Framework


A framework is a collection of guidelines, best practices, or policies that a third party develops for other organizations to adopt.

  • may be created in response to a regulation for compliance purposes
  • e.g.

Security Frameworks

  • The CIS Critical Security Controls (CIS Controls, formerly CSC) is a security framework of recommended, prioritized security controls organized into 18 control areas (as of version 8).
  • The NIST Risk Management Framework (RMF) is a security framework that U.S. federal (public sector) organizations are required to follow; it defines a systematic process for addressing the risks facing an organization, known as risk management.
  • The NIST Cybersecurity Framework (CSF) is a voluntary NIST security framework consisting of resources for implementing cybersecurity risk management, aimed primarily at private sector organizations.
  • The CSA Cloud Controls Matrix (CCM) is a Cloud Security Alliance framework of recommended security controls for cloud computing, with responsibility for each control mapped to the cloud provider or the cloud customer.
  • The CSA Enterprise Architecture (EA) reference guide is a CSA security framework used to align organizational goals with recommended cloud infrastructure security controls.

ISO/IEC Standards and Frameworks

A standard co-developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) is referred to as an ISO/IEC standard.

  • ISO/IEC 27001 is a security standard and framework for implementing an information security management system (ISMS) in public and private sector organizations; it is the standard an organization is certified against.
  • ISO/IEC 27002 is a security standard (a code of practice) that guides the implementation of the information security controls within an ISMS for public and private sector organizations; organizations are not certified against it.
  • ISO/IEC 27701 is a security standard and framework that extends ISO/IEC 27001 and 27002 for implementing a privacy information management system (PIMS) in public and private sector organizations.
  • ISO 31000 is a standard and framework used to implement risk management; it is published by ISO alone, not co-developed with IEC, and is not security-specific.

System and Organizational Control (SOC) Reports

The American Institute of Certified Public Accountants (AICPA) developed System and Organization Controls (SOC) reports to give a user entity independent assurance about the controls a service entity operates over the user entity's data and financial information.

  • A user entity is an organization that engages another organization, the service entity (or service organization), to perform services on its behalf, such as processing certain financial transactions.
  • SOC engagements are performed by independent CPA firms under the AICPA attestation standard Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

Types

SOC 2 reports on a service entity's controls relevant to the AICPA Trust Services Criteria: security (required), and optionally availability, processing integrity, confidentiality, and privacy.

  • two kinds:
    • SOC 2 Type 1 is a point-in-time attestation that reports on whether the service entity's controls are suitably designed as of a specific date
      • often obtained first, as a baseline, before a Type 2 report is pursued
    • SOC 2 Type 2 is an attestation that reports on both the design and the operating effectiveness of the service entity's controls over a review period, typically 6 to 12 months, and is usually renewed annually
  • restricted-use report: available only to the user entity and other specified parties (for example, its auditors), usually under a non-disclosure agreement

SOC 1 focuses on a service entity's controls relevant to a user entity's internal control over financial reporting (ICFR); it also comes in Type 1 and Type 2 forms.

  • restricted-use report: available only to the user entity and its auditors

SOC 3 is a high-level, general-use report that summarizes a service entity's SOC 2 results without the detailed control descriptions and test results.

  • the service entity may publish it freely, so anyone from the general public can obtain it