Page 13 - CITP Review

Various frameworks have been developed that provide a basic conceptual structure for a system and
            that are often useful for organizations looking to achieve business alignment. Commonly used
            frameworks include the following:

              NIST cybersecurity framework (CSF)
              ISO 27001
              ISO 27002
              NIST SP 800-53

            The NIST cybersecurity framework draws together existing standards, guidelines, and best practices
            into a voluntary, risk-based approach originally aimed at protecting critical infrastructure. Components
            of the framework include the following:

              Core. A set of cybersecurity activities, desired outcomes, and informative references that are common
               across critical infrastructure sectors, organized into functions, categories, and subcategories.
              Implementation tiers. Give context about how an organization views cybersecurity risk and how mature
               the processes in place to manage that risk are.
              Profile. Represents the outcomes that an organization has selected from the framework categories and
               subcategories based on its business needs, aligning standards, guidelines, and practices to the
               framework core. Comparing a current profile with a target profile identifies gaps to prioritize.

            ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually
            improving an information security management system (ISMS). It is the standard against which an
            organization can be certified.

            ISO 27002 is a code of practice for information security controls that provides implementation
            guidance for the commonly accepted controls referenced by ISO 27001.

            NIST SP 800-53 is a catalog of security and privacy controls for federal information systems and
            organizations. Although it was written for the U.S. government, any organization can use it to help
            select and tailor security controls.




            Policy, procedures, processes, and standards


            Like many, if not most, of the assurance projects with which a CITP would be involved, this one begins
            with a review of policies and procedures in order to gain an understanding of the entity's information
            security, or infosec. In the IT policies and procedures (P&P), a segment dedicated to infosec would address
            issues generally classified under the components of the infosec triangle.
            The CITP would want to gain an understanding of the standards the entity intends to follow in
            developing, deploying, and monitoring infosec. Those standards should be tied to one of the professional
            organizations, for example, SANS (SysAdmin, Audit, Network, and Security), the International Information
            System Security Certification Consortium (ISC2), the Information Systems Security Association (ISSA), the
            Computer Security Institute (CSI), ISACA, and so on, or to best practices associated with one or more of
            those professions.








            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-5