Week 2 Notes

The document discusses how security frameworks and controls work together to mitigate organizational risk. Frameworks provide guidelines for security plans and compliance with laws, while controls are specific safeguards used alongside frameworks. Examples of frameworks include NIST CSF, CTF, and ISO/IEC 27001. Common controls are encryption, authentication, and authorization.

Uploaded by

vaibhavnaik483

The relationship between frameworks and controls

Previously, you learned how organizations use security frameworks and
controls to protect against threats, risks, and vulnerabilities. This included
discussions about the National Institute of Standards and Technology’s (NIST’s) Risk
Management Framework (RMF) and Cybersecurity Framework (CSF), as well as the
confidentiality, integrity, and availability (CIA) triad. In this reading, you will further
explore security frameworks and controls and how they are used together to help
mitigate organizational risk.

Frameworks and controls


Security frameworks are guidelines used for building plans to help mitigate risk and
threats to data and privacy. Frameworks support organizations’ ability to adhere to
compliance laws and regulations. For example, the healthcare industry uses
frameworks to comply with the United States’ Health Insurance Portability and
Accountability Act (HIPAA), which requires that medical professionals keep patient
information safe.

Security controls are safeguards designed to reduce specific security risks. Security
controls are the measures organizations use to lower risk and threats to data and
privacy. For example, a control that can be used alongside frameworks to ensure a
hospital remains compliant with HIPAA is requiring that patients use multi-factor
authentication (MFA) to access their medical records. Using a measure like MFA to
validate someone’s identity is one way to help mitigate potential risks and threats to
private data.

Specific frameworks and controls


There are many different frameworks and controls that organizations can use
to remain compliant with regulations and achieve their security goals. Frameworks
covered in this reading are the Cyber Threat Framework (CTF) and the International
Organization for Standardization/International Electrotechnical Commission
(ISO/IEC) 27001. Several common security controls, used alongside these types of
frameworks, are also explained.

Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was
developed by the U.S. government to provide “a common language for describing
and communicating information about cyber threat activity.” By providing a common
language to communicate information about threat activity, the CTF helps
cybersecurity professionals analyze and share information more efficiently. This
allows organizations to improve their response to the constantly evolving
cybersecurity landscape and threat actors' many tactics and techniques.
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

An internationally recognized and used framework is ISO/IEC 27001. The ISO
27000 family of standards enables organizations of all sectors and sizes to manage
the security of assets, such as financial information, intellectual property, employee
data, and information entrusted to third parties. This framework outlines
requirements for an information security management system, best practices, and
controls that support an organization’s ability to manage risks. Although the ISO/IEC
27001 framework does not require the use of specific controls, it does provide a
collection of controls that organizations can use to improve their security posture.

Controls

Controls are used alongside frameworks to reduce the possibility and impact of a
security threat, risk, or vulnerability. Controls can be physical, technical, and
administrative and are typically used to prevent, detect, or correct security issues.

Examples of physical controls:

 Gates, fences, and locks


 Security guards
 Closed-circuit television (CCTV), surveillance cameras, and motion detectors
 Access cards or badges to enter office spaces

Examples of technical controls:

 Firewalls
 MFA
 Antivirus software

Examples of administrative controls:

 Separation of duties
 Authorization
 Asset classification

Types of Controls:
1. Encryption is the process of converting data from a readable format to an
encoded format. Typically, encryption involves converting data from plaintext
to ciphertext. Ciphertext is the raw, encoded message that's unreadable to
humans and computers. Ciphertext data cannot be read until it's been
decrypted into its original plaintext form. Encryption is used to
ensure confidentiality of sensitive data, such as customers' account
information or social security numbers.
2. Authentication is the process of verifying who someone or something is. A
real-world example of authentication is logging into a website with your
username and password. This basic form of authentication proves that
you know the username and password and should be allowed to access the
website. More advanced methods of authentication, such as multi-factor
authentication, or MFA, challenge the user to demonstrate that they are who
they claim to be by requiring both a password and an additional form of
authentication, like security code or biometrics, such as a fingerprint, voice,
or face scan.

3. Authorization refers to the concept of granting access to specific resources
within a system. Essentially, authorization is used to verify that a person has
permission to access a resource. As an example, if you're working as an
entry-level security analyst for the federal government, you could have
permission to access data through the deep web or other internal data that is
only accessible if you're a federal employee.

To learn more about controls, particularly those used to protect health-related assets
from a variety of threat types, review the U.S. Department of Health and Human
Services’ Physical Access Control presentation.
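The difference between authentication (proving who you are) and authorization (what you are then allowed to do) is easier to see in code than in prose. The following Python example is added here for illustration and is not part of the original notes or of any course material; every name in it (USERS, ROLE_PERMISSIONS, authenticate, authorize, access_resource) is an assumption for this example. It stores a salted PBKDF2 hash rather than the password, checks a second factor, and then applies a least-privilege permission lookup. The MFA code is a fixed constructed value so the example runs offline; a real deployment would use one-time or time-based codes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the original notes. All names below are assumptions.
PBKDF2_ITERATIONS = 200_000  # a high iteration count slows brute-force guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store: username -> salt, hash, current MFA code, role.
_salt, _hash = hash_password("correct horse battery staple")
USERS = {
    "analyst01": {"salt": _salt, "hash": _hash, "mfa_code": "492817", "role": "analyst"},
}

# Least privilege: each role carries only the permissions its work needs.
ROLE_PERMISSIONS = {
    "analyst": {"logs:read", "alerts:read"},
    "admin": {"logs:read", "alerts:read", "users:write"},
}


def authenticate(username: str, password: str, mfa_code: str) -> bool:
    """Authentication: verify WHO the caller is (password plus second factor)."""
    user = USERS.get(username)
    if user is None:
        # Spend the same hashing time for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    if not verify_password(password, user["salt"], user["hash"]):
        return False
    return hmac.compare_digest(mfa_code, user["mfa_code"])


def authorize(username: str, permission: str) -> bool:
    """Authorization: decide WHAT an already-authenticated caller may do."""
    user = USERS.get(username)
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user["role"], set())


def access_resource(username: str, password: str, mfa_code: str, permission: str) -> str:
    """Apply both controls in order: authenticate first, then authorize."""
    if not authenticate(username, password, mfa_code):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access_resource("analyst01", "correct horse battery staple", "492817", "logs:read"))
    print(access_resource("analyst01", "correct horse battery staple", "492817", "users:write"))
```

Note that an analyst with valid credentials is still refused `users:write`: passing authentication never implies authorization, which is the point of keeping the two controls separate.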
Use the CIA triad to protect organizations

Previously, you were introduced to the confidentiality, integrity, and availability
(CIA) triad and how it helps organizations consider and mitigate risk. In this reading,
you will learn how cybersecurity analysts use the CIA triad in the workplace.

The CIA triad for analysts


The CIA triad is a model that helps inform how organizations consider risk
when setting up systems and security policies. It is made up of three elements that
cybersecurity analysts and organizations work toward upholding: confidentiality,
integrity, and availability. Maintaining an acceptable level of risk and ensuring
systems and policies are designed with these elements in mind helps establish a
successful security posture, which refers to an organization’s ability to manage its
defense of critical assets and data and react to change.

Confidentiality

Confidentiality is the idea that only authorized users can access specific
assets or data. In an organization, confidentiality can be enhanced through the
implementation of design principles, such as the principle of least privilege. The
principle of least privilege limits users' access to only the information they need to
complete work-related tasks. Limiting access is one way of maintaining the
confidentiality and security of private data.

Integrity

Integrity is the idea that the data is verifiably correct, authentic, and reliable.
Having protocols in place to verify the authenticity of data is essential. One way to
verify data integrity is through cryptography, which is used to transform data so
unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of
how an organization might implement integrity is by enabling encryption, which is the
process of converting data from a readable format to an encoded format. Encryption
can be used to prevent access and ensure data, such as messages on an
organization's internal chat platform, cannot be tampered with.

Availability

Availability is the idea that data is accessible to those who are authorized to
use it. When a system adheres to both availability and confidentiality principles, data
can be used when needed. In the workplace, this could mean that the organization
allows remote employees to access its internal network to perform their jobs. It’s
worth noting that access to data on the internal network is still limited, depending on
what type of access employees need to do their jobs. If, for example, an employee
works in the organization’s accounting department, they might need access to
corporate accounts but not data related to ongoing development projects.
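The integrity example above (messages on an internal chat platform that must not be altered) can be made concrete. The following Python block is an added example, not code from the original notes; the names INTEGRITY_KEY, seal_message, verify_message and tamper_demo are assumptions. It attaches an HMAC-SHA256 tag to each message using a key that only the platform holds, so any change to the sender or text is detected on verification. One caveat worth knowing: encryption by itself hides content, but detecting modification requires an authentication tag such as the MAC used here (or an authenticated encryption mode that includes one).

```python
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Added example, not from the original notes. All names are assumptions.
# In practice the key would come from a key management system, not be generated here.
INTEGRITY_KEY = secrets.token_bytes(32)


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so identical content always yields the same tag."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_message(sender: str, text: str, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the message with an HMAC-SHA256 tag over its sender and text."""
    payload = {"sender": sender, "text": text}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "mac": tag}


def verify_message(message: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means tampered or untagged."""
    payload = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(message.get("mac", "")))


def tamper_demo() -> Tuple[bool, bool]:
    """Seal a constructed chat message, then alter its text and re-verify both copies."""
    original = seal_message("alice", "Approve payment of 100 USD")
    tampered = dict(original, text="Approve payment of 100000 USD")
    return verify_message(original), verify_message(tampered)


if __name__ == "__main__":
    print(tamper_demo())  # the untouched message verifies, the altered one does not
```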
The National Institute of Standards and Technology, or NIST, provides
frameworks that can support ongoing security efforts for all types of
organizations, including for-profit and nonprofit businesses, as well as government
agencies. While NIST is a US-based organization, the guidance it provides can help
analysts all over the world understand how to implement essential cybersecurity
practices. One NIST framework that we'll discuss throughout the program is the
NIST Cybersecurity Framework, or CSF.

The CSF is a voluntary framework that consists of standards, guidelines, and best
practices to manage cybersecurity risk. This framework is widely respected and
essential for maintaining security regardless of the organization you work for. The
CSF consists of five important core functions, identify, protect, detect, respond, and
recover, which we'll discuss in detail in a future video. For now, we'll focus on how
the CSF benefits organizations and how it can be used to protect against
threats, risks, and vulnerabilities by providing a workplace example.

The core functions of the NIST CSF provide specific guidance and direction for
security professionals. This framework is used to develop plans to handle an incident
appropriately and quickly to lower risk, protect an organization against a threat, and
mitigate any potential vulnerabilities. The NIST CSF also expands into the protection
of the United States federal government with:

NIST Special Publication (SP) 800-53. It provides a unified framework for
protecting the security of information systems within the federal
government, including the systems provided by private companies for federal
government use. The security controls provided by this framework are used to
maintain the CIA triad for those systems used by the government.

NIST CSF focuses on five core functions:

 Identify
 Protect
 Detect
 Respond
 Recover

These core functions help organizations manage cybersecurity risks, implement risk
management strategies, and learn from previous mistakes. Basically, when it comes
to security operations, NIST CSF functions are key for making sure an organization
is protected against potential threats, risks, and vulnerabilities. So let's take a little
time to explore how each function can be used to improve an organization's security.
1. Identify, which is related to the management of cybersecurity risk and its
effect on an organization's people and assets. For example, as a security
analyst, you may be asked to monitor systems and devices in your
organization's internal network to identify potential security issues.

2. Protect, which is the strategy used to protect an organization through the
implementation of policies, procedures, training, and tools that help mitigate
cybersecurity threats. For example, as a security analyst, you and your team
might encounter new and unfamiliar threats and attacks. For this reason,
studying historical data and making improvements to policies and procedures
is essential.

3. Detect, which means identifying potential security incidents and improving
monitoring capabilities to increase the speed and efficiency of detections. For
example, as an analyst, you might be asked to review a new security tool's
setup to make sure it's flagging low, medium, or high risk, and then alerting
the security team about any potential threats or incidents.

4. Respond, which means making sure that the proper procedures are used to
contain, neutralize, and analyze security incidents, and implement
improvements to the security process. As an analyst, you could be working
with a team to collect and organize data to document an incident and
suggest improvements to processes to prevent the incident from happening
again.

5. Recover, which is the process of returning affected systems back to normal
operation. For example, as an entry-level security analyst, you might work
with your security team to restore systems, data, and assets, such
as financial or legal files, that have been affected by an incident like a breach.

Security incidents are going to happen, but an organization must have the ability to
quickly recover from any damage caused by an incident to minimize their level of
risk.
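The Detect function above describes reviewing a tool's setup so that it flags low, medium, or high risk and alerts the team. The following Python block is an added example of that kind of detective control, not code from the original notes or from any named product; the log lines are constructed (sshd-style, using documentation IP ranges) and the names SAMPLE_LOGS, parse_failures, classify and generate_alerts are assumptions. It counts failed logins per source address and assigns a risk level from configurable thresholds, which is exactly the setting an analyst would verify when checking a new tool.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Added example, not from the original notes. Log lines below are constructed
# sample data in an sshd-like format; addresses come from documentation ranges.
SAMPLE_LOGS = [
    "Jan 10 09:01:02 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Jan 10 09:01:04 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "Jan 10 09:01:06 bastion sshd[2001]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Jan 10 09:01:08 bastion sshd[2001]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "Jan 10 09:01:10 bastion sshd[2001]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2",
    "Jan 10 09:01:12 bastion sshd[2001]: Failed password for invalid user oracle from 203.0.113.5 port 51005 ssh2",
    "Jan 10 09:01:14 bastion sshd[2001]: Failed password for invalid user guest from 203.0.113.5 port 51006 ssh2",
    "Jan 10 09:02:30 bastion sshd[2005]: Failed password for analyst01 from 198.51.100.7 port 40200 ssh2",
    "Jan 10 09:02:35 bastion sshd[2005]: Failed password for analyst01 from 198.51.100.7 port 40201 ssh2",
    "Jan 10 09:02:41 bastion sshd[2005]: Failed password for analyst01 from 198.51.100.7 port 40202 ssh2",
    "Jan 10 09:03:00 bastion sshd[2010]: Failed password for analyst02 from 192.0.2.9 port 50110 ssh2",
    "Jan 10 09:03:09 bastion sshd[2010]: Accepted publickey for analyst02 from 192.0.2.9 port 50111 ssh2",
]

# Matches both "Failed password for root from X" and "... for invalid user admin from X".
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_failures(lines: Iterable[str]) -> Counter:
    """Count failed-login events per source address; successful logins are ignored."""
    failures: Counter = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            failures[match.group("src")] += 1
    return failures


def classify(count: int, medium_at: int = 3, high_at: int = 6) -> str:
    """Map a failure count to the low/medium/high risk levels the tool should flag."""
    if count >= high_at:
        return "high"
    if count >= medium_at:
        return "medium"
    return "low"


def generate_alerts(lines: Iterable[str], medium_at: int = 3, high_at: int = 6) -> List[Dict]:
    """One alert per source address, ordered most severe first."""
    severity_order = {"high": 0, "medium": 1, "low": 2}
    alerts = [
        {"source": src, "failures": n, "risk": classify(n, medium_at, high_at)}
        for src, n in parse_failures(lines).items()
    ]
    return sorted(alerts, key=lambda a: (severity_order[a["risk"]], -a["failures"]))


if __name__ == "__main__":
    for alert in generate_alerts(SAMPLE_LOGS):
        print(f"{alert['risk']:6s} {alert['source']:15s} failures={alert['failures']}")
```

Reviewing a tool's configuration in this model means checking the thresholds (`medium_at`, `high_at`) against the organization's tolerance and confirming that the parser actually matches the log format in use; a regex that misses a variant line silently produces no alert.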
More about OWASP security principles


Previously, you learned that cybersecurity analysts help keep data safe and
reduce risk for an organization by using a variety of security frameworks, controls,
and security principles. In this reading, you will learn about more Open Web
Application Security Project, recently renamed Open Worldwide Application Security
Project® (OWASP), security principles and how entry-level analysts use them.

Security principles
In the workplace, security principles are embedded in your daily tasks. Whether you
are analyzing logs, monitoring a security information and event management (SIEM)
dashboard, or using a vulnerability scanner, you will use these principles in some
way.

Previously, you were introduced to several OWASP security principles. These
included:

 Minimize attack surface area: Attack surface refers to all the potential
vulnerabilities a threat actor could exploit.

 Principle of least privilege: Users have the least amount of access required to
perform their everyday tasks.

 Defense in depth: Organizations should have varying security controls that
mitigate risks and threats.

 Separation of duties: Critical actions should rely on multiple people, each of
whom follow the principle of least privilege.

 Keep security simple: Avoid unnecessarily complicated solutions. Complexity
makes security difficult.

 Fix security issues correctly: When security incidents occur, identify the root
cause, contain the impact, identify vulnerabilities, and conduct tests to ensure
that remediation is successful.

Additional OWASP security principles


Next, you’ll learn about four additional OWASP security principles that cybersecurity
analysts and their teams use to keep organizational operations and people safe.

Establish secure defaults

This principle means that the optimal security state of an application is also its
default state for users; it should take extra work to make the application insecure.
Fail securely

Fail securely means that when a control fails or stops, it should do so by defaulting to
its most secure option. For example, when a firewall fails it should simply close all
connections and block all new ones, rather than start accepting everything.

Don’t trust services

Many organizations work with third-party partners. These outside partners often have
different security policies than the organization does. And the organization shouldn’t
explicitly trust that their partners’ systems are secure. For example, if a third-party
vendor tracks reward points for airline customers, the airline should ensure that the
balance is accurate before sharing that information with their customers.

Avoid security by obscurity

The security of key systems should not rely on keeping details hidden. Consider the
following example from OWASP (2016):

The security of an application should not rely on keeping the source code secret. Its
security should rely upon many other factors, including reasonable password
policies, defense in depth, business transaction limits, solid network architecture,
and fraud and audit controls.
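Three of the principles above (establish secure defaults, fail securely, don't trust services) translate directly into code patterns. The Python block below is an added example written for these notes, not code from OWASP or from the original document; AppConfig, is_permitted, unavailable_lookup and validate_partner_balance are assumed names, and the airline reward-points check mirrors the vendor example in the text. The configuration is safest with no settings supplied, the permission check denies on any error rather than allowing, and the partner's response is validated for type and plausibility before it is used.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Added example, not from the original notes or from OWASP. All names are assumptions.


@dataclass(frozen=True)
class AppConfig:
    """Establish secure defaults: the zero-configuration state is the most secure one,
    so weakening it requires an explicit, visible choice."""
    require_mfa: bool = True
    allow_anonymous: bool = False
    session_timeout_minutes: int = 15


class PolicyUnavailable(Exception):
    """Raised when the policy decision service cannot be reached."""


def unavailable_lookup(user: str, action: str) -> bool:
    """A policy backend that is down; used to show fail-secure behaviour."""
    raise PolicyUnavailable("policy service unreachable")


def is_permitted(policy_lookup: Callable[[str, str], object], user: str, action: str) -> bool:
    """Fail securely: any failure inside the control becomes a denial, never an allow.
    Only an explicit True from the backend grants access."""
    try:
        decision = policy_lookup(user, action)
    except Exception:
        return False
    return decision is True


def validate_partner_balance(raw_response: str, max_points: int = 10_000_000) -> int:
    """Don't trust services: check a partner's reward-points reply before showing it.
    Raises ValueError for malformed or implausible data instead of passing it on."""
    try:
        data = json.loads(raw_response)
    except json.JSONDecodeError as exc:
        raise ValueError("partner response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("partner response must be a JSON object")
    balance = data.get("balance")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(balance, bool) or not isinstance(balance, int):
        raise ValueError("balance must be an integer")
    if not 0 <= balance <= max_points:
        raise ValueError("balance out of plausible range")
    return balance


if __name__ == "__main__":
    print(AppConfig())                                          # secure without any input
    print(is_permitted(unavailable_lookup, "analyst01", "read"))  # False: fails closed
    print(validate_partner_balance('{"balance": 1200}'))       # 1200
```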

More about security audits


Previously, you were introduced to how to plan and complete an internal
security audit. In this reading, you will learn more about security audits, including the
goals and objectives of audits.

Security audits
A security audit is a review of an organization's security controls, policies, and
procedures against a set of expectations. Audits are independent reviews that
evaluate whether an organization is meeting internal and external criteria. Internal
criteria include outlined policies, procedures, and best practices. External criteria
include regulatory compliance, laws, and federal regulations.

Additionally, a security audit can be used to assess an organization's established
security controls. As a reminder, security controls are safeguards designed to reduce
specific security risks.

Audits help ensure that security checks are made (i.e., daily monitoring of security
information and event management dashboards), to identify threats, risks, and
vulnerabilities. This helps maintain an organization’s security posture. And, if there
are security issues, a remediation process must be in place.

Goals and objectives of an audit

The goal of an audit is to ensure an organization's information technology (IT)
practices are meeting industry and organizational standards. The objective is to
identify and address areas of remediation and growth. Audits provide direction and
clarity by identifying what the current failures are and developing a plan to correct
them.

Security audits must be performed to safeguard data and avoid penalties and fines
from governmental agencies. The frequency of audits is dependent on local laws and
federal compliance regulations.

Factors that affect audits


Factors that determine the types of audits an organization implements include:

 Industry type

 Organization size

 Ties to the applicable government regulations

 A business’s geographical location

 A business decision to adhere to a specific regulatory compliance

To review common compliance regulations that different organizations need to
adhere to, refer to the reading about controls, frameworks, and compliance.

The role of frameworks and controls in audits


Along with compliance, it’s important to mention the role of frameworks and controls
in security audits. Frameworks such as the National Institute of Standards and
Technology Cybersecurity Framework (NIST CSF) and the international standard for
information security (ISO 27000) series are designed to help organizations prepare
for regulatory compliance security audits. By adhering to these and other relevant
frameworks, organizations can save time when conducting external and internal
audits. Additionally, frameworks, when used alongside controls, can support
organizations’ ability to align with regulatory compliance requirements and
standards.

There are three main categories of controls to review during an audit, which are
administrative and/or managerial, technical, and physical controls. To learn more
about specific controls related to each category, click the following link and select
“Use Template.”

Link to template: Control categories

OR

If you don’t have a Google account, you can download the template directly from the
following attachment:

Control categories (DOCX file)

Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is
generally made up of the following areas of focus:

Identify the scope of the audit

 The audit should:

o List assets that will be assessed (e.g., firewalls are configured
correctly, PII is secure, physical assets are locked, etc.)

o Note how the audit will help the organization achieve its desired goals

o Indicate how often an audit should be performed

o Include an evaluation of organizational policies, protocols, and
procedures to make sure they are working as intended and being
implemented by employees

Complete a risk assessment

 A risk assessment is used to evaluate identified organizational risks related to
budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit

 When conducting an internal audit, you will assess the security of the
identified assets listed in the audit scope.

Create a mitigation plan

 A mitigation plan is a strategy established to lower the level of risk and
potential costs, penalties, or other issues that can negatively affect the
organization’s security posture.

Communicate results to stakeholders

 The end result of this process is providing a detailed report of findings,
suggested improvements needed to lower the organization's level of risk, and
compliance regulations and standards the organization needs to adhere to.

Control categories

Controls within cybersecurity are grouped into three main categories:

 Administrative/Managerial controls
 Technical controls
 Physical controls

Administrative/Managerial controls address the human component of
cybersecurity. These controls include policies and procedures that define how an
organization manages data and clearly defines employee responsibilities, including
their role in protecting the organization. While administrative controls are typically
policy based, the enforcement of those policies may require the use of technical or
physical controls.

Technical controls consist of solutions such as firewalls, intrusion detection
systems (IDS), intrusion prevention systems (IPS), antivirus (AV) products,
encryption, etc. Technical controls can be used in a number of ways to meet
organizational goals and objectives.

Physical controls include door locks, cabinet locks, surveillance cameras, badge
readers, etc. They are used to limit physical access to physical assets by
unauthorized personnel.

Control types
Control types include, but are not limited to:
1. Preventative
2. Corrective
3. Detective
4. Deterrent

These controls work together to provide defense in depth and protect assets.
Preventative controls are designed to prevent an incident from occurring in the first
place. Corrective controls are used to restore an asset after an incident. Detective
controls are implemented to determine whether an incident has occurred or is in
progress. Deterrent controls are designed to discourage attacks.

Review the following charts for specific details about each type of control and its
purpose.

Administrative Controls

Control Name | Control Type | Control Purpose
Least Privilege | Preventative | Reduce risk and overall impact of malicious insider or compromised accounts
Disaster recovery plans | Corrective | Provide business continuity
Password policies | Preventative | Reduce likelihood of account compromise through brute force or dictionary attack techniques
Access control policies | Preventative | Bolster confidentiality and integrity by defining which groups can access or modify data
Account management policies | Preventative | Managing account lifecycle, reducing attack surface, and limiting overall impact from disgruntled former employees and default account usage
Separation of duties | Preventative | Reduce risk and overall impact of malicious insider or compromised accounts

Technical Controls

Control Name | Control Type | Control Purpose
Firewall | Preventative | To filter unwanted or malicious traffic from entering the network
IDS/IPS | Detective | To detect and prevent anomalous traffic that matches a signature or rule
Encryption | Deterrent | Provide confidentiality to sensitive information
Backups | Corrective | Restore/recover from an event
Password management | Preventative | Reduce password fatigue
Antivirus (AV) software | Corrective | Detect and quarantine known threats
Manual monitoring, maintenance, and intervention | Preventative | Necessary to identify and manage threats, risks, or vulnerabilities to out-of-date systems

Physical Controls

Control Name | Control Type | Control Purpose
Time-controlled safe | Deterrent | Reduce attack surface and overall impact from physical threats
Adequate lighting | Deterrent | Deter threats by limiting “hiding” places
Closed-circuit television (CCTV) | Preventative/Detective | Closed circuit television is both a preventative and detective control because its presence can reduce risk of certain types of events from occurring, and can be used after an event to inform on event conditions
Locking cabinets (for network gear) | Preventative | Bolster integrity by preventing unauthorized personnel and other individuals from physically accessing or modifying network infrastructure gear
Signage indicating alarm service provider | Deterrent | Deter certain types of threats by making the likelihood of a successful attack seem low
Locks | Deterrent/Preventative | Bolster integrity by deterring and preventing unauthorized personnel and individuals from physically accessing assets
Fire detection and prevention (fire alarm, sprinkler system, etc.) | Detective/Preventative | Detect fire in physical location and prevent damage to physical assets such as inventory, servers, etc.

Current assets
Assets managed by the IT Department include:
 On-premises equipment for in-office business needs
 Employee equipment: end-user devices (desktops/laptops, smartphones),
remote workstations, headsets, cables, keyboards, mice, docking stations,
surveillance cameras, etc.
 Management of systems, software, and services: accounting,
telecommunication, database, security, ecommerce, and inventory
management
 Internet access
 Internal network
 Vendor access management
 Data center hosting services
 Data retention and storage
 Badge readers
 Legacy system maintenance: end-of-life systems that require human
monitoring

Administrative Controls

Control Name | Control type and explanation | Needs to be implemented (X) | Priority
Least Privilege | Preventative; reduces risk by making sure vendors and non-authorized staff only have access to the assets/data they need to do their jobs | X | High
Disaster recovery plans | Corrective; business continuity to ensure systems are able to run in the event of an incident/there is limited to no loss of productivity downtime/impact to system components, including: computer room environment (air conditioning, power supply, etc.); hardware (servers, employee equipment); connectivity (internal network, wireless); applications (email, electronic data); data and restoration | X | High
Password policies | Preventative; establish password strength rules to improve security/reduce likelihood of account compromise through brute force or dictionary attack techniques | X | High
Access control policies | Preventative; increase confidentiality and integrity of data | X | High
Account management policies | Preventative; reduce attack surface and limit overall impact from disgruntled/former employees | X | High/Medium
Separation of duties | Preventative; ensure no one has so much access that they can abuse the system for personal gain | X | High

Technical Controls

Control Name | Control type and explanation | Needs to be implemented (X) | Priority
Firewall | Preventative; firewalls are already in place to filter unwanted/malicious traffic from entering internal network | NA | NA
Intrusion Detection System (IDS) | Detective; allows IT team to identify possible intrusions (e.g., anomalous traffic) quickly | X | High
Encryption | Deterrent; makes confidential information/data more secure (e.g., website payment transactions) | X | High/Medium
Backups | Corrective; supports ongoing productivity in the case of an event; aligns to the disaster recovery plan | X | High
Password management system | Corrective; password recovery, reset, lock out notifications | X | High/Medium
Antivirus (AV) software | Corrective; detect and quarantine known threats | X | High
Manual monitoring, maintenance, and intervention | Preventative/corrective; required for legacy systems to identify and mitigate potential threats, risks, and vulnerabilities | X | High

Physical Controls

Control Name | Control type and explanation | Needs to be implemented (X) | Priority
Time-controlled safe | Deterrent; reduce attack surface/impact of physical threats | X | Medium/Low
Adequate lighting | Deterrent; limit “hiding” places to deter threats | X | Medium/Low
Closed-circuit television (CCTV) surveillance | Preventative/detective; can reduce risk of certain events; can be used after event for investigation | X | High/Medium
Locking cabinets (for network gear) | Preventative; increase integrity by preventing unauthorized personnel/individuals from physically accessing/modifying network infrastructure gear | X | Medium
Signage indicating alarm service provider | Deterrent; makes the likelihood of a successful attack seem low | X | Low
Locks | Preventative; physical and digital assets are more secure | X | High
Fire detection and prevention (fire alarm, sprinkler system, etc.) | Detective/Preventative; detect fire in the toy store’s physical location to prevent damage to inventory, servers, etc. | X | Medium/Low
Glossary terms from week 2


Terms and definitions from Course 2, Week 2
Asset: An item perceived as having value to an organization

Attack vectors: The pathways attackers use to penetrate security defenses

Authentication: The process of verifying who someone is

Authorization: The concept of granting access to specific resources in a system

Availability: The idea that data is accessible to those who are authorized to access it

Biometrics: The unique physical characteristics that can be used to verify a person’s identity

Confidentiality: The idea that only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how
organizations consider risk when setting up systems and security policies

Detect: A NIST core function related to identifying potential security incidents and
improving monitoring capabilities to increase the speed and efficiency of detections

Encryption: The process of converting data from a readable format to an encoded format

Identify: A NIST core function related to management of cybersecurity risk and its effect on
an organization’s people and assets

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cybersecurity Framework
(CSF): A voluntary framework that consists of standards, guidelines, and best practices to
manage cybersecurity risk

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53:
A unified framework for protecting the security of information systems within the U.S.
federal government

Open Web Application Security Project/Open Worldwide Application Security Project
(OWASP): A non-profit organization focused on improving software security

Protect: A NIST core function used to protect an organization through the implementation of
policies, procedures, training, and tools that help mitigate cybersecurity threats

Recover: A NIST core function related to returning affected systems back to normal
operation
Respond: A NIST core function related to making sure that the proper procedures are used to
contain, neutralize, and analyze security incidents, and implement improvements to the
security process

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Security audit: A review of an organization's security controls, policies, and procedures
against a set of expectations

Security controls: Safeguards designed to reduce specific security risks

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to
data and privacy

Security posture: An organization’s ability to manage its defense of critical assets and data
and react to change

Threat: Any circumstance or event that can negatively impact assets
