Introduction To Security Frameworks and Controls
Guidelines used for building plans to help mitigate risk and threats to data and privacy.
Purpose of Security Frameworks: protecting PII, securing financial information,
identifying security weaknesses, managing organizational risks, and aligning security with
business goals.
Core Components:
a> Goals: Identifying and documenting security goals.
b> Guidelines: Setting guidelines to achieve security goals
c> Processes: Implementing security processes.
d> Communication: Monitoring and communicating results.
Security Controls: Safeguards designed to reduce specific security risks.
Secure Design:
CIA Triad: A foundational model that helps inform how organizations consider risk when
setting up systems and security policies. Also known as the “foundational cybersecurity
model”.
Data protected by CIA Triad:
a> Confidentiality: Only authorized users can access specific assets or data.
b> Integrity: Data is correct, authentic, and reliable.
c> Availability: Data is accessible to those who are authorized to access it.
Asset: An item perceived as having value to an organization.
NIST Cybersecurity Framework (CSF):
A voluntary framework that consists of standards, guidelines and best practices to
manage cybersecurity risks.
Specific controls, frameworks, and compliance
1. The National Institute of Standards and Technology (NIST) is a U.S.-based agency that
develops multiple voluntary compliance frameworks that organizations worldwide can use
to help manage risk. The more aligned an organization is with compliance, the lower the
risk.
2. Examples of frameworks include the NIST Cybersecurity Framework (CSF) and the NIST Risk
Management Framework (RMF).
3. Note: Specifications and guidelines can change depending on the type of organization you
work for.
4. In addition to the NIST CSF and NIST RMF, there are several other controls, frameworks,
and compliance standards that are important for security professionals to be familiar with
to help keep organizations and the people they serve safe.
The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
5. FERC-NERC is a regulation that applies to organizations that work with electricity or that
are involved with the U.S. and North American power grid. These types of organizations
have an obligation to prepare for, mitigate, and report any potential security incident that
can negatively affect the power grid. They are also legally required to adhere to the Critical
Infrastructure Protection (CIP) Reliability Standards defined by the FERC.
The Federal Risk and Authorization Management Program (FedRAMP®)
6. FedRAMP is a U.S. federal government program that standardizes security assessment,
authorization, monitoring, and handling of cloud services and product offerings. Its purpose
is to provide consistency across the government sector and third-party cloud providers.
Center for Internet Security (CIS®)
7. CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be
used to safeguard systems and networks against attacks. Its purpose is to help
organizations establish a better plan of defense. CIS also provides actionable controls that
security professionals may follow if a security incident occurs.
General Data Protection Regulation (GDPR)
8. GDPR is a European Union (E.U.) general data regulation that protects the processing of
E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an
organization is not being transparent about the data they are holding about an E.U. citizen
and why they are holding that data, this is an infringement that can result in a fine to the
organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised,
they must be informed. The affected organization has 72 hours to notify the E.U. citizen
about the breach.
Payment Card Industry Data Security Standard (PCI DSS)
9. PCI DSS is an international security standard meant to ensure that organizations storing,
accepting, processing, and transmitting credit card information do so in a secure
environment. The objective of this compliance standard is to reduce credit card fraud.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information.
This law prohibits patient information from being shared without their consent. It is
governed by three rules: 1. Privacy, 2. Security, 3. Breach notification.
10. Organizations that store patient data have a legal obligation to inform patients of a breach
because if patients' Protected Health Information (PHI) is exposed, it can lead to identity
theft and insurance fraud. PHI relates to the past, present, or future physical or mental
health or condition of an individual, whether it’s a plan of care or payments for care. Along
with understanding HIPAA as a law, security professionals also need to be familiar with the
Health Information Trust Alliance (HITRUST®), which is a security framework and assurance
program that helps institutions meet HIPAA compliance.
International Organization for Standardization (ISO)
11. ISO was created to establish international standards related to technology, manufacturing,
and management across borders. It helps organizations improve their processes and
procedures for staff retention, planning, waste, and services.
System and Organization Controls (SOC type 1, SOC type 2)
12. The American Institute of Certified Public Accountants® (AICPA) auditing standards board
developed this standard. The SOC1 and SOC2 are a series of reports that focus on an
organization's user access policies at different organizational levels such as:
Associate
Supervisor
Manager
Executive
Vendor
Others
13. They are used to assess an organization’s financial compliance and levels of risk. They also
cover confidentiality, privacy, integrity, availability, security, and overall data safety.
Control failures in these areas can lead to fraud.
14. Pro tip: There are several regulations that are frequently revised. You are encouraged to
keep up to date with changes and explore more frameworks, controls, and compliance.
Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
United States Presidential Executive Order 14028
Key takeaways
15. In this reading you learned more about controls, frameworks, and compliance. You also
learned how they work together to help organizations maintain a low level of risk.
16. As a security analyst, it’s important to stay up to date on common frameworks, controls,
and compliance regulations and be aware of changes to the cybersecurity landscape to
help ensure the safety of both organizations and people.
Ethics in Cybersecurity:
Security Ethics: These are guidelines for making appropriate decisions as a security
professional.
Ethical principles in Security:
a> Confidentiality: It means that only authorized users can access specific assets or
data. Confidentiality as it relates to professional ethics means that there needs
to be a high level of respect for privacy to safeguard private assets and data.
b> Privacy protection: It means safeguarding personal information from
unauthorized use.
c> Laws: These are the rules that are recognized by a community and enforced by a
governing entity.
Important Cybersecurity Tools: