FRAMEWORKS.md

Security Frameworks & Standards

Comprehensive collection of security frameworks, compliance standards, and threat analysis models used across the cybersecurity industry.

NIST Framework Suite

The National Institute of Standards and Technology (NIST) publishes comprehensive cybersecurity frameworks and guidelines.

Core Frameworks

• NIST Cybersecurity Framework - Framework for improving critical infrastructure cybersecurity
• NIST Privacy Framework - Privacy risk management framework
• NIST 800-37 Risk Management Framework - RMF for information systems and organizations

Security Controls

• NIST 800-53 Security Controls - Security and privacy controls for information systems
• NIST 800-171 - Protecting Controlled Unclassified Information (CUI)

Risk Management

• NIST 800-39 Managing Information Security Risk - Organization-level risk management

Specialized Guidelines

• NIST 800-61 Incident Handling Guide - Computer security incident handling
• NIST 800-63 Digital Identity Guidelines - Digital identity framework
• NIST 800-207 Zero Trust Architecture - Zero trust security model
• NIST 800-218 Secure Software Development Framework - Secure SDLC practices

---

ISO/IEC Standards

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) security standards.

Information Security Management

• ISO/IEC 27001 - Information security management systems (ISMS) requirements
• ISO/IEC 27002 - Code of practice for information security controls

Specialized ISO Standards

• ISO/IEC 27032 - Guidelines for cybersecurity
• ISO/IEC 27033 - Network security management
• ISO/IEC 27034 - Application security guidelines
• ISO 22301 - Business continuity management systems

---

Industry Security Frameworks

Threat Intelligence & Attack Frameworks

MITRE Corporation:

• MITRE ATT&CK Framework - Adversary tactics, techniques, and common knowledge
• MITRE Shield - Active defense knowledge base
• MITRE Engage - Framework for adversary engagement operations

Attack Models:

• Lockheed Martin Cyber Kill Chain - Framework for identifying and preventing cyber intrusions
• Diamond Model of Intrusion Analysis - Model for analyzing cyber intrusions
• Unified Kill Chain - Unified framework combining multiple kill chain models

Application Security

• OWASP Top 10 - Top 10 web application security risks
• OWASP ASVS - Application Security Verification Standard
• OWASP SAMM - Software Assurance Maturity Model
• OWASP Mobile Top 10 - Mobile application security risks

Security Controls & Best Practices

• CIS Controls - Critical security controls for effective cyber defense
• CIS Benchmarks - Configuration best practices for various technologies

Cloud Security

• Cloud Security Alliance CCSK - Certificate of Cloud Security Knowledge
• CSA Cloud Controls Matrix - Security controls framework for cloud computing
• AWS Well-Architected Framework - Security pillar for AWS

---

Compliance & Regulatory Frameworks

Financial Services

Payment Card Industry:

• PCI-DSS - Payment Card Industry Data Security Standard
  • Requirements for securing credit card transactions
  • Applies to all entities that store, process, or transmit cardholder data

Banking & Finance:

• SOX (Sarbanes-Oxley Act) - Financial reporting and IT controls
• GLBA (Gramm-Leach-Bliley Act) - Financial privacy requirements

Healthcare

• HIPAA Security Rule - Health Insurance Portability and Accountability Act
  • Protects electronic protected health information (ePHI)
  • Administrative, physical, and technical safeguards
• HITECH Act - Health Information Technology for Economic and Clinical Health

Privacy Regulations

International:

• GDPR (General Data Protection Regulation) - European Union data protection and privacy
  • Applies to all organizations processing EU citizen data
  • Data protection by design and default

United States:

• CCPA (California Consumer Privacy Act) - California privacy law
• CPRA (California Privacy Rights Act) - Enhanced California privacy protections

Canada:

• PIPEDA - Personal Information Protection and Electronic Documents Act

Federal & Government

United States Federal:

• FISMA (Federal Information Security Management Act) - Federal information security requirements
• FedRAMP (Federal Risk and Authorization Management Program) - Cloud security assessment for federal agencies
• NIST SP 800-53 - Security controls for federal systems

Defense:

• CMMC (Cybersecurity Maturity Model Certification) - DoD cybersecurity framework
  • Required for defense contractors
  • Tiered maturity model (Levels 1-3)

Industry Standards

• SOC 2 Type II - Service Organization Control 2
  • Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Common for SaaS and cloud service providers

---

Incident Response Frameworks

Response Methodologies

NIST Incident Response:

• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activity

SANS Incident Response:

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

---

Risk Management Frameworks

Enterprise Risk

• ISO 31000 - Risk management guidelines
• COSO ERM Framework - Enterprise risk management
• FAIR (Factor Analysis of Information Risk) - Quantitative risk analysis

IT Risk

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) - Risk-based strategic assessment
• NIST RMF - Risk Management Framework for information systems

---

Security Architecture Frameworks

Enterprise Architecture

• SABSA (Sherwood Applied Business Security Architecture) - Business-driven security architecture framework
• TOGAF (The Open Group Architecture Framework) - Enterprise architecture methodology
• Zachman Framework - Enterprise architecture framework

Zero Trust

• NIST Zero Trust Architecture (SP 800-207)
• Microsoft Zero Trust Model
• Google BeyondCorp - Zero trust security framework

---

Industry-Specific Frameworks

Critical Infrastructure

• NERC CIP - North American Electric Reliability Corporation Critical Infrastructure Protection
• TSA Security Directives - Transportation security requirements

Manufacturing & IoT

• IEC 62443 - Industrial automation and control systems security
• NIST Cybersecurity for IoT - IoT security guidance

---

Threat & Vulnerability Frameworks

Vulnerability Databases

• CVE (Common Vulnerabilities and Exposures) - Vulnerability naming standard
• NVD (National Vulnerability Database) - US government vulnerability database
• CWE (Common Weakness Enumeration) - Software security weakness taxonomy

Scoring Systems

• CVSS (Common Vulnerability Scoring System) - Vulnerability severity scoring
• EPSS (Exploit Prediction Scoring System) - Likelihood of exploitation

---

Data Breach & Incident Frameworks

Incident Documentation

• VERIS (Vocabulary for Event Recording and Incident Sharing) - Framework for describing security incidents
• STIX/TAXII - Structured Threat Information Expression / Trusted Automated Exchange of Intelligence Information

---

Maturity Models

Security Maturity

• OWASP SAMM - Software Assurance Maturity Model
• CMMC - Cybersecurity Maturity Model Certification
• C2M2 (Cybersecurity Capability Maturity Model) - Energy sector cybersecurity maturity

Governance Maturity

• COBIT - Control Objectives for Information and Related Technologies
  • IT governance and management framework
  • Published by ISACA

---

Additional Resources

Framework Implementation Guides

• NIST Cybersecurity Framework Implementation Guide
• CIS Controls Implementation Groups
• ISO 27001 Implementation Guide

Framework Mapping

• NIST-to-ISO Mapping
• CIS Controls to NIST CSF Mapping

---

Back to Resources | Back to Main