Re: References to standards and frameworks

scottadamson · ‎07-18-2023

I have noted that throughout the course (in particular Chapter 7) a lot of standards and frameworks published by NIST, ISO and others are referenced. This material seems to feature in the practice assessment and chapter review questions. This seems like a kind of rote learning where I need to memorise information rather than understanding processes and principles. Can anyone comment on whether I should be investing the time so I can recall things like what 'NIST SP 800-xxx' means ?

ericgeater · ‎07-19-2023

While you don't have to fully understand what they do, you should understand what they are, and how a framework, standard or governing principle would apply to how an org conducts its business.

Your company may elect to use SP 800-53 to create a security framework, but if it's in defense, it has to follow 800-171.
Would your company do business in Europe? Then it may require GDPR compliance.
Will it accept credit card payments online? You must comply with PCI.
Publicly traded companies require SOX compliance. Healthcare requires HIPAA compliance.

To some degree, it is memorization. In your own enterprise, you may not require many frameworks -- or in some cases, any frameworks. But your IT strategy follows the leadership of your board, so you should know what influences their decisions. As the professional security person, you'll need to know how to advise your org and steer security. Big or small, frameworks are a great way to begin.

(edited)

-----------
A claim is as good as its veracity.

tldutton · ‎07-19-2023

@ericgeater

Great explanation! Especially relevant in a global economy.