Frameworks to Help You Evolve Your Cybersecurity Program - mccright/FCCSCybersecurityInput GitHub Wiki

Process and Control Emphasis

Readiness/Attack Resistance amounts to some combination of the following control types:

  • directive
  • preventive
  • detective
  • corrective
  • deterrent
  • compensating
  • responsive
  • recovery

Example Frameworks

EXAMPLE - NIST 800-53 Control Families:

https://github.com/mccright/rand-notes/blob/master/NIST-Pub-800-53-Rev4-Controls-List.htm

  • Access Control
  • Audit And Accountability
  • Awareness And Training
  • Configuration Management
  • Contingency Planning
  • Identification And Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical And Environmental Protection
  • Planning
  • Program Management
  • Risk Assessment
  • Security Assessment And Authorization
  • System And Communications Protection
  • System And Information Integrity
  • System And Services Acquisition

For one example of how to map these, see: https://github.com/mccright/rand-notes/blob/master/Developer-Related-NIST-Pub-800-53-Rev4-Controls.htm

EXAMPLE - Build Security In Maturity Model (BSIMM)

BSIMM is a software security framework that organizes 116 activities into 12 practices, grouped under four domains.

  • Governance
  1. Strategy & Metrics (SM)
  2. Compliance & Policy (CP)
  3. Training (T)
  • Intelligence
  1. Attack Models (AM)
  2. Security Features & Design (SFD)
  3. Standards & Requirements (SR)
  • SSDL Touchpoints
  1. Architecture Analysis (AA)
  2. Code Review (CR)
  3. Security Testing (ST)
  • Deployment
  1. Penetration Testing (PT)
  2. Software Environment (SE)
  3. Configuration Management & Vulnerability Management (CMVM)
Sources: https://www.bsimm.com/framework.html and https://www.bsimm.com/content/dam/bsimm/reports/bsimm9.pdf

EXAMPLE - World Economic Forum (WEF)

LEARNER Resources:

Software Assurance Maturity Model (SAMM) https://owaspsamm.org/, https://github.com/OWASP/samm and https://www.owasp.org/index.php/OWASP_SAMM_Project
OWASP Cheat Sheet Collection: https://github.com/OWASP/CheatSheetSeries/blob/master/Index.md
"Threat Modeling Cheat Sheet (OWASP)" https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md
MITRE ATT&CK threat list: https://mitre.github.io/attack-navigator/enterprise/. ATT&CK is a catalog of tactics and techniques that describe post-compromise adversary behavior in typical enterprise IT environments. The core use cases involve using the catalog to analyze, triage, compare, describe, relate, and share post-compromise adversary behavior. See the descriptions of all 244 attack techniques at: https://attack.mitre.org/techniques/enterprise/; and the 13 more that are specific to mobile environments at: https://attack.mitre.org/tactics/mobile/.
For a Q1 2019 threat overview using the MITRE ATT&CK framework, see: https://www.rapid7.com/research/report/2019-q1-threat-report/#MITRE-ATTCK-Framework
"NIST Special Publication 800-181 - National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework." By William Newhouse, Stephanie Keith, Benjamin Scribner, and Greg Witte. NIST, 2017. This publication describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), a reference structure that describes the interdisciplinary nature of the cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
Zero Trust Engineering: "NSA | Embracing a Zero Trust Security Model." "NSA | Advancing Zero Trust Maturity Throughout the User Pillar." "NSA | Advancing Zero Trust Maturity Throughout the Device Pillar." "NSA | Advancing Zero Trust Maturity Throughout the Network and Environment Pillar." These, along with other related cybersecurity documents, are published by the National Security Agency/Central Security Service.