Governance, Risk and Compliance

The following are a few of the fundamental cyber security frameworks and references used to implement GRC.

  1. Defense in Depth:

    • Explanation: Defense in depth is a cybersecurity strategy that involves implementing multiple layers of security controls and measures to protect an organization's systems and data. It aims to provide redundancy and ensure that even if one security layer is breached, others can still defend against threats.

  2. Pyramid of Pain:

    • Explanation: The Pyramid of Pain is a threat-intelligence model that ranks the types of indicators a defender can act on (hash values, IP addresses, domain names, network and host artifacts, tools, and tactics, techniques and procedures) by how costly it is for an adversary to change them. Detecting and blocking higher-level indicators such as tools and TTPs causes the adversary more pain than blocking easily replaced hashes or IP addresses.

  3. MITRE Framework (ATT&CK):

    • Explanation: The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base that catalogs various tactics and techniques used by cyber adversaries. It assists organizations in understanding and defending against cyber threats effectively.

  4. CVE Database:

    • Explanation: The Common Vulnerabilities and Exposures (CVE) database is a publicly accessible repository that documents known vulnerabilities in software and hardware. Each vulnerability is assigned a unique identifier (CVE ID) and is widely used for vulnerability tracking and management.

  5. NIST Cybersecurity Framework:

    • Explanation: The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set of guidelines and best practices that help organizations manage and reduce cybersecurity risk. It provides a structured approach to cybersecurity and is widely adopted in various industries.

  6. NIST Vulnerability Database:

    • Explanation: The NIST National Vulnerability Database (NVD) is a comprehensive database that contains information about known vulnerabilities. It provides detailed information about vulnerabilities, including their severity, impact, and available patches or mitigations.

  7. NIST SP 800-53:

    • Explanation: NIST Special Publication 800-53 provides a catalog of security and privacy controls, along with guidelines and recommendations for managing them, for federal information systems and organizations. It is the core document of the NIST 800-53 series.

  8. Exploit Database:

    • Reference: Exploit Database

    • Explanation: The Exploit Database is a repository of exploits, vulnerabilities, and security research. Security professionals and researchers use it to access information about security vulnerabilities and exploits.

  9. CERT Security Notes:

    • Explanation: CERT (Computer Emergency Response Team) publishes security notes that provide information about vulnerabilities, threats, and best practices for enhancing cybersecurity.

  10. NSA DevSecOps:

    • Reference: The specific NSA DevSecOps reference is not publicly available. However, the NSA offers cybersecurity guidance and resources on its official website.

  11. NSA IAM (Identity and Access Management):

    • Reference: The specific NSA IAM reference is not publicly available. The NSA may provide guidance on IAM through various resources and publications.

  12. DISA (Defense Information Systems Agency):

    • Reference: DISA

    • Explanation: DISA is a U.S. Department of Defense (DoD) agency responsible for providing secure information systems and communications for the DoD. It offers cybersecurity guidelines and resources for DoD systems.

  13. CESG CHECK:

    • Explanation: CESG CHECK is a cybersecurity assurance scheme originally run by CESG and now run by its successor, the UK's National Cyber Security Centre (NCSC). It assesses the security of IT products and services to ensure they meet specific security standards.

  14. PCI DSS (Payment Card Industry Data Security Standard):

    • Explanation: PCI DSS is a set of security standards designed to ensure the secure handling of payment card data. It is essential for organizations that process credit card transactions.

  15. HITRUST:

    • Reference: HITRUST Alliance

    • Explanation: HITRUST is an organization that provides a framework for managing and securing healthcare information. It helps healthcare organizations protect sensitive patient data.

  16. HIPAA (Health Insurance Portability and Accountability Act):

    • Reference: HHS HIPAA

    • Explanation: HIPAA is a U.S. federal law that mandates the protection of patients' healthcare information. It sets standards for the security and privacy of health data.

  17. ISO 27000 Series:

    • Explanation: The ISO 27000 series includes a set of international standards and guidelines for information security management. ISO 27001, in particular, is widely adopted for creating Information Security Management Systems (ISMS).

  18. PTES (Penetration Testing Execution Standard):

  19. CMMC (Cybersecurity Maturity Model Certification):

  20. DOD Cybersecurity (Department of Defense Cybersecurity):

    • Explanation: The U.S. Department of Defense (DoD) has a comprehensive cybersecurity program to protect its information systems and networks. It includes various guidelines, policies, and practices to safeguard sensitive military information.
