Controls, Frameworks, Laws
COBIT 4.1
Control Objectives for Information and Related Technologies, version 4.1 (ISACA): a framework for IT governance and control, organized around IT processes and their control objectives; superseded by COBIT 5 and later COBIT 2019.
OECD
Organisation for Economic Co-operation and Development: Privacy Principles (the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, revised 2013).
ISO 27033
Network security (Parts 1 through 6): overview and concepts; guidelines for the design and implementation of network security; reference networking scenarios; securing communications between networks using security gateways; securing communications across networks using VPNs; securing wireless IP network access.
Quantitative Risk Equation
Single loss expectancy x Annualized rate of occurrence = Annualized loss expectancy (SLE x ARO = ALE), where SLE = Asset value x Exposure factor (AV x EF).
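Worked example, added here and not part of the original list: the quantitative risk arithmetic above carried through in Python, extended with the standard safeguard cost/benefit test (ALE before the control minus ALE after it minus the control's annual cost), which the page itself does not state. The asset values, exposure factors and rates are constructed for illustration.

```python
"""Quantitative risk arithmetic: SLE = AV x EF, ALE = SLE x ARO, and the annual
value of a safeguard. Added example; not code from the original page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: the loss from one occurrence (AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, the equation given on the page."""
        if self.aro < 0:
            raise ValueError("annualized rate of occurrence cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - annual cost of control.
    Positive means the control removes more expected loss than it costs; negative
    means it is not worth buying on purely quantitative grounds.
    (Cost/benefit extension; the page states only the ALE equation.)"""
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    # Constructed scenario: a database valued at 200k, total loss from ransomware,
    # expected once every four years (ARO = 0.25).
    before = Exposure(asset_value=200_000, exposure_factor=1.0, aro=0.25)
    # With offline backups and tested restores, the same event costs 10% (downtime).
    after = Exposure(asset_value=200_000, exposure_factor=0.10, aro=0.25)
    print(f"SLE before: {before.sle():,.0f}   ALE before: {before.ale():,.0f}")
    print(f"SLE after:  {after.sle():,.0f}   ALE after:  {after.ale():,.0f}")
    print(f"Value of a 20k/yr backup program: {safeguard_value(before, after, 20_000):,.0f}")
```

Note that the ARO is unchanged in the scenario: backups reduce the exposure factor, not the rate at which ransomware arrives. A control that lowers ARO instead (for example, phishing-resistant MFA) is modelled by changing `aro` and keeping `exposure_factor` fixed.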
NIST SP 800-50
Building an Information Technology Security Awareness and Training Program provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA)
ISO 22301
Business Continuity Management Systems
ISO 22313
Business continuity management systems — Guidance for business continuity management systems provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.
ISO 22317
Business continuity management systems — Guidelines for business impact analysis (BIA) provides guidance for an organization to establish, implement, and maintain a formal and documented business impact analysis (BIA) process. This Technical Specification does not prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process that is appropriate to its needs.
ISO 22318
Business continuity management systems — Guidelines for supply chain continuity gives guidance on methods for understanding and extending the principles of BCM embodied in ISO 22301 and ISO 22313 to the management of supplier relationships.
ISO 27034-1
Application security — Part 1: Overview and concepts provides guidance to assist organizations in integrating security into the processes used for managing their applications.
OSI Model Protocol Stack: 7 layers
Application, Presentation, Session, Transport, Network, Data Link, Physical
TCP/IP Protocol Stack
Application, Transport, Internet (Internetwork), Network Access (Link); five-layer variants split Network Access into Data Link and Physical.
NIST SP 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4.
ASD ISM
Australian Signals Directorate Information Security Manual outlines a cyber security framework that organisations can apply, using their own risk management framework, to protect their systems and information from cyber threats.
IEEE 802.1AF
MAC Key Security: key agreement for MACsec (IEEE 802.1AE) sessions; the 802.1af project was folded into IEEE 802.1X-2010 as the MACsec Key Agreement (MKA) protocol.
NIST SP 800-160 Vol. II
Developing Cyber Resilient Systems [draft] can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose.
NIST SP 800-60
Guide for Mapping Types of Information and Information Systems to Security Categories (Vol. II is Appendix) addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems.
GDPR
General Data Protection Regulation: EU law on data protection and privacy for all individuals within the EU and the European Economic Area. The primary purpose of GDPR is to give control of personal data back to citizens and residents. Contains provisions and requirements controlling the processing of PII.
ISO 27014
Governance of information security provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization.
NIST SP 800-167
Guide for Application Whitelisting to assist organizations in understanding the basics of application whitelisting (also known as application control). All other forms of whitelisting, such as email, network traffic, and mobile code whitelisting, are out of the scope of this publication.
NIST SP 800-30
Guide for Conducting Risk Assessments provides guidance for carrying out each of the steps in the risk assessment process (i.e., preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment) and explains how risk assessments and other organizational risk management processes complement and inform each other. This publication also provides guidance to organizations on identifying specific risk factors to monitor on an ongoing basis, so that organizations can determine whether risks have increased to unacceptable levels (i.e., exceeding organizational risk tolerance) and different courses of action should be taken.
NIST SP 800-18
Guide for Developing Security Plans for Federal Information Systems provides guidance for federal agencies on developing system security plans for federal information systems. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.
ISO 27037
Guidelines for identification, collection, acquisition and preservation of digital evidence provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.
ISO 27031
Guidelines for information and communication technology readiness for business continuity describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity.
ISO 27008
Guidelines for the assessment of information security controls provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, against the information security requirements established by the organization.
NIST SP 800-144
Guidelines on Security and Privacy in Public Cloud Computing provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.
IEEE 802.1AS
Timing and Synchronization for Time-Sensitive Applications: a profile of the Precision Time Protocol (generalized PTP, gPTP) that synchronizes clocks across bridged networks for time-sensitive networking.
HITECH
Health Information Technology for Economic and Clinical Health Act was created to promote the adoption and meaningful use of health information technology. This law significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It also expands the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for noncompliance, and provides for more enforcement.
HIPAA
Health Insurance Portability and Accountability Act improves the efficiency and effectiveness of the US healthcare system by requiring the adoption of national standards for electronic healthcare transactions and code sets.
NIST SP 800-137
Information Security Continuous Monitoring for Federal Information Systems and Organizations: ongoing monitoring is a critical part of the organizational risk management process. In addition, an organization's overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur.
ISF
Information Security Forum Standard of Good Practice for Information Security provides business-orientated focus on current and emerging information security topics. This includes enhanced coverage of the following hot topics: Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy and threat Intelligence.
NIST SP 800-100
Information Security Handbook: A Guide for Managers provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
NIST SP 800-39
Managing Information Security Risk: Organization, Mission, and Information System View the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of this publication is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
ISO 27017
Code of practice for information security controls based on ISO/IEC 27002 for cloud services gives guidelines for information security controls applicable to the provision and use of cloud services.
ISO 27018
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
COSO
Committee of Sponsoring Organizations of the Treadway Commission: publishes the Internal Control - Integrated Framework and the Enterprise Risk Management framework, widely used as the internal-control basis for SOX compliance.
NIST SP 800-61
Computer Security Incident Handling Guide assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Qualitative Risk Equation
Rates likelihood and impact on ordinal scales (e.g., low/medium/high) and maps the pair to a risk rating; less precise than the quantitative approach because it does not produce a monetary figure, but usable where asset values, exposure factors, or occurrence rates cannot be reliably estimated.
IEEE 802.1AE
Media Access Control (MAC) Security (MACsec): hop-by-hop confidentiality and integrity protection of Ethernet frames at Layer 2.
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.
NIST SP 800-34
Contingency Planning Guide for Federal Information Systems provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods. This guide addresses specific contingency planning recommendations for three platform types and provides strategies and techniques common to all systems.
NIST SP 800-70
National Checklist Program for IT Products: Guidelines for Checklist Users and Developers [This does not appear on the NIST SP 800 page, OBSOLETED on February 15, 2018.] A security configuration checklist is a document that contains instructions or procedures for configuring an information technology (IT) product to an operational environment, for verifying that the product has been configured properly, and/or for identifying unauthorized changes to the product. Using these checklists can minimize the attack surface, reduce vulnerabilities, lessen the impact of successful attacks, and identify changes that might otherwise go undetected. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP.
NIST SP 800-181
National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), a reference structure that describes the interdisciplinary nature of the cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent.
NERC-CIP
North American Electric Reliability Corporation (NERC) critical infrastructure compliance The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the grid. NERC develops and enforces Reliability Standards; annually assesses seasonal and long‐term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel. NERC's area of responsibility spans the continental United States, Canada, and the northern portion of Baja California, Mexico. NERC is the electric reliability organization (ERO) for North America, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC's jurisdiction includes users, owners, and operators of the bulk power system, which serves more than 334 million people.
IEEE 802.1AH
Provider Backbone Bridges (PBB, "MAC-in-MAC"): encapsulation of customer Ethernet frames inside a provider backbone MAC header.
OWASP
Open Web Application Security Project (OWASP): a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP provides impartial, practical information about AppSec to individuals, corporations, universities, government agencies, and other organizations worldwide.
PCI DSS
Payment Card Industry Data Security Standard developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Provides a baseline of technical and operational requirements designed to protect account data. Applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.
NIST SP 800-171
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.
ISO 9000
Quality Management: this family of standards addresses various aspects of quality management and contains some of ISO's best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customers' requirements, and that quality is consistently improved.
NIST SP 800-67
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher describes the 3DES algorithm for cryptographically protecting binary coded information; its operations are based on a binary number called a key. Note that NIST has since deprecated TDEA (SP 800-131A Rev. 2 disallows it for encryption after 2023), and SP 800-67 Rev. 2 limits each key to 2^20 blocks; new designs should use AES.
RMF
Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations.
NIST SP 800-37
Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.
ISO 31000
Risk management - Guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
FIPS 199
Standards for Security Categorization of Federal Information and Information Systems Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines. This publication addresses the first task cited—to develop standards for categorizing information and information systems.
SSAE 16
Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization: the authoritative US guidance for reporting on service organizations (SOC 1 reports). Issued in April 2010 and effective June 15, 2011. Drafted to update the US service organization reporting standard so that it mirrors and complies with the international standard ISAE 3402. Established a new attestation standard, AT 801, containing guidance for performing the service auditor's examination. Superseded by SSAE 18 (effective May 1, 2017).
NIST SP 800-160 Vol. I
Systems Security Engineering addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.
IEEE 802.1AR
Secure Device Identity (DevID): X.509-based per-device identity credentials, typically bound to hardware, used to authenticate network devices (e.g., as the supplicant credential in 802.1X).
NIST SP 800-64
Security Considerations in the System Development Life Cycle (Withdrawn on May 31, 2019.) The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the System Development Life Cycle (SDLC).
NIST SP 800-115
Technical Guide to Information Security Testing and Assessment a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities—including a robust planning process, root cause analysis, and tailored reporting—are also presented in this guide.
NIST SP 800-26
Security Self-Assessment Guide for Information Technology Systems (Withdrawn on December 19, 2007. Superseded by FIPS 200; SP 800-53A; SP 800-53 Rev. 1) This self-assessment guide utilizes an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. The guide does not establish new security requirements. The control objectives and techniques are abstracted directly from long-standing requirements found in statute, policy, and guidance on security.
NIST SP 800-53
Security and Privacy Controls for Federal Information Systems and Organizations provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk.
NIST SP 800-114
User's Guide to Telework and Bring Your Own Device (BYOD) Security provides recommendations for securing BYOD devices used for telework and remote access, as well as those directly attached to the enterprise's own networks.
SABSA
Sherwood Applied Business Security Architecture: a methodology for developing business-driven, risk and opportunity focused security architectures at both enterprise and solution level that traceably support business objectives. It is also widely used for information assurance architectures and risk management frameworks, and to align and integrate security and risk management into IT architecture methods and frameworks.
Zachman Framework
an enterprise ontology and is a fundamental structure for Enterprise Architecture which provides a formal and structured way of viewing and defining an enterprise. The ontology is a two dimensional classification schema that reflects the intersection between two historical classifications. The first are primitive interrogatives: What, How, When, Who, Where, and Why. The second is derived from the philosophical concept of reification, the transformation of an abstract idea into an instantiation. The reification transformations are: Identification, Definition, Representation, Specification, Configuration and Instantiation
COBIT 5 / COBIT 2019
COBIT 5 (2012) and its successor COBIT 2019 (Framework: Governance and Management Objectives) provide a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. Enterprise IT means all the technology and information processing the enterprise puts in place to achieve its goals, regardless of where this happens in the enterprise. In other words, enterprise IT is not limited to the IT department of an organization, but certainly includes it.
CIS Controls
Center for Internet Security Critical Security Controls for Effective Cyber Defense: a prioritized, recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. The list below is version 7 (20 controls in three groups); version 8 (2021) consolidated them into 18 controls and dropped the grouping.
Basic CIS Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Organizational CIS Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
FFIEC
Federal Financial Institutions Examination Council (FFIEC) The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.
FISMA
Federal Information Security Modernization Act codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. The legislation provides the Department authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices.
NIST SP 800-40
Guide to Enterprise Patch Management Technologies to assist organizations in understanding the basics of enterprise patch management technologies. This publication is based on the assumption that the organization has a mature patch management capability and is focused on increasing its automation level.
NIST SP 800-86
Guide to Integrating Forensic Techniques into Incident Response provides detailed information on establishing a forensic capability, including the development of policies and procedures. Its focus is primarily on using forensic techniques to assist with computer security incident response, but much of the material is also applicable to other situations.
NIST SP 800-122
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful.
NIST SP 800-125
Guide to Security for Full Virtualization Technologies discusses the security concerns associated with full virtualization technologies for server and desktop virtualization, and provides recommendations for addressing these concerns. Most existing recommended security practices remain applicable in virtual environments.
ISO 27032
Guidelines for Cybersecurity The framework includes — key elements of considerations for establishing trust, — necessary processes for collaboration and information exchange and sharing, as well as — technical requirements for systems integration and interoperability between different stakeholders.
NIST SP 800-124
Guidelines for Managing Security of Mobile Devices in the Enterprise Mobile devices typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats. This publication provides recommendations for securing particular types of mobile devices, such as smart phones and tablets (but not laptops).
NIST SP 800-88
Guidelines for Media Sanitization to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.
ISO 27001
Information security management systems - Requirements: the best-known standard in the family, providing the requirements for an information security management system (ISMS).
ISO 27002
IT Security Techniques - Security Controls gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
NIST SP 800-55
Information Security Performance Measurement Guide a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data—providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency achieving its mission.
ISO 27005
Information security risk management: guidelines supporting the risk management requirements of ISO/IEC 27001 (context establishment, risk assessment, risk treatment, risk acceptance, risk communication, and monitoring and review).
ITIL
Information Technology Infrastructure Library a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks, and checklists which are not organization-specific nor technology-specific, but can be applied by an organization toward strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.
ISO 27036-1
Information security for supplier relationships — Part 1: Overview and concepts an introductory part of ISO/IEC 27036. It provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It also introduces concepts that are described in detail in the other parts of ISO/IEC 27036. ISO/IEC 27036-1:2014 addresses perspectives of both acquirers and suppliers.
ISO 27035-1
Information security incident management — Part 1: Principles of incident management the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.
ISO 27799
Information security management in health using ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It defines guidelines to support the interpretation and implementation in health informatics.
ISO 27003
Information security management systems — Guidance provides explanation and guidance on ISO/IEC 27001.
ISO 27004
Information security management — Monitoring, measurement, analysis and evaluation provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system. It establishes: a) the monitoring and measurement of information security performance; b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls; c) the analysis and evaluation of the results of monitoring and measurement.
ISO 27016
Information security management — Organizational economics provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.
NIST SP 800-145
The NIST Definition of Cloud Computing Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.