IT and Business Insights for SMB Solution Providers

There are many frameworks that you can use to protect a company infrastructure

They are many different approaches to helping a company look at protection of assets and data for a repeatable process.

There is Cobitby ISACA, COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by the ISACA (Information Systems Audit and Control Association) for IT governance and management. It was designed to be a supportive tool for managers—and allows bridging the crucial gap between technical issues, business risks, and control requirements. You can learn about COBIT here.

The National Institute of Standards and Technology  (NIST) SP 800The NIST SP 800 documents are a series of publications put forth by the National Institute of Standards and Technology (NIST), which is a non-regulatory agency of the United States Department of Commerce. The SP 800 series was established in 1990 and has grown quite a bit since then, encompassing a large, in-depth, and ever-growing set of computer security documents seen by many as industry leading. Additionally, the NIST SP 800 documents have been well-known to many professionals within the field of information technology - particularly that of information security -as they gained additional recognition with the Federal Information Security Management Act of 2002, known as FISMA. You can see the SP 800 files here.

Cybersecurity Framework Version 1.1 CSF. This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. You can learn about CSF here.

The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS). There are more than a dozen standards in the 27000 family, you can see them here.

Most of us know about MITRE CVE’swho sole purpose is to provide common vulnerability identifiers called “CVE Entries.” CVE does not provide severity scoring or prioritization ratings for software vulnerabilities. However, while separate, the CVSS standard can be used to score the severity of CVE Entries.        

One you might not know about is MITRE ATT&CK™

MITRE also has the ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.  With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge. You can find out more here.

About the Author

ChannelPro SMB Magazine
SUBSCRIBE FREE!

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.