Security Standards and Frameworks

The International Organization for Standardization developed the ISO 27000 Series. It is a flexible information security framework that can be applied to all types and sizes of organizations.
The ISO 27001 and 27002 standards, which are the two main ones, specify the conditions and steps for developing an information security management system (ISMS). An essential audit and compliance activity is having an ISMS. The requirements for the ISMS program are defined by ISO 27000, which also includes an overview and vocabulary. The code of practice for creating ISMS controls is outlined in ISO 27002.
Compliance with ISO 27000 Series standards is established through audit and certification processes, typically provided by third-party organizations approved by ISO and other accredited agencies.
The ISO 27000 Series has 60 standards covering a broad spectrum of information security issues, for example:
• ISO 27018 addresses cloud computing.
• ISO 27031 provides guidance on I.T. disaster recovery programs and related activities.
• ISO 27037 addresses the collection and protection of digital evidence.
• ISO 27040 addresses storage security.
• ISO 27799 defines information security in healthcare, which is useful for companies that require HIPAA compliance (Kirvan & Granneman, 2022).
NIST SP 800-53
N.I.S.T. has created a sizable library of information security-focused I.T. standards. The NIST SP 800 Series, first released in 1990, covers almost every facet of information security with an increasing emphasis on cloud security. The information security standard utilized by U.S. government entities is NIST SP 800-53, which is also frequently applied in the private sector. The N.I.S.T. Cybersecurity Framework (CSF) and other information security frameworks have benefited from the implementation of SP 800-53.

NIST SP 800-171
Due to demands made by the U.S. Department of Defense on contractor adherence to security frameworks, NIST SP 800-171 has grown in prominence. Due to their proximity to federal information networks, government contractors are frequently the target of cyberattacks. To submit a bid for federal and state contracts, manufacturers and subcontractors working for the government must have an I.T. security framework.
Controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53 but are less detailed and more generalized. It is possible to build a crosswalk between the two standards if an organization must show compliance with NIST SP 800-53, using NIST SP 800-171 as the base. Smaller organizations can create flexibility and show compliance as they grow using the additional controls included in NIST SP 800-53 (Kirvan & Granneman, 2022).

NIST CSF
Executive Order 13636, published in February 2013, directed N.I.S.T. to create the N.I.S.T. Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF. It was created to address the essential infrastructure of the United States, including transportation, communications, water and food supplies, and energy production. Due to their significance, these industries have all been targeted by nation-state actors. Hence, they must all maintain a high level of readiness.
NIST CSF focuses on risk analysis and risk management, in contrast to other N.I.S.T. frameworks. The framework’s security measures are based on the five risk management phases: identification, protection, detection, response, and recovery. Like all I.T. security initiatives, these phases call for senior management backing. Both the public and private sectors can utilize NIST CSF.
NIST SP 1800 Series
The NIST SP 1800 Series is a guide that complements the NIST SP 800 Series of standards and frameworks. The SP 1800 Series of publications offers information on implementing and applying standards-based cybersecurity technologies in real-world applications.
The SP 1800 Series publications provide the following:
• examples of specific situations and capabilities;
• experience-based, how-to approaches using multiple products to achieve the desired result;
• modular guidance on the implementation of capabilities for organizations of all sizes; and
• specifications of required components and installation, configuration, and integration information so organizations can easily replicate the process themselves (Kirvan & Granneman, 2022).
NIST IR 8200 Series
The NIST IR 8200 Series is a set of technical publications, developed by the National Institute of Standards and Technology, that details U.S. government procedures, policies, and guidelines on information systems.

COBIT
COBIT is the acronym for Control Objectives for Information and Related Technologies. The C.O.B.I.T. framework was created by the Information Systems Audit and Control Association (I.S.A.C.A.) to bridge the critical chasm between technical issues, business risks, and control requirements.
C.O.B.I.T. is a widely recognized guideline that can be applied to any organization in any industry. It ensures the quality, control, and reliability of information systems in an organization, which is also the most critical aspect of every modern business (Hanna, 2022).
Initially, C.O.B.I.T. concentrated on lowering I.T. risks. In C.O.B.I.T. 5, which was introduced in 2012, new business and technological developments are added to aid firms in balancing I.T. and business objectives. C.O.B.I.T. 2019 is the most recent version, and it is a widely utilized framework for achieving Sarbanes-Oxley compliance. The criteria of C.O.B.I.T. are covered in numerous publications and professional certifications (Hanna, 2022).
C.I.S. Controls
Technical security and operational controls that can be used in any setting are listed in the Critical Security Controls, Version 8 from the Center for Internet Security (C.I.S.). It is entirely focused on lowering risk and boosting resilience for technical infrastructures, not risk analysis or risk management like NIST CSF.
Controls include the following:
• Inventory and Control of Enterprise Assets
• Data Protection
• Audit Log Management
• Malware Defenses
• Penetration Testing
To help address identified risks, C.I.S. Controls integrate with current risk management systems. They are helpful resources for I.T. departments that lack technical information security skills.
HIPAA
The HIPAA standard applies to organizations that handle protected health information (PHI). This standard includes requirements for security controls and procedures, such as data encryption and access control. Compliance with the HIPAA standard can help ensure sensitive health information security.
H.I.T.R.U.S.T. Common Security Framework
Risk analysis, risk management frameworks, and operational requirements are part of the H.I.T.R.U.S.T. Common Security Framework. Although built for healthcare organizations, the framework, which has 14 different control types, can be used in nearly any organization. Because of the extensive documentation and procedures, adopting H.I.T.R.U.S.T. is a massive job for any firm. As a result, many businesses narrow the scope of their H.I.T.R.U.S.T. priorities. Adopting this framework also involves additional labor and costs related to H.I.T.R.U.S.T. certification. The third-party audit required for certification adds an additional level of validity.
PCI DSS
The PCI DSS standard applies to any organization that processes, stores, or transmits credit card data. This standard includes requirements for security controls and procedures, such as data encryption and incident response. Compliance with the PCI DSS standard can help ensure credit card data security.

G.D.P.R.
The General Data Protection Regulation (G.D.P.R.) is a framework of security requirements that global organizations must implement to protect the security and privacy of E.U. citizens’ personal information. The G.D.P.R. requires access control methods like least privilege, role-based access, multifactor authentication, and safeguards for limiting unauthorized access to stored data (Kirvan & Granneman, 2022).
The G.D.P.R. protects:
• Basic identity information such as name, address, and I.D. numbers
• Web data such as location, I.P. address, cookie data, and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
C.O.S.O.
The C.O.S.O. Framework is a system that establishes internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently, and in accordance with established industry standards (Minniti, 2022).
The 5 Components of C.O.S.O.: C.R.I.M.E.
• Control Environment: How has management implemented policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to ensure that your controls are operating effectively and achieving the expected results?
• Risk Assessment: How does your organization assess risk in order to identify the things that threaten the achievement of its objectives?
• Information and Communication: How does management communicate to their internal and external users what is expected of them? How do you make sure that you receive an acknowledgment from those people that they understand what you are asking them to do?
• Monitoring Activities: How does management oversee the functioning of the entire organization? How do you identify when things are not working correctly and correct those deficiencies as quickly as possible?
• Existing Control Activities: What are the controls that you currently have in place? Were they in place and operating effectively over a period of time? (Kirkpatrick, 2022).

References
Hanna, K. (2022). What is COBIT and why is it important? TechTarget SearchSecurity. https://www.techtarget.com/searchsecurity/definition/COBIT
Jalali, M. S., & Kaiser, J. P. (2018). Cybersecurity in hospitals: A systematic, organizational perspective. Journal of Medical Internet Research, 20(5), e10059.
Kirkpatrick, J. (2022). 5 components of internal control. KirkpatrickPrice. https://kirkpatrickprice.com/video/5-components-internal-control/
Kirvan, P., & Granneman, J. (2022). Top 10 IT security frameworks and standards explained. TechTarget SearchSecurity. https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one
Minniti, R. (2022). Review of the COSO framework. myCPE. https://my-cpe.com/self-study/review-of-the-coso-framework
Simplilearn. (2022). What is COBIT? Understanding the COBIT framework. https://www.simplilearn.com/what-is-cobit-significance-and-framework-rar309-article
Whitman, M. E., & Mattord, H. J. (n.d.). Principles of information security (7th ed.).
Zhu, X. (2021). Self-organized network management and computing of intelligent solutions to information security. Journal of Organizational and End User Computing (JOEUC), 33(6), 1-16.