CCSP Standards (ISO, NIST, Etc.)
Life cycle process
1. Plan and Organize
Audit Scope Statements
An audit scope statement offers the required level of information for the client or organization
Audit Scope Restrictions
Audit Scope Restrictions
COBIT 5.0:
COBIT 5.0:
CSA Star
Created to establish a "first step" in displaying transparency and assurance for cloud-based environments. In an effort to ensure adoption and use throughout the cloud-computing industry, the CSA made the STAR a publicly available and accessible registry that provides a mechanism for users to assess the security of the cloud service provider.
Define an ISMS policy.
Define an ISMS policy.
EU Data Protection Directive Features:
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA (U.S. Act) sets out the requirements of the Department of Health and Human
ISO 27002 includes:
ISO 27002 includes:
ITIL Benefits:
ITIL Benefits:
Important FISMA Features:
Important FISMA Features:
Important HIPAA Features:
Important HIPAA Features:
Important HITECH Features:
Important HITECH Features:
Audit Scope
It provides both an independent and an objective review of overall adherence to, or effectiveness of, processes and controls.
Key SLA Elements
Key SLA Elements
SOX (Sarbanes-Oxley Act)
Requires companies to review internal controls and take responsibility for the accuracy and completeness of their financial reports. SOX is U.S. legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. SOX is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be
SABSA
SABSA
the Stored Communications Act (SCA)
SCA was enacted in the United States in 1986 as part of the Electronic Communications
Sarbanes-Oxley Act (SOX).
SOX is U.S. legislation enacted to protect shareholders and the general public from
FIPS Level One
Security Level 1: The lowest level of security. To meet Level 1 requirements,
FIPS Level Two
Security Level 2: Enhances the required physical security mechanisms listed
FIPS Level Three
Security Level 3: Looks to develop the basis of Level 1 and Level 2 to include preventing
FIPS Level Four
Security Level 4: Represents the highest rating. Security Level 4 provides the
SP 800-53
Security and controls for federal systems. The primary goal and objective of the 800-53 standard is to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
TOGAF
TOGAF
the Gramm-Leach-Bliley Act (GLBA)
The GLBA (aka the Financial Modernization Act of 1999) is a federal law enacted in the
ISO/IEC 27001:2013
The standard provides "established guidelines and general principles for initiating, implementing,
ENISA
You could think of the European Union Agency for Network and Information Security (ENISA) as a European counterpart to NIST. It is a standard and model developed in Europe. While it is international in nature within the confines of Europe, it is not as globally accepted in the way ISO standards are.
ISO 28000:2007
A set of requirements for a supply chain security management system that includes aspects of financing, manufacturing, information systems, and the facilities for packing, storing, and transferring goods between modes of transportation and locations.
SOC 3 Report
- SOC 3 reports are very similar in approach and substance to SOC 2 reports, but they are designed for general use and do not contain any sensitive information.
SABSA
...is a framework and methodology for enterprise security architecture and service management. It provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time.
Six Sigma
...is a process improvement methodology. It is the "new and improved"
Zachman framework
...is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give a holistic understanding of the enterprise.
ITIL
...is the de facto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet business needs.
Capability Maturity Model Integration (CMMI)
...is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture.
bottom-up approach
...refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.
TOGAF
...has its origins in the U.S. Department of Defense. It provides an approach to design, implement, and govern an enterprise information architecture, and can be used for Business, Data, Applications, and Technology architectures.
Wassenaar Arrangement
41 countries, military
Checksum
A checksum is the output of a cryptographic hash function run against a piece of data or a file. The same algorithm can be run against the file at a later time and the result compared with the original, known-good value to determine whether the file has been altered from its original, correct state. Using a checksum is an easy and quick way to determine whether a file has been altered or tampered with in any way.
Cloud Controls Matrix (CCM)
A list of security controls and principles appropriate for the cloud environment, cross-referenced to other control frameworks such as COBIT, ISO standards, and NIST pubs. You can download a copy of the current CCM from CSA at
PaaS (Platform as a Service)
A model in which the service provider supplies the infrastructure and tools so that the client does not need to manage them. Because PaaS offers a full platform and framework and needs only application code and data to function, auto-scaling is a prominent feature of this service category, and it is typically the service category being discussed when that topic comes up.
IaaS (Infrastructure as a Service)
A model that provides infrastructure resources such as storage and networking and allows the client to deploy software and add network components such as firewalls. Most expensive.
PLA (Privacy level agreement)
A privacy level agreement, or PLA, would set out in contractual terms how a third party provider will ensure that the information it hosts will not be seen by the wrong sets of eyes.
Consensus Assessments Initiative Questionnaire (CAIQ)
A self-assessment performed by cloud providers, detailing their evaluation of the practice areas and control groups they use in providing their services
ISO/IEC 27034
Application security
ITAR
Arms export restrictions (State Department)
APEC
Asia-Pacific Economic Cooperation Council
APP 11
Australian - PII security
APP 8
Australian - cross-border PII
BS7799
BS7799 was created in 1995, by the British Standards Institution (BSI), as a standard to guide the development and implementation of an Information Security Management System, commonly known as an ISMS.
NIST SP 800-14
Baseline to establish and review IT security programs
ISO/IEC 27031
Business continuity
Corporate Governance
COSO
NIST SP 800-53
Catalog of baseline security and privacy controls for RMF. (53A = assessment guidelines)
ISO/IEC 15408-1:2009
Common Criteria assurance framework (certification testing)
ISO/IEC 27006
Certification body requirements
CCSM
Cloud Certification Schemes Metaframework
CAMP
Cloud application management platforms (CAMPs) are a set of specifications designed to ease management of applications, including packaging and deployment across public and private cloud platforms.
Security Controls Development
CobiT (Control Objectives for Information and Related Technology)
ISO/IEC 27002
Code of practice for information security controls
ISO/IEC 27002
Code of practice for information security management (recommendation of security control)
Confidentiality
Confidentiality pertains to the protection of sensitive information from disclosure to unauthorized parties, either through accidental disclosure or by the actions of malicious actors. It has a second component that is related to ensuring that data is available to authorized parties and provisioned for appropriate access.
NIST 800-37 Step 4
Continuous Monitoring Phase - ongoing security of the system is verified.
Step 8 in the risk analysis process
Control Recommendations
Step 4 in the risk analysis process
Control analysis
ITIL Service Operation
Covers IT operations control.
ISO/IEC 27032
Cybersecurity
TOGAF
De facto standard for enterprise architecture. The Open Group develops and maintains the TOGAF standard and publishes successive versions at regular intervals.
Jericho Forum
Defines the security capabilities that arise from the realities of traditional data center technology environments (Security & Risk Management)
NIST SP 800-145
Definition of cloud computing
ITIL Service Transition
Describes taking new projects and making them operational.
OCTAVE
Describes three phase process for managing risk. 1. ID staff knowledge, assets and threats. 2. ID vulnerabilities and evaluate safeguards. 3. Conduct risk analysis and develop risk mitigation strategy.
ITIL Continual Service Improvement
Describes ways to improve existing IT services.
ITIL Service Design
Details the infrastructure and architecture required to deliver IT services.
ISO/IEC 27037
Digital evidence collection and preservation
ENISA
European 2009 risk management framework (like the US one): 35 organizational risks and a top 8: loss of governance, lock-in, isolation failure, compliance, management interface, data protection, incomplete deletion, malicious insider.
EAR
Export regulations (Commerce Department)
FedRAMP
FedRAMP is a government-wide program that provides for a standardized approach to security assessments, authorization, and continuous monitoring of cloud products and services. FedRAMP certification can be quite costly and difficult to achieve but is required if you want to host a U.S. government agency or subcontractor.
NIST FIPS 140-2
Four levels of security based on crypto levels. Level 1 (lowest) through Level 4 (highest)
ISO/IEC 27001:2013
Framework of domains for formal risk assessment program that defines an ISMS. (It is widely used) infosec policy, organization, human, asset, access, crypto, physical/environmental, ops, comms, acquisition/dev/maint, supplier, incident management, BC, compliance.
ISO/IEC 27008
Guidance for auditors
NIST SP 800-37, Rev. 1
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach. Large collection of security publications
NIST 800-37
Guide for Security Certification and Accreditation of Federal Information Systems.
NIST 800-122
Guide to protecting PII
NIST SP 800-125
Guide to security for full virtualization technologies (and 125B is security of virtual network configurations for VMs)
ISO/IEC 27003
Guideline for ISMS implementation
ISO/IEC 27031
Guideline for information and communications technology readiness for business continuity
ISO 27799
Guideline for information security management in health organizations
ISO/IEC 27004
Guideline for information security management measurement and metrics framework
ISO/IEC 27005
Guideline for information security risk management
ISO/IEC 27033-1
Guideline for network security
ISO/IEC 27006
Guidelines for bodies providing audit and certification of information security management systems
ITIL Service Strategy
Helps IT provide services
ISO/IEC 27007
ISMS auditing
ISO/IEC 27003
ISMS implementation
ISO/IEC 27001
ISMS requirements
ISO/IEC 27001
ISMS requirements (systematic approach to managing and securing company information)
ISO 14443: Smart card standardizations
ISO 15408: Common Criteria
ISO 22301: BCM - Business continuity
ISO 27000: ISMS-Overview and Vocabulary
ISO 27001: ISMS-Requirement
ISO 27002: Code of practice
ISO 27003: ISMS implementation
ISO 27004: Measurement and metrics framework
ISO 27005: Risk management
ISO 27006: Certification body requirements
ISO 27007: ISMS-Auditing
ISO 27008: Information Security Control
ISO 27011: ISMS guideline telecom organization
ISO 27014: Governance of information security
ISO 27017: Use of cloud services
ISO 27018: Cloud privacy protection overview
ISO 27031: Communications technology readiness for business continuity
ISO 27032: Cyber Security Resilience
ISO 27034: Security applications
ISO 27035: Security incident management
ISO 27037: Covers identifying, gathering, and preserving digital evidence.
ISO 27799: Directives on protecting personal health information
ISO 28000: Supply Chain Management
ISO 31000: Risk Management Framework
ISO 42010: Systems and Software Engineering Architecture description
ISO 7498: OSI Model
IT Infrastructure Library (ITIL)
IT Infrastructure Library (ITIL) - service strategy, service design, service transition, service operations, and continuous service improvement. Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce
Process Management
ITIL
Step 6 in the risk analysis process
Impact Analysis
contract
In the event of any litigation, either against the cloud customer's systems or services or against the cloud provider, the contract should clearly document the responsibilities and duties of each party as far as communication and compliance.
ISO/IEC 27035
Incident management
ISO/IEC 27004
Information Security Measurements
ISO/IEC 27014
Information security governance
ISO/IEC 27011
Information security management guidelines for telecommunications organizations
NIST 800-37 Step 1
Initiation Phase - IS and risk mitigation plan is researched.
CobiT
It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
NIST SP 800-53
Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.
CSA Star Level One:
Level One: Self-Assessment. Requires the release and publication of due diligence assessments against the CSA's Consensus Assessment Initiative Questionnaire and/or Cloud Controls Matrix (CCM)
CSA Star Level Three:
Level Three: CSA STAR Continuous Monitoring. Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol
CSA Star Level Two:
Level Two: CSA STAR Attestation. Requires the release and publication of available results of an assessment carried out by an independent third party based on the CSA CCM and ISO 27001:2013 or an AICPA SOC 3
Step 5 in the risk analysis process
Likelihood Determination
ITIL (Information Technology Infrastructure Library)
Literally a library of open source issues that align to business processes
FIPS 200
Minimum security requirements
NIST 100 IS Handbook
NIST 115 IS Security Testing and Assessment
NIST 119 Guidelines for Secure Deployment of IPv6
NIST 12 Handbook Intro to Computer Security
NIST 122 Protect PII
NIST 13 Telecomm Security Guidelines for Telecomm Mgmt. Network
NIST 137 Information Security Continuous Monitoring (ISCM)
NIST 14 Generally Accepted Principles and Practices Securing Information
NIST 145 Cloud computing
NIST 18 AUP / Rules of Behavior
NIST 30 Risk Management/Assessments
NIST 34 Contingency Planning
NIST 37 Risk Management Framework
NIST 40 Creating a Patch and Vulnerability Management Program
NIST 41 Guidelines on Firewalls and Firewall Policy
NIST 44 Guidelines on Securing Public Web Servers
NIST 45 Guidelines on Electronic Mail Security
NIST 47 Security Guide for Interconnecting IT Systems
NIST 48 Guide to Securing Legacy IEEE 802.11 Wireless Networks
NIST 50 Building an IT Security Awareness and Training Program
NIST 53 Security and Privacy Controls for Federal Information Systems
NIST 54 Border Gateway Protocol Security
NIST 55 Security metrics IS
NIST 57 Recommendation for Key Management
NIST 60 Guide for Mapping Types of Information and Information
NIST 61 Computer Security Incident Handling
NIST 63 Electronic Authentication
NIST 64 Security Considerations in SDLC
NIST 66 Healthcare privacy issues
NIST 800-123
NIST 800-123, titled Guide to General Server Security, assists organizations in understanding the fundamental activities performed as part of securing and maintaining the servers that provide services over network communications as a main function.
NIST 800-53r4
NIST 800-53r4 describes ways to ensure the proper application of appropriate security requirements and security controls to all U.S. federal government information and information management systems.
NIST 82 Guide to Industrial Control Systems (ICS) Security
NIST 83 Guide to Malware Incident Prevention and Handling
NIST 86 Guide to Integrating Forensic Techniques into Incident Response
NIST 88 Media Sanitization
NIST 94 IDS/IPS
SP 800-53
NIST standard that specifies the controls agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002. The control categories (families) are the management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
ISO/IEC 27033
Network Security
ISO/IEC 27034-1
ONF, ANF, and ASMP (application security)
ISO/IEC 27001:2005
Old - outlines steps to create an ISMS (information security management system)
SCA (Stored Communications Act)
Old; part of the Electronic Communications Privacy Act of 1986, which updated the Wiretap Act and the Computer Fraud and Abuse Act
ISO/IEC 27000
Overview and vocabulary
ISO/IEC 27018
Practices for protection of PII in public clouds
FIPS 140-2
Primary goal is to accredit and distinguish secure and well-architected cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.
SABSA
Proven framework and methodology used successfully around the globe to meet a wide variety of enterprise needs including risk management, information assurance, governance, and continuity management. Makes sure security is first. Enables other existing standards to be integrated.
ISO 31000:2009
Provides an international standard for risk management as well as a generic approach to risk management applicable within any industry sector.
NIST SP 800-39
RISK ASSESSMENT: Managing risk from information systems. Structured but flexible guidelines and the flagship of the FISMA publications. FARM = Frame, Assess, Respond, Monitor. Three tiers of risk: 1) organization/governance [strategic], 2) mission/business process, 3) information system/operations [tactical]
NIST SP 800-37
RISK MANAGEMENT FRAMEWORK. Management is consistent with objectives/strategy. Integrated into the SDLC. Start with FIPS 199 and SP 800-60. SLC = Categorize, Select, Implement, Assess, Authorize, Monitor
ISO/IEC 17789:2014
ROLES! Cloud computing reference architecture: roles, activities, functional components, and relationships
NIST SP 800-146
Recommendations for cloud computing
Step 9 in the risk analysis process
Results Documentation
Step 7 in the risk analysis process
Risk Determination
NIST 800-30
Risk Management Guide for Information Technology
CSA Cloud Controls Matrix
Risk management tool. List of controls to get assurance from the provider
ISO/IEC 31000:2009
Risk Management guide and framework (RMF) to design and implement a risk management program. 11 principles. Protect value, all aspects of organization, part of all org decisions, RM mitigates uncertainty, integrated efficiently with processes, uses accurate data, tailored to business needs, include human elements, transparent, flexible, continual improvements.
Security Enterprise Architecture Development
SABSA model (Sherwood Applied Business Security Architecture)
Secure KVM
Secure data ports, tamper labels, fixed firmware, soldered circuits, reduced buffers, air-gapped buttons
NIST 800-37 Step 3
Security Accreditation Phase - Decision to accept the risk is made and documented by the approving authority.
NIST 800-37 Step 2
Security Certification Phase - security of the system is assessed and documented.
SABSA (Sherwood Applied Business Security Architecture)
Security capabilities from a business perspective
SOC 2
Security is mandatory. SOC 2 reports are relevant to a user entity's internal controls over the five security principles of Security, Processing Integrity, Availability, Confidentiality, and Privacy.
Sherwood Applied Business Security Architecture (SABSA) Framework
Sherwood Applied Business Security Architecture (SABSA) Framework - Chain of traceability
Six Sigma
Six Sigma: Business management strategy that can be used to carry out process improvement
ISO/IEC 27001
Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system
Payment Card Industry Data Security Standard (PCI DSS)
Standard for Payment Card Industry (Not a US Law). PCI DSS allows for cardholder information at rest to be secured with either tokenization or encryption, but the use of one is mandatory.
FIPS 140-2
Standard for cryptography of hardware and software. (Cloud and non-cloud) Levels 1-4 (1-lowest, 4-Highest)
ISO/IEC 27050:2016
Standard for eDiscovery processes and best practices. Process = identification, preservation, collection, processing, review, analysis, and production. Data is produced, stored, shared, and destroyed.
ISO/IEC Common Criteria standard 15408
Standard of EALs (evaluation assurance levels) for organizations to make PP (protection profile) claims for their SFRs (security functional requirements) and SARs (security assurance requirements). EAL1 = functionally tested, EAL2 = structurally tested, EAL3 = methodically tested ... EAL7 = formally verified design and tested
ISO/IEC 27017:2015
Standards for information security controls which influence other regulations
ISO/IEC 28000:2007
Supply chain
Step 1 in the risk analysis process
System Characterization
TOGAF
TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
ISO/IEC 27011
Telecommunications organizations
ISO/IEC 17788:2014
Terms and definitions for cloud computing
MODAF
The British Ministry of Defence Architecture Framework (MODAF) is an architecture framework which defines a standardised way of conducting enterprise architecture, originally developed by the UK Ministry of Defence.
Capability Maturity Model Integration (CMMI)
The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.
DoDAF
The Department of Defense Architecture Framework (DoDAF) is an architecture framework for the United States Department of Defense (DoD) that provides visualization infrastructure for specific stakeholders' concerns through viewpoints organized by various views.
The European Union Data Protection Regulation of 2012 (EUGDP 2012)
The European Union Data Protection Regulation of 2012 (EUGDP 2012) introduced significant changes for data processors and controllers operating in and across the EU. Some of those changes included the concept of consent, transfers abroad, the right to be forgotten, establishment of the data protection officer, home state regulation, and increased sanctions.
FISMA
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.
the Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States.
ISO 27001
ISO 27001 defines the cycle of the information security management system (ISMS) as PDCA: Plan-Do-Check-Act.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of practices that focus on aligning IT services with business needs. Information Technology operation and support (ITOS)
SOC 2 Report
The SOC 2 reports are composed of five principles: confidentiality, processing integrity, availability, privacy, and security. If a principle other than security is desired, the security principle must also be included, as it is required for all reports.
DoDAF
The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes. It is not only important that these different devices communicate using the same protocol types and interoperable software components, but also that they use the same data elements.
top-down approach
The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.
Step 2 in the risk analysis process
Threat Identification
Total Quality Management (TQM)
Total Quality Management (TQM) hit the business sector in the 1980s. It was developed by Motorola with the goal of identifying and removing defects in its manufacturing processes.
COSO
Treadway Commission, 1985; created to deal with fraudulent financial activities and reporting. Components: control environment, risk assessment, control activities, information and communication, and monitoring
COBIT (Control Objectives for Information and related Technology)
Used to help management align business goals with information technology and better manage risk. Establishes common ways of working, using common terminology, and adapts to support business needs
Step 3 in the risk analysis process
Vulnerability Identification
certifications
With a cloud customer having very limited insight into the configuration and operational practices of a cloud provider, certifications are often used to provide assurances that standards are being met, as well as specifics in regard to minimum settings and protection standards. With certification programs publishing publicly available standards and frameworks, having an independently verified audit to show adherence can provide a cloud customer with confidence in the cloud provider's practices; this can also serve as a means of compliance with their own regulations.
SaaS (Software as a Service)
Within a Software as a Service (SaaS) implementation, cloud customers are acquiring and paying for services that are explicitly tied to the use of a fully operational application package that is completely designed, maintained, and implemented by the cloud provider. Billing is often measured based on the number of users or the number of transactions the organization does with the application, rather than the traditional computing resources associated with other service categories. A Software as a Service (SaaS) solution will typically have the highest startup and licensing costs, as the customer is buying a fully developed, integrated, secured, and production-ready software application.
Zachman Framework
Zachman Framework - not specific to security architecture
Enterprise Architecture Development
Zachman framework
gap analysis
a marketing research method that measures the difference between a customer's expectation of a service quality and what actually occurred
Elasticity
a measure of the responsiveness of quantity demanded or quantity supplied to a change in one of its determinants
Safe Harbor Program
a private self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legislation but does not involve government regulation or enforcement
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
On-demand self-service
consumers can obtain computing capabilities such as server time or network storage as needed automatically on their own
COBIT 5 (2012)
control objectives for information and related technologies. Global. By ISACA (info systm audit and control assoc)
MODAF
crux of the framework is to be able to get data in the right format to the right people as soon as possible. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.
eDiscovery
eDiscovery is the process that requires searching, identifying, collecting, and securing electronic data or records, typically to be used for criminal or civil legal matters. It is similar to the discovery process typically used for evidence collection or document production in the course of a legal inquiry, just specifically focused on electronic records and the particular needs and processes required for them.
Plan - Do - Check - Act (PDCA)
Plan: establishing objectives and making plans. Do: implementation of the plans. Check: measuring results to understand if objectives are met. Act: direction on how to correct and improve plans to better achieve success.
ISO/IEC 27015
financial sector
ISO/IEC 27799
health organizations
The Cloud Certification Schemes List (CCSL)
provides an overview of different existing certification schemes. It describes the main characteristics relevant to cloud computing and cloud computing customers. It also attempts to answer questions such as the following in an effort to provide the customer with adequate knowledge in order to make a well-informed decision about a cloud provider:
Common criteria assurance framework (ISO/IEC 15408-1:2009)
yet another international standard designed to provide assurances for security claims by vendors. It establishes a common criterion for evaluating those items.