Monday, November 12, 2018

There are many frameworks that you can use to protect a company infrastructure


There are many different approaches to help a company look at the protection of its assets and data as a repeatable process.

There is COBIT by ISACA. COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed to be a supportive tool for managers, bridging the crucial gap between technical issues, business risks, and control requirements. You can learn about COBIT here.

The National Institute of Standards and Technology (NIST) SP 800 series. The NIST SP 800 documents are a series of publications put forth by NIST, which is a non-regulatory agency of the United States Department of Commerce. The SP 800 series was established in 1990 and has grown quite a bit since then, encompassing a large, in-depth, and ever-growing set of computer security documents seen by many as industry leading. The NIST SP 800 documents have long been well known to professionals within the field of information technology, particularly information security, and they gained additional recognition with the Federal Information Security Management Act of 2002, known as FISMA. You can see the SP 800 files here.

The NIST Cybersecurity Framework (CSF) Version 1.1. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. You can learn about CSF here.

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family, providing requirements for an information security management system (ISMS). There are more than a dozen standards in the 27000 family; you can see them here.

Most of us know about MITRE CVE, whose sole purpose is to provide common vulnerability identifiers called "CVE Entries." CVE does not provide severity scoring or prioritization ratings for software vulnerabilities. However, the separate CVSS standard (the Common Vulnerability Scoring System, maintained by FIRST) can be used to score the severity of CVE Entries.

One you might not know about is MITRE ATT&CK™

MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge. You can find out more here.