Practical implementation of such cyber security policies is largely addressed by establishing prioritised, flexible, repeatable, performance-based and cost-effective activities that assist organisations in managing cyber security risk. Table 5.3 identifies a range of key PACs-related framework guidance standards in existence. Given the complexity of the cyber security challenge, it is not surprising that no single exhaustive model applicable to every organisation or government exists. However, broad prescriptive stages do apply (e.g. establishing, implementing, operating, monitoring, reviewing, maintaining and improving), and the Plan-Do-Check-Act (PDCA) model provides a strong methodological basis.

Table 8.3 – Key PACs-related framework guidance standards

| Guidance Framework/Initiative | Overview | Reference |
|---|---|---|
| AICPA Trust Service Criteria | Governed by AICPA (a key US accounting institute); provides a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs. | http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TrustServices/Pages/Trust%20Services%20Principles%E2%80%94An%20Overview.aspx |
| BITS Shared Assessments | Created by leading financial institutions, the Big 4 accounting firms and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process. | https://sharedassessments.org/ |
| BSI Germany | Set of standards created by the Office for Information Security (BSI) to promote IT security in Germany. | https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html |
| CEN / CENELEC | The Cybersecurity Coordination Group (CSCG) acts as a single point of contact for pan-European interchange on cyber security standardization and provides a set of recommendations and advice to the European Commission (DG CONNECT and DG ENTR) and EU Member States in the area of cyber security standardization. | http://www.cencenelec.eu/standards/Sectors/DefenceSecurityPrivacy/Security/Pages/Cybersecurity.aspx |
| Cloud Controls Matrix (CCM) | Led by the Cloud Security Alliance (CSA); designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. | https://cloudsecurityalliance.org/research/ccm/ |
| COBIT | Led by ISACA; a widely used framework for the governance and management of enterprise IT. | http://www.isaca.org/cobit/pages/default.aspx?cid=1003566&appeal=pr |
| CSA Enterprise Architecture | Formerly known as the Trusted Cloud Initiative; a CSA initiative that helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations and practices. | https://cloudsecurityalliance.org/research/eawg/ |
| ENISA IAF | Published in 2009; provides a set of assurance criteria designed to assess the risk of adopting cloud services, compare different cloud provider offers, obtain assurance from the selected cloud providers and reduce the assurance burden on cloud providers. | https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework |
| ETSI TC CYBER | TC CYBER focuses on the development of standards across key areas including: (1) cybersecurity; (2) security of infrastructures, devices, services and protocols; (3) security advice, guidance and operational security requirements for users, manufacturers and network and infrastructure operators; (4) security tools and techniques to ensure security; (5) creation of security specifications and alignment with work done in other ETSI committees. | http://portal.etsi.org/TBSiteMap/CYBER/CyberToR.aspx |
| FedRAMP Security Controls | US Federal government requirements for providers of secure cloud computing services. | http://cloud.cio.gov/fedramp |
| ISO/IEC 27001:2013 | Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. | http://www.iso.org/iso/catalogue_detail?csnumber=54534 |
| NERC CIP | Set of Critical Infrastructure Protection standards developed by the North American Electric Reliability Corporation. | http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx |
| NIST Critical Infrastructure Protection Framework | Provides a structure that organisations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs. | http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf |
| NIST SP800-53 | Provides a catalog of security and privacy controls for federal information systems and organisations, and a process for selecting controls to protect organisational operations (including mission, functions, image and reputation), organisational assets, individuals, other organisations and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures and human errors. | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf |
| PCI DSS | Requirements and standards for the storage and processing of payment card data. | https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf |
