ISC
1
Regulations, Standards, and
Frameworks
Module
1 National Institute of Standards and
Technology Frameworks 3
2 Privacy and Data Security Standards 15
3 Center for Internet Security Critical Security Controls:
Part 1 21
4 Center for Internet Security Critical Security Controls:
Part 2 33
5 COBIT 2019 Framework 43
, NOTES
S1–2 © Becker Professional Education Corporation. All rights reserved.
,1
MODULE
National Institute of
Standards and Technology
Frameworks ISC 1
Overview
The application of information technology (IT) in an organization is the systematic
implementation of hardware and software so that data can be transmitted, modified, accessed,
and stored both securely and efficiently. As the field of information science advances, the speed
at which IT devices can perform these tasks has rapidly increased, and organizations must
reevaluate their technology on a regular basis.
Organizations adopt technology to enhance or support business operations, protect digital
records and assets, and safeguard physical assets. This makes the selection and deployment of
management information systems critical to the success of any organization.
1 National Institute of Standards and Technology (NIST)
Cybersecurity Framework (CSF)
1.1 NIST Background
The National Institute of Standards and Technology (NIST) was established in 1901 to remove
barriers to industrial competitiveness and improve access to resources to promote U.S. research
capabilities. In 1995, the NIST branched out into the cybersecurity field with the NIST Special
Publication 800-12, An Introduction to Information Security. To date, three of the most prolific sets
of standardized frameworks promulgated by NIST include the NIST Cybersecurity Framework
(CSF), NIST Privacy Framework, and NIST SP 800-53 Security and Privacy Controls for Information
Systems and Organizations.
1.2 Cybersecurity Framework
Introduction
The NIST Cybersecurity Framework is a voluntary framework that includes three primary
components to manage cybersecurity risk:
1. Framework Core
2. Framework Implementation Tiers
3. Framework Profile
© Becker Professional Education Corporation. All rights reserved. Module 1 National
S1–3Institute of Standards
, 1 National Institute of Standards and Technology Frameworks ISC 1
Tier 1 Tier 2 Tier 3 Tier 4
(Partial) (Risk Informed) (Repeatable) (Adaptive)
CORE TIERS
PROFILE
Source: Reprinted courtesy of the National Institute
of Standards and Technology, U.S. Department of
Commerce. Not copyrightable in the United States.
1.2.1 Framework Core
The NIST CSF was a legislative imperative for NIST aimed at developing a set of plain language
controls for the protection of critical IT infrastructure. Specifically, the focus of the NIST CSF is
to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and
repeatable manner.
The framework core consists of five areas of focus, or functions, which represent different points
in the security risk management life cycle that help enhance cybersecurity protection. These
components are not ordered steps; they are functions that should be performed concurrently.
The five components are Identify, Protect, Detect, Respond, and Recover.
1. Identify: This function focuses on creating canonical records of the assets an organization
uses to support information processing operations, users who are both internal and
external to an organization, and systems.
2. Protect: This function focuses on safeguards and access controls to networks, applications,
and other devices deployed as well as regular updates to security software, including
encryption for sensitive information, data backups, plans for disposing of files or unused
devices, and training for those with access to a company's network.
3. Detect: This function identifies the tools and resources needed to detect active
cybersecurity attacks, which includes monitoring network access points, user devices,
unauthorized personnel access, and high-risk employee behavior or the use of high-risk
devices.
4. Respond: This function outlines how a company should contain a cybersecurity event, react
using planned responses that mitigate losses, and notify all affected parties.
5. Recover: This function focuses on supporting the restoration of a company's network to
normal operations through repairing equipment, restoring backed up files or environments,
and positioning employees to rebound with the right response.
S1–4 Module 1 National
© Becker InstituteEducation
Professional of Standards and Technology
Corporation. Frameworks
All rights reserved.