Introduction to Cybersecurity
Cybersecurity vs. Information Security (InfoSec)
Information security programs and policies are designed to protect the confidentiality, integrity, and availability of data within an organisation. Organisations are rarely self-contained, and the price of connectivity is exposure to attack. Every organisation is a potential target.
Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks. It builds upon traditional information security programs and includes:
Cyber risk management and oversight
Threat intelligence and information sharing
Third-party organisation, software, and hardware dependency management
Incident response and resiliency
The NIST Cybersecurity Framework
https://www.nist.gov/cyberframework
The National Institute of Standards and Technology (NIST) is a well-known agency of the U.S. Department of Commerce. Its goal is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life. Its Cybersecurity Framework is a collection of industry standards and best practices that helps organisations manage cybersecurity risk and acts as a blueprint for any organisation. The Computer Security Division (CSD) is one of seven divisions within NIST’s Information Technology Laboratory (ITL).
Additional NIST Guidance and Documents
There are currently more than 500 NIST InfoSec docs:
Federal Information Processing Standards (FIPS): This is the official publication series for standards and guidelines.
Special Publication (SP) 800 series: This series reports on ITL research, guidelines, and outreach efforts in information system security, and on ITL’s collaborative activities with industry, government, and academic organisations. SP 800 series documents can be downloaded from https://csrc.nist.gov/publications/sp800.
NIST Internal or Interagency Reports (NISTIR): These reports focus on research findings, including background information for FIPS and SPs.
ITL bulletins: Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis.
The International Organization for Standardization (ISO)
ISO is a network of the national standards institutes of more than 160 countries. ISO has developed more than 13,000 international standards on a variety of subjects, ranging from country codes to passenger safety.
The ISO/IEC 27000 series (also known as the ISMS Family of Standards, or ISO27k for short) comprises information security standards published jointly by the ISO and the International Electrotechnical Commission (IEC). The first six documents in the ISO/IEC 27000 series provide recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System”:
ISO 27001 is the specification for an Information Security Management System (ISMS).
ISO 27002 describes the Code of Practice for information security management.
ISO 27003 provides detailed implementation guidance.
ISO 27004 outlines how an organisation can monitor and measure security using metrics.
ISO 27005 defines the high-level risk management approach recommended by ISO.
ISO 27006 outlines the requirements for organisations that will measure ISO 27000 compliance for certification.
There are 20 docs in the series and more in development. The framework is for all organisations. According to the ISO website, “the ISO standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization. It is intended to provide a common basis for developing organisational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”