# Security Governance Frameworks

NIST, ISO 27001, COBIT, and implementing governance structures.

## Overview

Governance frameworks give an organization a structured, repeatable way to select, implement, and measure security controls rather than addressing risks ad hoc.
## Framework Comparison

| Framework | Focus | Complexity |
|---|---|---|
| NIST CSF | Cybersecurity | Medium |
| ISO 27001 | Information security | High |
| COBIT | IT governance | High |
| CIS Controls | Practical controls | Low |
## NIST Cybersecurity Framework

1. IDENTIFY
   - Asset management
   - Risk assessment
2. PROTECT
   - Access control
   - Training
3. DETECT
   - Monitoring
   - Detection processes
4. RESPOND
   - Response planning
   - Communications
5. RECOVER
   - Recovery planning
   - Improvements
## ISO 27001 Controls

### A.5 Information Security Policies
- A.5.1 Management direction
- A.5.2 Information security policies

### A.6 Organization of Information Security
- A.6.1 Internal organization
- A.6.2 Mobile devices and teleworking

### A.7 Human Resource Security
- A.7.1 Prior to employment
- A.7.2 During employment
- A.7.3 Termination of employment
## Implementation Steps

1. Gap Assessment → Current vs target
2. Policy Development → Documentation
3. Control Implementation → Technical controls
4. Training → Awareness programs
5. Internal Audit → Self-assessment
6. Certification → External audit
## Governance Metrics

| Metric | Target |
|---|---|
| Policy compliance | > 95% |
| Audit findings resolved | < 30 days |
| Training completion | > 90% |
| Risk assessments completed | 100% |
## Practice

Implement NIST CSF for a small organization.