
This page is basically a directory of links. I have a hodgepodge of useful bookmarks accumulated over time in a yet-to-be-well-organized bookmark directory and I wanted to group up a few of them for specific topics (this page being for links related to standards/frameworks/policy stuff). I figured I might as well post it here for my own reference and so others might get use from it! These links are not necessarily in any particular order, though I’ll try to provide a brief description of each.

Note: For general infosec/cybersec resources, check out this post!

NIST:

(National Institute of Standards and Technology)

What is NIST?

  • It’s a U.S. federal agency that develops and promotes measurement standards, guidelines, and technologies to enhance innovation, industrial competitiveness, and public safety across various sectors, including cybersecurity, manufacturing, and technology.

NIST Frameworks

  • NIST publishes several frameworks that guide organizations in managing cybersecurity, privacy, AI, and other risks, including the Cybersecurity Framework (CSF) and the Risk Management Framework (RMF).

NIST CSF (Cybersecurity Framework)

  • CSF is a set of guidelines designed to help organizations of all types manage and reduce cybersecurity risks through improved governance, risk management, and communication strategies.
  • further summary details on the CSF

 

ISO:

(International Organization for Standardization)

What is ISO?

  • It’s a global body that develops and publishes consensus-based standards to ensure interoperability, safety, and quality across diverse industries and sectors.

ISO 27001 (and ISO 27002)

  • ISO/IEC 27001 specifies the requirements for an information security management system (ISMS); ISO/IEC 27002 is the companion guidance on selecting and implementing the security controls referenced by 27001.

 

SANS Institute:

What is The SANS Institute?

  • It’s a leading organization providing information security training, certification, and research to individuals and organizations. “SANS” stands for SysAdmin, Audit, Network, and Security.
  • SANS website

SANS Security Policy Templates

  • Do you need to create/audit a security policy like an acceptable use policy or an incident response plan? This is a great resource for you!

SANS Security Awareness Planning Toolkit

(Free download found at this link, you just need to make a free account when prompted.)

  • Fantastic resources if you want to build and/or improve a Security Awareness Program.
    • Of course, SANS (a for-profit company) wants to sell you courses, certifications, and training services. Nonetheless I think this is a great free resource (I have no affiliation with SANS).
  • The kit includes:
    • Example program charter and plan.
    • Customizable slide deck for presenting to stakeholders.
    • Matrix tool to identify ways to measure security behaviors, culture, and the impact of the program.
    • Phishing planning guide.
    • “Maturity Model” table to help identify program status and goals.
    • Example templates showing how to document the overall security awareness plan.
    • “SANS Security Awareness Report” to benchmark program against others.
    • “Working from Home Deployment Kit: Everything you need to quickly plan and deploy a Work-from-Home security awareness training program”.
      • “strategic planning guide, training videos, and additional materials…”

 

ITIL:

(Information Technology Infrastructure Library)

What is ITIL?

  • It’s a framework of best practices for IT service management that provides guidelines for aligning IT services with business strategy.

A guide to ITIL and its place in modern ITSM (IT Service Management)

  • There is also a lot of other ITSM info found at the above link.

 

PCI DSS:

(Payment Card Industry Data Security Standard)

What is PCI DSS?