Welcome to Cybrary's video series on the CompTIA Security+ 501 certification and exam.
I'm your instructor, Ron Warner.
In this video, I'll be discussing the first section in domain three on secure architecture and design, where you need to be able to explain use cases and the purpose of frameworks,
best practices and secure configuration guides.
An organization's security architecture should be based on a standard or framework.
Often the organization is bound by regulations or laws and must base its security architecture on them.
When an organization is international, it could be subject to additional restrictions based on regulatory compliance in each country it operates in,
and these need to be considered when designing the organizational security architecture. In addition to regulations, the components taken into consideration include standards, frameworks and guidelines.
Let me explain each term.
Standards describe specific mandatory controls based on policies.
Guides, or guidelines,
provide recommendations or best practices.
A framework generally includes more components than a guide and is used as the basis for the implementation and management of security controls.
In this video, we'll cover the following topics:
industry-standard frameworks and reference architectures,
benchmarks and secure configuration guides,
and lastly defense in depth and layered security.
There are different types of frameworks in place for cybersecurity.
Regulatory frameworks are requirements created by government agencies and mandated by law.
Regulation can exist on an international, national or even local level.
Examples include HIPAA, GLBA (the Gramm-Leach-Bliley Act for banking) or Sarbanes-Oxley, also called SOX.
Non-regulatory requirements are developed by agencies that provide technology, metrics or standards development for the betterment of science and management
of their industry.
Examples include the Payment Card Industry Data Security Standard, which is used to protect credit card information.
There are also national versus international frameworks and laws:
international standards like ISO, or an international law like GDPR, the European Union's General Data Protection Regulation.
Lastly, there are industry-specific frameworks based on the company's business;
the payment card industry standard is another example of that.
Be familiar with the regulations, frameworks and standards applicable to your organization's business.
There are many standards, frameworks and guidelines available to assist you in planning and implementing your organization's cybersecurity program.
These include national and international standards, industry-specific standards,
product-specific guidelines and vendor-specific guidance. All of these will be useful in helping you determine the best practices for your cybersecurity program.
On your screen is a list of numerous frameworks that are available. I recommend you look into each of them. I'll discuss a few through this video.
It must be noted that it's beyond the scope of a single lecture to fully cover every regulation or standard.
In this session, we will explore some of the most widely known standards, frameworks and regulations.
You should also consult the regulations relevant to your locality and industry.
The International Organization for Standardization, also known as ISO, is an international standard-setting body composed of representatives from various national standards organizations.
They create documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.
On your screen, you see the ISO standards
focused on cybersecurity; these are all within the 27000 family. The ISO/IEC 27000 series comprises the information security standards published jointly by ISO and the International Electrotechnical Commission (IEC).
I'll discuss specifics for some of these in the next few slides.
ISO 27001 was published in 2013.
It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system for an organization.
It also includes requirements for the assessment and treatment of information security risk,
tailored to the needs of the organization.
These requirements are generic, not technology- or organization-specific, and are intended to be applicable to any and all types of organizations, no matter their size, type or nature.
ISO 27002 gives guidelines for organizational information security standards and information security management practices,
including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment.
It is designed to be used by organizations that intend to select controls within the process of implementing an information security management system,
implement commonly accepted information security controls, and develop their own information security management guidelines.
So ISO 27002
is all about security controls.
On your screen are the different best practices and topic areas associated with 27002.
This proves to be a very good reference document as you're defining and managing your information security program.
You should note that each of these topics is covered in this video series and mirrors the information found in the Security+ exam.
ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services.
Refer to this document if your organization is using cloud services or even considering their use.
The National Institute of Standards and Technology (NIST) is the source for United States national standards.
Refer to nist.gov. I use this as a
primary resource in a lot of my activities in cybersecurity.
These are general guidelines applicable regardless of the specific industry or even specific devices.
The NIST Cybersecurity Framework, which you see on your screen, is a group of related standards that are designed to provide guidance on cybersecurity.
Many organizations are now turning to the NIST CSF as the basis for their cybersecurity program.
Each standard published by NIST is a Special Publication, or SP, with a numeric designation.
Those focused on cybersecurity or encryption are the NIST 800 series.
The NIST Cybersecurity Resource Center provides NIST cybersecurity and information security related projects, publications, news and events.
On your screen are some of the NIST Special Publications in the SP 800 series.
800-30 is the Guide for Conducting Risk Assessments. If your organization is looking to conduct a security risk assessment, they should leverage 800-30.
800-35 is the Guide to Information Technology Security Services.
800-53 is a huge list of security controls.
Many organizations are using 800-53 as their baseline for security and basing their audits on it.
800-53A is guidance on assessing security and privacy controls; even though it says it's for federal information systems, I know many organizations now leverage 800-53A.
Review the NIST 800 series to learn more about these guidelines and best practices.
An industry-specific standard you should be familiar with is the Payment Card Industry Data Security Standard,
or PCI DSS.
This is the standard developed and used by Visa, MasterCard, Discover, American Express and a few others to create common security controls for the protection of cardholder data, or CHD.
Any organization processing credit cards must be compliant with PCI DSS.
The level of compliance differs
depending on the number of card transactions you take annually.
On your screen you see some PCI DSS control objectives.
For example, building and maintaining a secure network;
protecting the cardholder data, whether it's within a flat file or within a database, and whether the cardholder data is at rest, in transit or being processed;
maintaining a vulnerability management program;
and monitoring and testing your networks.
We cover numerous parts of these topics through this video series.
PCI DSS is a worldwide standard that you should be familiar with.
The next topic of security standards is system baselines and configuration guides.
These are general-purpose guides for securing operating systems, networks and applications. You see a couple of examples on your screen.
The U.S. Department of Defense publishes their Security Technical Implementation Guides, or STIGs.
These contain technical guidance to lock down and secure information systems and software that might otherwise be vulnerable to malicious computer attacks. So if you need to lock down a specific operating system, say Windows 10, Windows Server 2016 or a Linux operating system,
check out the STIGs.
Another common source of benchmarks and secure configuration guides is the Center for Internet Security (CIS).
They publish numerous benchmarks and secure configuration guides for different applications and operating systems, similar to the STIGs.
Check out each of these; they are great resources you should be using not only for Security+ but as a security professional.
In addition to those benchmarks and guides, there are many different vendors that produce their own configuration guidelines related to the secure use of their products.
Some of the platform- and vendor-specific guides include Cisco for networking,
and Microsoft TechNet for the different Microsoft operating systems and applications.
Macintosh and Linux provide similar types of guides.
Web servers like IIS from Microsoft and Apache also have specific security configuration guides available from the vendors' websites.
We'll now transition to talking about some of the security concepts associated with frameworks, standards and guidelines.
The first is defense in depth and layered security. Defense in depth is the coordinated use of multiple security countermeasures on an information asset, so it's providing security at different levels: within the operating system, within the application and so on. This provides layers of security.
Segmentation is a form of defense in depth. It's the act or practice of splitting a computer network into zones or subnets based on business function and security needs. You can do this using physical devices such as routers and switches, or virtually with a VLAN.
An air gap is another method. Air-gapped means no network connectivity, so you would need to use what we call sneakernet,
taking a USB flash drive to transfer any files.
Other concepts related to defense in depth and layered security are on your screen.
The first is control diversity. It's addressing a security concern using different controls that don't depend on each other. So you have your firewall that controls your network layer, and you might also have an operating system firewall:
two different types of firewalls that supplement each other. You could do this through technical means or through administrative and process means.
Vendor diversity addresses a security concern using different vendors' products. So if my firewall vendor has a security vulnerability and I'm using a different product internally, that vulnerability does not
flow down to those other products.
Lastly, user training.
User security awareness is a fundamental part of a security program, and it greatly reduces the impact of both threats and vulnerabilities.
Review these different security concepts; I'll be discussing each of them in more detail in other videos.
Let's practice on a few example quiz questions.
This standard gives guidelines for information security controls applicable to the provision and use of cloud services.
The answer is C, ISO 27017. Remember, that's the one for cloud.
According to CompTIA, which of the following is not a consideration for defense in depth or layered security?
The answer is B,
security benchmarks. It's not included in the list for defense in depth.
This concludes the video for section 3.1, where I explained use cases and purposes for frameworks, best practices and secure configuration guides.
Refer to your study notes and other resources for more information on this section.