Section 1: IT Governance, Frameworks & Regulatory Standards
NIST · COBIT 2019 · CIS Controls · HIPAA · GDPR · PCI DSS
1.1 NIST Cybersecurity Framework (CSF 2.0)
The NIST CSF is a voluntary framework that helps an organization manage and reduce cybersecurity risk. Version 2.0 (the current version) is built around six Functions.
| Function | Purpose |
|---|---|
| Govern | Establishes and monitors the cybersecurity risk-management strategy, expectations, and policy (governance policies/processes, risk strategy, roles & responsibilities, awareness & training, oversight). Newly elevated as its own Function in CSF 2.0. |
| Identify | Understands the organization's assets, suppliers, and related cyber risks, i.e., identifies what needs protecting (asset inventory, business environment, risk assessment, supply-chain risk). |
| Protect | Implements safeguards (identity management, authentication & access control, data security, awareness & training, platform protection, maintenance). |
| Detect | Finds and analyzes possible attacks/compromises in a timely way (continuous monitoring, anomaly/event detection). |
| Respond | Takes action on a detected incident: contains it, mitigates losses, and communicates with affected parties. |
| Recover | Restores assets and operations: repairs equipment, restores from backups, and returns to normal. |
- G: Govern
- I: Identify
- P: Protect
- D: Detect
- R: Respond
- R: Recover
CSF Implementation Tiers
Tiers describe how rigorous and mature an organization's risk-management practices are (a characterization, not a maturity "grade").
| Tier | Name | Characteristics |
|---|---|---|
| Tier 1 | Partial | Ad hoc, reactive, "impulsive", risk managed informally and inconsistently. |
| Tier 2 | Risk-Informed | Risk practices approved but may not be organization-wide; only the most important areas covered. |
| Tier 3 | Repeatable | Formalized, organization-wide practices with standardized technology and policies. |
| Tier 4 | Adaptive | Continuous improvement; assumes it will be attacked; formal documented policies and advanced technology. |
Organizational Profiles & the five-step process
Current Profile: the cybersecurity outcomes achieved today. Target Profile: the desired, prioritized future outcomes. The repeatable five-step approach: (1) scope the organizational profile, (2) gather the information needed, (3) create the profile, (4) perform a gap analysis (current vs. target), (5) implement the action plan and update the profile, then iterate.
1.2 NIST Privacy Framework
Provides a common language for identifying, managing, and communicating privacy risk from how an organization processes data. Built to be used with the CSF.
| Function | Question it answers |
|---|---|
| Identify-P | What are the privacy risks from our data processing? (Inventory data processing, map data flows, assess risk.) |
| Govern-P | What governance structure best manages privacy risk? (Policies/processes, risk strategy, awareness & training, monitoring.) |
| Control-P | What management structure lets the organization manage data with adequate granularity? (Data-processing policies, management, disassociated processing.) |
| Communicate-P | How does the organization enable dialogue about privacy risk with individuals and stakeholders? |
| Protect-P | What data-protection safeguards reduce privacy risk? (Shared with the CSF's Protect Function.) |
CSF vs. Privacy Framework
Similarities: both manage data/information-system risk; both can use the Protect Function. Differences: the Privacy Framework focuses on privacy risk in data processing and uniquely includes Control-P and Communicate-P; the CSF focuses on cybersecurity events and, alongside Govern, Identify, and Protect, adds Detect, Respond, and Recover.
1.3 NIST SP 800-39: Managing Information Security Risk
An integrated, organization-wide approach to managing information-security risk as a continuous, iterative process from senior leadership to operations. Four components:
- Risk Framing: sets the context for risk decisions (assumptions, constraints, risk tolerance, priorities, trade-offs).
- Risk Assessment: identifies threats, vulnerabilities, likelihood, and potential impact.
- Risk Response: develops/selects responses (mitigate, transfer, accept, avoid) consistent with risk tolerance.
- Risk Monitoring: continuously tracks effectiveness of responses and changes in the environment.
Example (cloud adoption): Framing: leadership defines acceptable risk. Assessment: IT identifies vulnerabilities and impact. Response: encryption and MFA. Monitoring: ongoing review of logs and alerts.
1.4 NIST SP 800-53: Security & Privacy Controls
The detailed "control catalog" for federal information systems, far stricter and more granular than the CSF or Privacy Framework.
- Purpose: a comprehensive set of security & privacy controls (~1,200 controls and enhancements) to protect federal systems and comply with federal requirements.
- Scope: any system that processes, stores, or transmits federal information; widely adopted voluntarily.
- Mandated by: OMB Circular A-130 and FISMA (minimum controls to protect federal information).
- Emphasis: continuous monitoring, controls evaluated on an ongoing basis as threats evolve.
- Audience: system administrators, developers, security/privacy officers, auditors, procurement officials, third-party vendors.
| Implementation approach | Where the control is applied |
|---|---|
| Common (Inheritable) | Implemented once at the organization level and inherited by individual systems. |
| System-Specific | Tailored to and applied at the individual information-system level. |
| Hybrid | A combination: part of the control is implemented at the organization level where appropriate, the remainder at the system level. |
1.5 Data Breaches & Breach Costs
Unintentional breach: results from negligence or error. Intentional breach: bad actors illegally gaining access. Breach costs fall into: (1) detection & escalation, (2) notification, (3) post-breach response, and (4) lost business & revenue (loss of customer trust reduces revenue).
1.6 HIPAA
HIPAA Safeguards
| Administrative | Physical | Technical |
|---|---|---|
| Contingency plans; information-access management; security awareness & training. | Facility access controls; workstation use; workstation security; device & media controls. | Access control; audit controls; data-integrity controls; person/entity authentication; transmission security. |
HIPAA Security Rule
Covered entities must: (1) ensure the confidentiality, integrity, and availability of all electronic PHI; (2) protect against reasonably anticipated threats; (3) protect against reasonably anticipated impermissible uses/disclosures; and (4) ensure workforce compliance.
- C: Confidentiality
- I: Integrity
- A: Availability
1.7 GDPR: General Data Protection Regulation
Who it applies to
- Data processors based in the EU, even if the actual processing happens outside the EU.
- Processors not based in the EU if they offer goods/services to, or monitor the behavior of, people in the EU.
- Processors not based in the EU but where EU law applies via public international law (e.g., EU embassies).
Right to rectification: the individual's right to have inaccurate or incomplete personal data corrected or completed.
Principles for processing personal data
- Lawfulness, fairness, transparency.
- Purpose limitation: specified, explicit, legitimate purposes (further processing allowed for public-interest archiving, research, statistics).
- Data minimization: adequate, relevant, limited to what is necessary.
- Accuracy: accurate and kept up to date.
- Storage limitation: kept only as long as necessary.
- Integrity and confidentiality: processed securely against unauthorized processing, loss, destruction, damage.
1.8 EU–US Data Transfer
Concept to retain: the EU restricts transfers of personal data to countries it considers to lack "adequate" protection; transatlantic transfer frameworks bridge that gap. The current one is the EU-U.S. Data Privacy Framework (DPF); companies may also rely on tools such as Standard Contractual Clauses.
1.9 PCI DSS: Payment Card Industry Data Security Standard
Purpose: a standard from the PCI Security Standards Council to protect cardholder data and ensure secure payment processing. Scope: every entity that stores, processes, or transmits cardholder data. A core requirement is protecting cardholder data with strong cryptography during transmission over open, public networks.
| The six goals | Examples |
|---|---|
| 1. Build & maintain a secure network & systems | Maintain firewall configurations. |
| 2. Protect account data | Strong cryptography for cardholder data in transit over public networks. |
| 3. Maintain a vulnerability-management program | Anti-malware, secure development, regular patching/AV updates. |
| 4. Implement strong access-control measures | Authenticate access; restrict by need-to-know. |
| 5. Regularly monitor & test networks | Detect weaknesses and unauthorized access. |
| 6. Maintain an information-security policy | Policies/procedures to manage information security. |
1.10 CIS Controls & Implementation Groups
The CIS Controls are recommended actions and best practices to strengthen cyber defenses, helping organizations prioritize by risk and resources, defend against common and advanced threats, support compliance, and drive continuous improvement.
Design principles: Context (expand scope/practicality with examples), Coexistence (align with evolving standards including NIST CSF 2.0), Consistency (minimize disruption to control users).
Implementation Groups (self-assessed, by size/risk)
| IG | Typical organization | Goal / focus |
|---|---|---|
| IG1 | Small/midsize; limited IT & expertise; non-sensitive data; cannot tolerate long downtime. | Essential cyber hygiene, block common attacks; keep the company operational. |
| IG2 (incl. IG1) | IT staff supporting multiple departments with varied risk; holds sensitive client data; can tolerate short interruptions. | Enhanced, protect client data & trust; biggest concern is loss of trust from a breach. |
| IG3 (incl. IG1 & IG2) | Large/regulated/critical infrastructure with security experts across domains. | Enterprise-grade, high-impact data & public welfare; attacks can harm the company and the public. |
Selected CIS control families
| Control | What it does |
|---|---|
| 03, Data Protection | Classify and label data based on sensitivity. |
| 04, Secure Configuration | Establish/maintain secure baseline settings (harden systems; move off insecure defaults). |
| 05, Account Management | Create, authorize, maintain, and disable accounts; keep an account inventory. |
| 06, Access Control Mgmt | Grant/manage/revoke access rights and privileges (least privilege). |
| 08, Audit Log Management | Capture the time and detail of events such as crashes and restorations. |
| 09, Email & Web Browser Protections | Counter phishing (including attacks targeting executives who control funds). |
| 10, Malware Defenses | e.g., disable autorun/autoplay for removable media. |
| 12, Network Infrastructure Mgmt | Securely manage and keep network devices current; maintain secure architecture. |
| 13/14, Network Monitoring & Defense | Comprehensive monitoring; an IDS logs and analyzes traffic that passes the firewall; centralize alerting. |
| 15, Service Provider Mgmt | Vet third-party providers (e.g., review their SOC reports) when they access sensitive data. |
| 16, Application Software Security | Manage the security life cycle of software to find & fix weaknesses before exploitation. |
| 17, Incident Response Mgmt | Establish policies, plans, roles, training, and communication to prepare for and react to attacks. |
1.11 COBIT 2019: IT Governance Framework
A flexible, comprehensive toolkit for IT governance that helps ensure IT supports business goals, manages risk, and delivers value.
Six principles for a governance system
- Provide stakeholder value: balance benefits, risk, and resources via an actionable strategy.
- Holistic approach: consider diverse components together, focusing on how they interrelate.
- Dynamic governance system: when one part changes, weigh the impact on the whole.
- Distinct from management: governance and management are clearly separated.
- Tailored to enterprise needs: customize up front using design factors (structure, culture, goals).
- End-to-end governance: cover all processes that involve information and technology, not just IT.
Three principles for a governance framework
- Based on a conceptual model: identify components and their relationships.
- Open and flexible: a "living document".
- Aligned to major standards: regulations, frameworks, standards.
Governance & management objectives
| Domain | Focus |
|---|---|
| EDM: Evaluate, Direct, Monitor (Governance) | Those charged with governance evaluate objectives, direct management to achieve them, and monitor whether they are met. |
| APO: Align, Plan, Organize | Overall IT strategy & supporting activities; managing data, infrastructure, architecture, budgeting, risk. |
| BAI: Build, Acquire, Implement | Define, procure, deploy, and integrate IT solutions into business processes. |
| DSS: Deliver, Service, Support | Operations, service requests, problems, continuity, security services, business-process controls. |
| MEA: Monitor, Evaluate, Assess | Monitor performance, internal control, and compliance. |
Seven components of a governance system: processes; organizational structures; principles, policies & frameworks; information; culture, ethics & behavior; people, skills & competencies; and services, infrastructure & applications.
Design factors (examples): enterprise strategy; enterprise goals; risk profile; I&T-related issues; threat landscape; compliance requirements; role of IT (support, factory, turnaround, strategic); sourcing model; implementation methods; technology-adoption strategy (first mover, follower, slow adopter).
IT governance responsibilities
| Who | Responsibility |
|---|---|
| Board of directors | Sets governance policies. |
| Executives | Ensure an IT governance structure exists and is executed effectively. |
| Middle management | Carry out, implement, and enforce policies; organize teams, monitor compliance, report issues. |
| End users | Follow the processes and procedures. |