Hello and welcome back. Let’s continue examining some of the common security frameworks, starting with the NIST cyber framework. NIST is an American standard. It is similar to ISO 27001 in its process. First and foremost, we need to define a statement of scope. We need to identify our assets. As long as we know where our assets are, or where our information is, then we know what we have to protect.

Then we're going to protect them once we've found them and put our controls in place from our risk management strategy. We're then going to detect anomalies, or rather, we're building a baseline—we can't detect some anomalies if we don't know what normal is. And we'll do continuous monitoring. Then we'll build in processes or we'll make sure we've got processes in place to make sure that we can respond, and if that works then ultimately we'll be able to recover and stay in business.

So we have recovery planning, improvements, continuous improvement, and we'll keep making sure we are identifying new risks and new assets in our organisation and putting them through that situation. This then offers us the opportunity to improve in the future and do it better each time.

PCI DSS stands for Payment Card Industry Data Security Standard. It has 12 general baselines, 285 detail requirements, and is one of the hardest and strictest standards to meet that are out there. PCI DSS is inherent for operators like Visa, Mastercard, MNBA, Amex. They are the larger financial institutions that drive this standard.

If a PCI DSS compliant company is compromised or hacked, it is likely they will then be charged a fine. British Airways for example was recently compromised. It is likely they would have been given fines or extra levies for processing transactions. For an organisation the size of British Airways, that wasn't too much of a big issue for them because they would've had that factored in as part of their risk management. They would have been saying something along the lines of: "What’s the impact if we get breached? Probably fines from PCI DSS. That's not too bad. What does that that look like? We don't know, possibly another three, four million for the year. A negligible risk". 

They would have put a risk management process in place to make sure that if that situation did transpire, even if they were charged more for transactions, the business would still be in profit. What PCI DSS do have the power to do is stop you using and doing card payments altogether. They have that power because it's their system, it's their type of network. So they will close down your ability to do so, and deny you access. A decision as such wouldn’t be taken lightly, of course... especially for a large operator like British Airways.

PCI /DSS is a really robust standard. You can go online and you can download PCI DSS for yourself. The requirements are stipulated in the PCI DSS standards document. It breaks them down into segments. Testing procedures, guidance, requirements. So you can see they've really broken down these 12 requirements as much as they can, so that you've got 285 detailed instructions there as to what you have to follow.

A common approach to PCI DSS is to implement a walled garden, ideally having a network that doesn't touch your other networks. You have your LAN, and separately, you'll have your PCI environment. And you don't want these two to touch. They may be connected just for possible data transfer purposes at any point in time, and you're probably going to want to double-file everything.

In that situation, you would ensure that you've got a strict access control list to make sure that nothing makes its way over from one to the other because the second that these two touch, everything over here has to be hit to those exact same standards, all 285 of those requirements. And that is financially an issue for most organisations. So they normally just create a PCI DSS environment and let it be a walled garden, completely separate from whatever else they’ve got going on.

So, there's our PCI DSS requirements. Restrict access to cardholder data by 'need to know'. Down here at number seven, 'assign unique ID to each person with computer access'. That's what you have to go and do. And that's important as well. And the reason why that's important is because it allows us to have proper change control.

COBIT 5

COBIT 5 is a business framework done by ISACA of Enterprise IT, and works similarly to some of our ISO 27001 standards, but it has principles and analytical tools and models. 

PAS 555

PAS 555 is a publicly available standard by the DSI. It isn’t very thorough and few organisations use it. Instead they prefer NIST standards, ISO 27001, and all the rest. There's more information available for free. NIST standards are free, and you can download them. There are special publications you can download.

FIPS

FIPS stands for Federal Information Processing Standards - these are special publications. In the 800 series, they're all about computer security. Application containers, virtual machines, trustworthy email. 

Section 53 and SDA 830. Section 53 is Security and privacy for federal information systems and organisations. SDA 830 is a guide for conducting risk assessments.

So that is a high-level view of some of the frameworks available. These can help you understand what needs to be done, without having to spend exorbitant amounts of money to do so.