Controls, Frameworks, Laws

COBIT 4.1

Framework for IT Governance and Control Information Assurance

OCED

Organization for Economic Co-operation and Development - privacy Principles

ISO 27033

(-1 thru -6)

Quantitative Risk Equation

Annualized rate of occurrence x Single loss expectancy = annual loss expectancy (ARO x SLE = ALE)

NIST SP 800-50

Building an Information Technology Security Awareness and Training Program provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA)

ISO 22301

Business Continuity Management Systems

ISO 22313

Business continuity management systems — Guidance for business continuity management systems provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.

ISO 22317

Business continuity management systems — Guidelines for business impact analysis (BIA) provides guidance for an organization to establish, implement, and maintain a formal and documented business impact analysis (BIA) process. This Technical Specification does not prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process that is appropriate to its needs.

ISO 22318

Business continuity management systems — Guidelines for supply chain continuity gives guidance on methods for understanding and extending the principles of BCM embodied in ISO 22301 and ISO 22313 to the management of supplier relationships.

ISO 27034-1

Application security — Part 1: Overview and concepts provides guidance to assist organizations in integrating security into the processes used for managing their applications.

OSI Model Protocol Stack: 7 layers

Application, Presentation, Session, Transport, Network, Data, Physical

TCP/IP Protocol Stack

Application, Transport, Internetwork (Internet), Link, Physical layer (Network Access)

NIST SP 800-53A

Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4.

ASD ISM

Australian Signals Directorate: Information Security Manual to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.

IEEE 802.1AF

Authentication for Keys at MAC session security Confidentiality of data

NIST SP 800-160 Vol. II

Developing Cyber Resilient Systems [draft] can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose.

NIST SP 800-60

Guide for Mapping Types of Information and Information Systems to Security Categories (Vol. II is Appendix) addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems.

GDPR

General Data Protection Regulation EU law on data protection and privacy for all individuals within nEU as well as the European Economic Area. The primary purpose of GDPR is to give back control of personal data to citizens and residents. Contains providions and requirements controlling the processing of PII.

ISO 27014

Governance of information security provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization.

NIST SP 800-167

Guide for Application Whitelisting to assist organizations in understanding the basics of application whitelisting (also known as application control). All other forms of whitelisting, such as email, network traffic, and mobile code whitelisting, are out of the scope of this publication.

NIST 800-30

Guide for Conducting Risk Assessments this document provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and how risk assessments and other organizational risk management processes complement and inform each other. This publication also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.

NIST SP 800-18

Guide for Developing Security Plans for Federal Information Systems This document provides guidance for federal agencies for developing system security plans for federal information systems. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

ISO 27037

Guidelines for identification, collection, acquisition and preservation of digital evidence provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

ISO 27031

Guidelines for information and communication technology readiness for business continuity describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.

ISO 27008

Guidelines for the assessment of information security controls provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organization. This document offers guidance on how to review and assess information security controls.

NIST SP 800-144

Guidelines on Security and Privacy in Public Cloud Computing provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.

IEEE 802.1AS

Hardware stack that enables the simple and rapid development of time-aware nodes

HITECH

Health Information Technology for Economic and Clinical Health Act created to promote the adoption and meaningful use of health information technology. This law significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It also expands the scope and privacy and security protections available under HIPAA, increases the potential legal liability for noncompliance, and provides for more enforcement.

HIPAA

Health Insurance Portability and Accountability Act improves the efficiency and effectiveness of the US healthcare system by requiring the adoption of national standards for electronic healthcare transactions and code sets.

NIST SP 800-137

Information Security Continuous Monitoring for Federal Information Systems and Organizations Ongoing monitoring is a critical part of that risk management process. In addition, an organization's overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur.

ISF

Information Security Forum Standard of Good Practice for Information Security provides business-orientated focus on current and emerging information security topics. This includes enhanced coverage of the following hot topics: Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy and threat Intelligence.

NIST SP 800-100

Information Security Handbook: A Guide for Managers provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.

NIST SP 800-39

Managing Information Security Risk: Organization, Mission, and Information System View the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of this publication is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.

ISO 27017

Code of practice for information security controls based on ISO/IEC 27002 for cloud services gives guidelines for information security controls applicable to the provision and use of cloud services.

ISO 27018

Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

COSO

Committee of Sponsoring Organizations

NIST 800-61

Computer Security Incident Handling Guide assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

Qualitative Risk Equation

Mapping the perceived impact to a risk rating less accurate but uses interrelated elements

IEEE 802.1AE

Media Access Control (MAC) Security

FIPS 200

Minimum Security Requirements for Federal Information and Information Systems FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.

NIST SP 800-34

Contingency Planning Guide for Federal Information Systems provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods. This guide addresses specific contingency planning recommendations for three platform types and provides strategies and techniques common to all systems.

NIST SP 800-70

National Checklist Program for IT Products: Guidelines for Checklist Users and Developers [This does not appear on the NIST SP 800 page, OBSOLETED on February 15, 2018.] A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.

NIST SP 800-181

National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), a reference structure that describes the interdisciplinary nature of the cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent.

NERC-CIP

North American Electric Reliability Corporation (NERC) critical infrastructure compliance The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces Reliability Standards; annually assesses seasonal and long‐term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC's area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people.

IEEE 802.1AH

On Provider Backbone Bridges

OWASP

Open Web Application Security Project (OWASP) a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide.

PCI DSS

Payment Card Industry Data Security Standard developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Provides a baseline of technical and operational requirements designed to protect account data. Applies to all entities involved in payment card processing, including merchants, processors, acquires, issuers, and service providers.

NIST SP 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.

ISO 9000

Quality Management this family of standards addresses various aspects of quality management and contains some of ISO's best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer's requirements, and that quality is consistently improved.

NIST SP 800-67

Recommendation for the Triple Data Encryption Algorithm Block Cipher This Recommendation provides a description of a mathematical algorithm for cryptographically protecting binary coded information (e.g., using encryption and authentication). The algorithm described in this Recommendation specifies cryptographic operations that are based on a binary number called a key.

RMF

Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.

NIST SP 800-37

Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.

ISO 31000

Risk management - Guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.

FIPS 199

Standards for Security Categorization of Federal Information and Information Systems Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines. This publication addresses the first task cited—to develop standards for categorizing information and information systems.

SSAE 16

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization the authoritative guidance for reporting on service organizations. Formally issued in April 2010 and became effective on June 15, 2011. Drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard - ISAE 3402. Establishes a new Attestation Standard called AT 801 which contains guidance for performing the service auditor's examination.

NIST SP 800-160 Vol. I

Systems Security Engineering addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.

IEEE 802.1AR

Secure Device Identity

NIST SP 800-64

Security Considerations in the System Development Life Cycle (Withdrawn on May 31, 2019.) The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the System Development Life Cycle (SDLC).

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities—including a robust planning process, root cause analysis, and tailored reporting—are also presented in this guide.

NIST SP 800-26

Security Self-Assessment Guide for Information Technology Systems (Withdrawn on December 19, 2007. Superseded by FIPS 200; SP 800-53A; SP 800-53 Rev. 1) This self-assessment guide utilizes an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. The guide does not establish new security requirements. The control objectives and techniques are abstracted directly from long-standing requirements found in statute, policy, and guidance on security.

NIST SP 800-53

Security and Privacy Controls for Federal Information Systems and Organizations provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk.

NIST SP 800-114

User's Guide to Telework and Bring Your Own Device (BYOD) Security provides recommendations for securing BYOD devices used for telework and remote access, as well as those directly attached to the enterprise's own networks.

SABSA

Sherwood Applied Business Security Architecture enterprise needs SABSA is a proven methodology for developing business-driven, risk and opportunity focused Security Architectures at both enterprise and solutions level that traceably support business objectives. It is also widely used for Information Assurance Architectures, Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks.

Zachman Framework

an enterprise ontology and is a fundamental structure for Enterprise Architecture which provides a formal and structured way of viewing and defining an enterprise. The ontology is a two dimensional classification schema that reflects the intersection between two historical classifications. The first are primitive interrogatives: What, How, When, Who, Where, and Why. The second is derived from the philosophical concept of reification, the transformation of an abstract idea into an instantiation. The reification transformations are: Identification, Definition, Representation, Specification, Configuration and Instantiation

COBIT 5

2019 Framework: Governance and Management Objectives a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. Enterprise IT means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise IT is not limited to the IT department of an organization, but certainly includes it.

CIS Controls

Center for Internet Security Critical Security Controls for Effective Cyber Defense a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. Basic CIS Controls 1. Inventory and Control of Hardware Assets 2. Inventory and Control of Software Assets 3. Continuous Vulnerability Management 4. Controlled Use of Administrative Privileges 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers 6. Maintenance, Monitoring and Analysis of Audit Logs Foundational CIS Controls 7. Email and Web Browser Protections 8. Malware Defenses 9. Limitation and Control of Network Ports, Protocols and Services 10. Data Recovery Capabilities 11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches 12. Boundary Defense 13. Data Protection 14. Controlled Access Based on the Need to Know 15. Wireless Access Control 16. Account Monitoring and Control Organizational CIS Controls 17. Implement a Security Awareness and Training Program 18. Application Software Security 19. Incident Response and Management 20. Penetration Tests and Red Team Exercises

FFIEC

Federal Financial Institutions Examination Council (FFIEC) The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.

FISMA

Federal Information Security Modernization Act codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices.

NIST 800-40

Guide to Enterprise Patch Management Technologies to assist organizations in understanding the basics of enterprise patch management technologies. This publication is based on the assumption that the organization has a mature patch management capability and is focused on increasing its automation level.

NIST SP 800-86

Guide to Integrating Forensic Techniques into Incident Response provides detailed information on establishing a forensic capability, including the development of policies and procedures. Its focus is primarily on using forensic techniques to assist with computer security incident response, but much of the material is also applicable to other situations.

NIST SP 800-122

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies,5 but other organizations may find portions of the publication useful.

NIST SP 800-125

Guide to Security for Full Virtualization Technologies discusses the security concerns associated with full virtualization technologies for server and desktop virtualization, and provides recommendations for addressing these concerns. Most existing recommended security practices remain applicable in virtual environments.

ISO 27032

Guidelines for Cybersecurity The framework includes — key elements of considerations for establishing trust, — necessary processes for collaboration and information exchange and sharing, as well as — technical requirements for systems integration and interoperability between different stakeholders.

NIST SP 800-124

Guidelines for Managing Security of Mobile Devices in the Enterprise Mobile devices typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. This publication provides recommendations for securing particular types of mobile devices, such as smart phones and tablets (but not laptops).

NIST SP 800-88

Guidelines for Media Sanitization to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.

ISO 27001

INFORMATION SECURITY MANAGEMENT is the best-known standard in the family providing requirements for an information security management system (ISMS).

ISO 27002

IT Security Techniques - Security Controls gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

NIST SP 800-55

Information Security Performance Measurement Guide a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency achieving its mission.

ISO 27005

Information Security Risk Management

ITIL

Information Technology Infrastructure Library a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks, and checklists which are not organization-specific nor technology-specific, but can be applied by an organization toward strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.

ISO 27036-1

Information security for supplier relationships — Part 1: Overview and concepts an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. ISO/IEC 27036-1:2014 addresses perspectives of both acquirers and suppliers.

ISO 27035-1

Information security incident management — Part 1: Principles of incident management the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.

ISO 27799

Information security management in health using ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It defines guidelines to support the interpretation and implementation in health informatics.

ISO 27003

Information security management systems — Guidance provides explanation and guidance on ISO/IEC 27001.

ISO 27004

Information security management — Monitoring, measurement, analysis and evaluation provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system. It establishes: a) the monitoring and measurement of information security performance; b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls; c) the analysis and evaluation of the results of monitoring and measurement.

ISO 27016

Information security management — Organizational economics provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.

NIST SP 800-145

The NIST Definition of Cloud Computing Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.