12 KiB
12 KiB
Security Frameworks & Standards
Comprehensive collection of security frameworks, compliance standards, and threat analysis models used across the cybersecurity industry.
NIST Framework Suite
The National Institute of Standards and Technology (NIST) publishes comprehensive cybersecurity frameworks and guidelines.
Core Frameworks
- NIST Cybersecurity Framework - Framework for improving critical infrastructure cybersecurity
- NIST Privacy Framework - Privacy risk management framework
- NIST 800-37 Risk Management Framework - RMF for information systems and organizations
Security Controls
- NIST 800-53 Security Controls - Security and privacy controls for information systems
- NIST 800-171 - Protecting Controlled Unclassified Information (CUI)
Risk Management
- NIST 800-39 Managing Information Security Risk - Organization-level risk management
Specialized Guidelines
- NIST 800-61 Incident Handling Guide - Computer security incident handling
- NIST 800-63 Digital Identity Guidelines - Digital identity framework
- NIST 800-207 Zero Trust Architecture - Zero trust security model
- NIST 800-218 Secure Software Development Framework - Secure SDLC practices
ISO/IEC Standards
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) security standards.
Information Security Management
- ISO/IEC 27001 - Information security management systems (ISMS) requirements
- ISO/IEC 27002 - Code of practice for information security controls
Specialized ISO Standards
- ISO/IEC 27032 - Guidelines for cybersecurity
- ISO/IEC 27033 - Network security management
- ISO/IEC 27034 - Application security guidelines
- ISO 22301 - Business continuity management systems
Industry Security Frameworks
Threat Intelligence & Attack Frameworks
MITRE Corporation:
- MITRE ATT&CK Framework - Adversary tactics, techniques, and common knowledge
- MITRE Shield - Active defense knowledge base
- MITRE Engage - Framework for adversary engagement operations
Attack Models:
- Lockheed Martin Cyber Kill Chain - Framework for identifying and preventing cyber intrusions
- Diamond Model of Intrusion Analysis - Model for analyzing cyber intrusions
- Unified Kill Chain - Unified framework combining multiple kill chain models
Application Security
- OWASP Top 10 - Top 10 web application security risks
- OWASP ASVS - Application Security Verification Standard
- OWASP SAMM - Software Assurance Maturity Model
- OWASP Mobile Top 10 - Mobile application security risks
Security Controls & Best Practices
- CIS Controls - Critical security controls for effective cyber defense
- CIS Benchmarks - Configuration best practices for various technologies
Cloud Security
- Cloud Security Alliance CCSK - Certificate of Cloud Security Knowledge
- CSA Cloud Controls Matrix - Security controls framework for cloud computing
- AWS Well-Architected Framework - Security pillar for AWS
Compliance & Regulatory Frameworks
Financial Services
Payment Card Industry:
- PCI-DSS - Payment Card Industry Data Security Standard
- Requirements for securing credit card transactions
- Applies to all entities that store, process, or transmit cardholder data
Banking & Finance:
- SOX (Sarbanes-Oxley Act) - Financial reporting and IT controls
- GLBA (Gramm-Leach-Bliley Act) - Financial privacy requirements
Healthcare
- HIPAA Security Rule - Health Insurance Portability and Accountability Act
- Protects electronic protected health information (ePHI)
- Administrative, physical, and technical safeguards
- HITECH Act - Health Information Technology for Economic and Clinical Health
Privacy Regulations
International:
- GDPR (General Data Protection Regulation) - European Union data protection and privacy
- Applies to all organizations processing EU citizen data
- Data protection by design and default
United States:
- CCPA (California Consumer Privacy Act) - California privacy law
- CPRA (California Privacy Rights Act) - Enhanced California privacy protections
Canada:
- PIPEDA - Personal Information Protection and Electronic Documents Act
Federal & Government
United States Federal:
- FISMA (Federal Information Security Management Act) - Federal information security requirements
- FedRAMP (Federal Risk and Authorization Management Program) - Cloud security assessment for federal agencies
- NIST SP 800-53 - Security controls for federal systems
Defense:
- CMMC (Cybersecurity Maturity Model Certification) - DoD cybersecurity framework
- Required for defense contractors
- Tiered maturity model (Levels 1-3)
Industry Standards
- SOC 2 Type II - Service Organization Control 2
- Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
- Common for SaaS and cloud service providers
Incident Response Frameworks
Response Methodologies
NIST Incident Response:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
SANS Incident Response:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Risk Management Frameworks
Enterprise Risk
- ISO 31000 - Risk management guidelines
- COSO ERM Framework - Enterprise risk management
- FAIR (Factor Analysis of Information Risk) - Quantitative risk analysis
IT Risk
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - Risk-based strategic assessment
- NIST RMF - Risk Management Framework for information systems
Security Architecture Frameworks
Enterprise Architecture
- SABSA (Sherwood Applied Business Security Architecture) - Business-driven security architecture framework
- TOGAF (The Open Group Architecture Framework) - Enterprise architecture methodology
- Zachman Framework - Enterprise architecture framework
Zero Trust
- NIST Zero Trust Architecture (SP 800-207)
- Microsoft Zero Trust Model
- Google BeyondCorp - Zero trust security framework
Industry-Specific Frameworks
Critical Infrastructure
- NERC CIP - North American Electric Reliability Corporation Critical Infrastructure Protection
- TSA Security Directives - Transportation security requirements
Manufacturing & IoT
- IEC 62443 - Industrial automation and control systems security
- NIST Cybersecurity for IoT - IoT security guidance
Threat & Vulnerability Frameworks
Vulnerability Databases
- CVE (Common Vulnerabilities and Exposures) - Vulnerability naming standard
- NVD (National Vulnerability Database) - US government vulnerability database
- CWE (Common Weakness Enumeration) - Software security weakness taxonomy
Scoring Systems
- CVSS (Common Vulnerability Scoring System) - Vulnerability severity scoring
- EPSS (Exploit Prediction Scoring System) - Likelihood of exploitation
Data Breach & Incident Frameworks
Incident Documentation
- VERIS (Vocabulary for Event Recording and Incident Sharing) - Framework for describing security incidents
- STIX/TAXII - Structured Threat Information Expression / Trusted Automated Exchange of Intelligence Information
Maturity Models
Security Maturity
- OWASP SAMM - Software Assurance Maturity Model
- CMMC - Cybersecurity Maturity Model Certification
- C2M2 (Cybersecurity Capability Maturity Model) - Energy sector cybersecurity maturity
Governance Maturity
- COBIT - Control Objectives for Information and Related Technologies
- IT governance and management framework
- Published by ISACA
Additional Resources
Framework Implementation Guides
- NIST Cybersecurity Framework Implementation Guide
- CIS Controls Implementation Groups
- ISO 27001 Implementation Guide