control framework developed by

22
00:00:59,005 --> 00:01:03,009
the Information Systems Audit and Control Association.

23
00:01:03,009 --> 00:01:06,005
This framework is very often used by auditors,

24
00:01:06,005 --> 00:01:08,008
and has a strong focus on linking business goals

25
00:01:08,008 --> 00:01:12,001
with the functions of information security.
26
00:01:12,001 --> 00:01:14,006
As you can see here, the COBIT standard

27
00:01:14,006 --> 00:01:16,007
is a detailed document.

28
00:01:16,007 --> 00:01:19,008
It covers five different principles:

29
00:01:19,008 --> 00:01:22,008
meeting stakeholder needs, covering the enterprise

30
00:01:22,008 --> 00:01:26,005
end to end, applying a single integrated framework,

31
00:01:26,005 --> 00:01:29,005
enabling a holistic approach,

32
00:01:29,005 --> 00:01:30,003
and separating governance from management.

33
00:01:30,003 --> 00:01:35,001
It also contains implementation guidelines to help

34
00:01:35,001 --> 00:01:37,007
organizations that are trying to implement the COBIT

35
00:01:37,007 --> 00:01:40,007
framework in their enterprise.

36
00:01:40,007 --> 00:01:43,004
The International Organization for Standardization also

37
00:01:43,004 --> 00:01:47,004
publishes a control framework for information security.

38
00:01:47,004 --> 00:01:50,006
The full title of the standard is Information Technology,

39
00:01:50,006 --> 00:01:54,006
Security Techniques, Information Security Management Systems,

40
00:01:54,006 --> 00:01:56,005
Requirements, but most people know it

41
00:01:56,005 --> 00:02:00,004
by its designation, ISO 27001.

42
00:02:00,004 --> 00:02:03,000
This is a very commonly used standard,

43
00:02:03,000 --> 00:02:05,007
as many organizations follow ISO standards

44
00:02:05,007 --> 00:02:09,003
for a wide variety of business functions.

45
00:02:09,003 --> 00:02:10,009
Government agencies and contractors

46
00:02:10,009 --> 00:02:13,007
have a standard all their own.

47
00:02:13,007 --> 00:02:16,007
The National Institute of Standards and Technology, NIST,

48
00:02:16,007 --> 00:02:19,008
publishes a document called the Security and Privacy

49
00:02:19,008 --> 00:02:24,002
Controls for Federal Information Systems and Organizations.
50
00:02:24,002 --> 00:02:28,008
It's known as NIST Special Publication 800-53,

51
00:02:28,008 --> 00:02:32,003
or more commonly just NIST 800-53.

52
00:02:32,003 --> 00:02:34,006
While this standard is mandatory for federal

53
00:02:34,006 --> 00:02:37,006
government agencies, many other organizations

54
00:02:37,006 --> 00:02:40,001
use this standard as well.

55
00:02:40,001 --> 00:02:41,007
Let's take a look at the detailed contents

56
00:02:41,007 --> 00:02:44,009
of NIST Special Publication 800-53.

57
00:02:44,009 --> 00:02:48,006
It contains over 400 pages of information

58
00:02:48,006 --> 00:02:49,007
about building a security program for

59
00:02:49,007 --> 00:02:57,008
government agencies and other organizations.

60
00:02:57,008 --> 00:03:00,000
If we take a quick look at the table of contents,

61
00:03:00,000 --> 00:03:01,006
you'll see that after an introduction,

62
00:03:01,006 --> 00:03:05,003
it goes through the fundamentals of information security,

63
00:03:05,003 --> 00:03:07,003
talking about multitiered risk management,

64
00:03:07,003 --> 00:03:11,006
security control structures, baselines, and designations,

65
00:03:11,006 --> 00:03:14,007
the use of external service providers, and how to assess

66
00:03:14,007 --> 00:03:19,001
assurance and trustworthiness for information systems.

67
00:03:19,001 --> 00:03:21,007
It then goes into the process of implementing security

68
00:03:21,007 --> 00:03:24,006
and privacy controls, talking about selecting an appropriate

69
00:03:24,006 --> 00:03:27,007
security control baseline, and then tailoring that baseline

70
00:03:27,007 --> 00:03:31,007
to the specific needs of an organization, creating overlays,

71
00:03:31,007 --> 00:03:34,008
and documenting the control selection process for

72
00:03:34,008 --> 00:03:38,003
both new development and legacy systems.

73
00:03:38,003 --> 00:03:40,007
Security control frameworks play an

74
00:03:40,007 --> 00:03:44,000
important role in information security.
75
00:03:44,000 --> 00:03:45,009
While most organizations don't follow them

76
00:03:45,009 --> 00:03:48,009
letter for letter, these frameworks do provide

77
00:03:48,009 --> 00:03:51,009
a useful tool for designing the appropriate controls

78
00:03:51,009 --> 00:03:54,002
for any organization.