Infosec Standards & Frameworks -- by Anarki

07-09-2010, 12:04 PM
As we grow and learn in technical stuff, it's equally essential to know about the security frameworks and standards in the industry. This thread will be for queries and contributions to this topic. I will be giving brief info about each standard and framework.

"All of these frameworks supply IT with repeatable processes that are consistent across the various IT functions" and help technology executives provide better service, says Kimberly Sawyer.

But none of the standards alone provides full security. "They contain various information security concepts that must be interpreted, integrated and incorporated into the daily operations. Comprehensive security requires discipline and integration across all aspects of planning, service delivery, risk management architecture, tool selection, policy development and audits."

ISO 27001
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. Its full title is "ISO 27001 (Information Security Management -- Specification With Guidance for Use)". The standard, which is based on an earlier standard, ISO 17799, is designed to help organizations establish and maintain effective information security controls through continual improvement. The standard creates a road map for the secure design, implementation, management and maintenance of IT processes in an organization.

It focuses on the confidentiality, availability and integrity of data, and its key precepts and requirements all appear in regulatory requirements. Implementation of an ISO 27001 framework enables an organization to comply, at one step and subject to specific documentation and working practices tailored for each individual regulation, with all the core requirements of information-related regulation anywhere in the world.

ISO 27001 consists of 11 Security domains, 33 Control Objectives and 133 Security Controls.

COBIT
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management. Developed in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute, COBIT provides a framework for users and for IT, security and auditing managers. It's gaining acceptance as a good practice for controlling data, systems and related risks.

The 4 domains of COBIT are:

Plan & Organize: concerned with identification of the way IT can best contribute to the achievement of business objectives

Acquire & Implement: acquiring, implementing or developing IT solutions to be integrated into the business process

Deliver & Support: delivery of required services, including traditional operations, security and training

Monitor & Evaluate: regular assessment over time for quality and compliance with control requirements