Academy Central
----
Weather

Introduction to Frameworks

Frameworks help organizations plan, assess, review, and manage cybersecurity. Five key frameworks are discussed below.

框架簡介(繁體中文)

框架旨在協助組織規劃、評估、審查及管理網路安全。以下將介紹五個主要安全框架。


NIST Cybersecurity Framework

Overview

The NIST Cybersecurity Framework is a U.S. policy framework designed to help organizations assess and improve their security posture against cyberattacks.

Purpose

It provides a scalable methodology based on existing standards, guidelines, and practices for managing and reducing cybersecurity risk. It also facilitates communication between internal and external stakeholders.

Components

The framework comprises three main components:

  • Core — A set of desired cybersecurity activities suitable for organizations of any size, designed to complement the risk management process.
  • Implementation Tiers — Provide an organizational view of cybersecurity risk management to guide discussions on risk appetite, budget, and priorities.
  • Profiles — Enable organizations to strengthen existing processes or implement new ones, facilitating internal communication.

NIST 網路安全框架(繁體中文)

概述

NIST 網路安全框架是由美國國家標準暨技術研究院(NIST)制定的政策框架,旨在協助組織評估並提升抵禦網路攻擊的安全態勢。

目的

該框架基於現有標準、指南與實務做法,提供可擴展的方法論,協助組織管理並降低網路安全風險,同時促進內外部利害關係人之間的安全溝通。

組成要素

框架包含三大組成部分:

  • 核心(Core) — 一套適用於各類組織的網路安全活動,旨在輔助風險管理流程。
  • 實施分級(Implementation Tiers) — 提供網路安全風險管理的組織視角,協助討論風險偏好、預算與優先事項。
  • 設定檔(Profiles) — 協助組織強化現有流程或導入新流程,促進內部溝通。

NIST Special Publication 800-61

Overview

NIST SP 800-61 provides step-by-step guidance for incident response teams to create effective incident response policies and plans, helping organizations better manage computer security incidents.

Recommendations

NIST recommends that each incident response plan include a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring effectiveness, and a built-in process for updating the plan. The guide also emphasizes post-incident reviews to strengthen future protections.

NIST SP 800-61(繁體中文)

概述

NIST SP 800-61 為事件應變團隊提供逐步指引,協助制定有效的事件應變政策與計畫,幫助組織更完善地管理電腦安全事件。

建議事項

NIST 建議每份事件應變計畫應包含使命宣言、策略與目標、組織應變方法、成效衡量指標,以及內建的計畫更新機制。該指南亦強調應進行事件後檢討,以強化未來防護能力。


FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) modernizes government IT by providing a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Effective Cloud Security

FedRAMP provides a framework for creating repeatable processes to ensure effective cloud security for the government.

Marketplace

FedRAMP established a cloud service marketplace enabling collaboration across agencies through use cases, solutions, and lessons learned.

Security Baselines

FedRAMP defines four security baselines:

  • High — 421 controls
  • Moderate — 325 controls
  • Low — 125 controls
  • LI SaaS — 36 controls

Goals

FedRAMP collaborates with agencies including NSA, DoD, NIST, GSA, and OMB to achieve the following:

  1. Accelerate the shift to secure cloud solutions through reuse of assessments and authorizations.
  2. Improve confidence in cloud security.
  3. Ensure consistent application of security policies.
  4. Increase automation for near real-time continuous monitoring.

FedRAMP(繁體中文)

FedRAMP(聯邦風險與授權管理計畫)透過提供標準化的安全評估、授權及持續監控方法,推動政府 IT 現代化。

有效的雲端安全

FedRAMP 提供建立可重複流程的框架,確保政府機構的雲端安全。

服務市集

FedRAMP 建立雲端服務市集,促進跨機構協作,共享使用案例、解決方案與經驗教訓。

安全基準

FedRAMP 定義四級安全基準:

  • 高安全性 — 421 項控制項
  • 中安全性 — 325 項控制項
  • 低安全性 — 125 項控制項
  • LI SaaS — 36 項控制項

目標

FedRAMP 與 NSA、DoD、NIST、GSA、OMB 等機構合作,致力實現以下目標:

  1. 透過評估與授權的再利用,加速採用安全雲端解決方案。
  2. 提升雲端安全信心。
  3. 確保安全政策的一致性執行。
  4. 透過持續監控提升自動化與即時資料能力。

FISMA

The Federal Information Security Modernization Act (FISMA) is a U.S. federal law that implements a comprehensive framework to protect information systems used in government agencies. It requires agencies to develop, document, and implement an information security program covering:

  • Information system inventory
  • Risk-based categorization of information and systems
  • Selection of appropriate security controls
  • Risk assessment
  • System security plan
  • Certification and accreditation
  • Continuous monitoring

FISMA(繁體中文)

FISMA(聯邦資訊安全現代化法案)是美國聯邦法律,建立了一套全面框架以保護政府機構的資訊系統。該法要求各機構制定、記錄並實施資訊安全計畫,內容涵蓋:

  • 資訊系統清冊
  • 依風險等級分類資訊與系統
  • 選用適當的安全控制措施
  • 風險評估
  • 系統安全計畫
  • 驗證與認證
  • 持續監控

MITRE ATT&CK Framework

The ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base of attacker behaviors. It enables security teams to view attack groups, access dynamically created dashboards for planning detection capabilities, and analyze adversary tactics. The framework consists of 12 tactics and 332 techniques, each containing methods used to achieve attacker objectives.

MITRE ATT&CK 框架(繁體中文)

MITRE ATT&CK(對抗性戰術、技術與共通知識)框架是一個攻擊者行為的知識庫。安全團隊可藉此檢視攻擊群組、使用動態儀表板規劃偵測能力,並分析攻擊者戰術。該框架包含 12 項戰術與 332 項技術,每項戰術下涵蓋多種攻擊者達成目標的手法。


ISO Standards

The International Organization for Standardization (ISO) publishes standards relating to information security, digital evidence, and incident handling:

  • ISO/IEC 27035-1 — Principles of incident management
  • ISO/IEC 27035-2 — Guidelines to plan and prepare for incident response
  • ISO/IEC 27037 — Guidelines for identification, collection, and preservation of digital evidence
  • ISO/IEC 27042 — Guidelines for analysis and interpretation of digital evidence
  • ISO/IEC 27043 — Incident investigation principles and processes

ISO 標準(繁體中文)

國際標準化組織(ISO)發布多項資訊安全、數位證據及事件處理相關標準:

  • ISO/IEC 27035-1 — 事件管理原則
  • ISO/IEC 27035-2 — 事件應變規劃與準備指引
  • ISO/IEC 27037 — 數位證據識別、蒐集與保存指引
  • ISO/IEC 27042 — 數位證據分析與解讀指引
  • ISO/IEC 27043 — 事件調查原則與流程