What are the main methodologies and policy frameworks that helped develop today's understanding of data security?
As IT has developed and changed, so have the policies and procedures that help organisations understand their roles and responsibilities regarding the protection of their systems and data.
COSO:
Commission of Sponsoring Organisations: deals with financial fraud for those in the auditing fraternity.
ITIL:
IT Information Library: there to assist IT service management; published by the Stationery Office.
COBIT:
Controlled Object for Related Information Technologies: published by IT Governance to set high-level controls for IT objectives, driven by the business sector.
ISO:
Written by the British Standards Institute and then incorporated into the international ISO. It began as a series of benchmarks against which organisations then needed to gain accreditation. The first IT business management degree covering several different domains, like CISSP. Areas include:
- ISO 27002: Code of practice for information security management.
- ISO 27003: Guidelines for ISMS implementation.
- ISO 27004: Measurement and metrics.
- ISO 27005: Security risk management.
- ISO 27006: Requirements for bodies providing audit and certification.
NIST 800-39:
Set of best practices developed in the US for health under HIPAA and other regulated sectors.
CRAMM:
(CCTA Risk Assessment Management Method) Looks at technical and then human factors, and then makes recommendations.
Failure Modes and Effects Analysis:
Developed for hardware testing but can be applied to software testing. A basic try-and-see approach.
FRAP:
Facilitated Risk Analysis Process. Assumes that a narrow risk method is the most efficient, with the result then extrapolated to the whole process.
OCTAVE:
Like PRINCE2, it is a methodology run by an internal analysis team that looks at security and technical issues. Looks at characteristics and outputs.
SOMAP:
(Security Officers and Management Analysis Project) A Swiss non-profit organisation that provides advice on information security using its own methodology.
Fault Tree Analysis:
A methodology that defines threats in a tree structure and then deletes each branch once its issue is mitigated.