Security Frameworks Governance

The document outlines the objectives and importance of security frameworks in enhancing an organization's cybersecurity posture. It details various types of security policies, their benefits, and key elements necessary for effective implementation. Additionally, it emphasizes the need for compliance with regulatory standards and provides guidance on creating a cybersecurity policy for small businesses.

Uploaded by grantndonji

Security Frameworks

Governance
Week Two

Mr Kazeze
[email protected]
Objectives

By the end of this session the student should be able to:
• Explain what a security framework is
• Outline types of security frameworks
• Define what a security policy is and its types
• Build a simple security policy
What is a Security Framework?

• A security framework (also known as a cybersecurity framework) is a collection of well-documented standards, policies, procedures and best practices intended to strengthen an organization’s security posture and reduce risks.
Why are cyber security frameworks important?

• They prevent unauthorized access to information systems and allow you to effectively manage cyber risks.
• A framework is a structured approach offering a systematic method to enhance security measures and mitigate risks.
• It helps the organisation adhere to industry standards and regulations.
• By adhering to the guidelines and best practices outlined by cyber security frameworks, your organisation can strengthen its protection against cyber attacks.
Security Framework Advantages and Benefits

An enterprise security framework serves as the foundation for an organization’s overall information security program.
From a planning and best practices perspective, a security framework can help an organization:
• Establish an overarching security vision and strategy.
• Identify and assess security vulnerabilities, gaps and risks.
• Define a security architecture and functional components.
• Specify and prioritize specific functional requirements.
• Evaluate security solution vendors and service providers.
• Establish security best practices for employees, business partners and
customers.
• Provide a common vocabulary for discussing security issues, both
internally and externally.
• Save time and effort by leveraging public resources, industry expertise
Benefits of Security Frameworks
From a cybersecurity risk management perspective, a
security framework can help an organization:
• Increase cyber resiliency and readiness.
• Defend against data theft, malicious attacks,
ransomware and other threats.
• Demonstrate compliance with industry and government
regulations.
• Avoid fines, lawsuits and reputational damage.
• Instill customer confidence.
• Reduce cyber insurance costs and coverage denials.
• Reduce exposure by implementing field-proven,
universally accepted, widely adopted approaches.
• Avoid multivendor interoperability issues.
Top Cybersecurity Frameworks
• Security frameworks provide structured guidelines for managing security risks within an organization.
• Key industry-standard frameworks include:
1. NIST Cybersecurity Framework 2.0
2. ISO 27001
3. CIS Controls
4. SOC 2
5. PCI-DSS
6. COBIT
7. HITRUST CSF
• Read more: https://www.dataguard.com/cyber-security/framework/
Choosing the Right Cyber Security Framework

• Determine the compliance requirements, data protection needs and specific threats you have encountered.
• Choose a framework that aligns with your business objectives, industry standards, and regulations.
• Conduct a thorough risk assessment to identify the most suitable framework to address your organisation's vulnerabilities and risks.
Regulatory Compliance
• Organizations must comply with various legal and regulatory
requirements to protect data and ensure customer trust.
Some key compliance standards include:
• GDPR (General Data Protection Regulation): A European
regulation that strengthens data privacy and protection for
individuals within the EU.
• HIPAA (Health Insurance Portability and Accountability Act):
Ensures the confidentiality, integrity, and availability of healthcare
data in the U.S.
• PCI-DSS (Payment Card Industry Data Security Standard): A set of security requirements designed to protect payment card data.
Security Policies
What is a Security Policy?
• A security policy (also called an information
security policy or IT security policy) is a document
that spells out the rules, expectations, and overall
approach that an organization uses to maintain
the confidentiality, integrity, and availability of its
data.
• The policy defines the overall strategy and
security stance, with the other documents
helping build structure around that practice.
• A security policy answers the “what” and “why,”
while procedures, standards, and guidelines
answer the “how.”
Key Security Policies
• Key policies include:
• Acceptable Use Policy (AUP): Defines how employees and stakeholders can use organizational resources securely.
• Incident Response Plan (IRP): Outlines steps to detect,
respond to, and recover from security incidents.
• Access Control Policy: Defines how users gain access to
systems and data.
Benefits of Security Policies
• Students to research and state some of the benefits of a security policy.
Types of Security Policies
Program Policy
• Program policies are strategic, high-level blueprints that guide an organization’s information security program. They define the purpose and scope of the program, as well as roles, responsibilities and compliance mechanisms.
Issue-Specific Policy
• Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues relevant to an organization’s workforce, for example a remote work policy or a bring your own device (BYOD) policy.
System-Specific Policy
• A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such as a firewall or web server, or even an individual computer.
Seven Elements of an Effective Security Policy
• An effective security policy should contain the following elements:
• Clear purpose and objectives
• Scope and applicability
• Communicates senior management’s ambitions
• Realistic and enforceable
• Clear definition of terms
• Tailored to the organization’s risks
• Up-to-date information
Security Awareness Training

• Educating employees and stakeholders about cybersecurity best practices is essential.
• Awareness training should include:
Recognizing phishing attacks
Safe password practices
Proper handling of sensitive data
Reporting security incidents
Ten Questions to Ask When Building a Security Policy

1. How will you align your security policy to the business objectives of the organization?
2. Who will I need buy-in from? Is senior management committed?
3. Who is the audience for this policy?
4. What is the policy scope?
5. How will compliance with the policy be monitored and enforced?
6. What regulations apply to your industry? For instance GLBA, HIPAA, Sarbanes-Oxley, etc.
7. What is the organization’s risk appetite?
8. What kind of existing rules, norms, or protocols (both formal and informal) are already present in the organization?
9. How often should the policy be reviewed and updated?
10. How will policy exceptions be handled?
Case Study

• Review the City of Sacramento security policy.
A. State the strengths and weaknesses of this security policy.
B. Outline key security controls from the policy.
Assignment
• Task: Create a cybersecurity policy for a small business that covers
key areas, including:
• Data classification and protection
• Employee access control
• Password management
• Incident response procedures
• Compliance with regulatory requirements
• Submission Requirements: The policy should be 2-3 pages long and
align with at least one industry-standard framework discussed in class.
• Due Date: closes on 4th of March.
