Building governance to ensure compliance, and reduce/mitigate risk with compensating controls.
Maximize the Value of IT and address with Governance, Risk, and Compliance (GRC).
Comply with process, systems and oversight
Policies, standards, processes, procedures and guidelines
Risk: Avoid, Mitigate, Accept, Transfer (identify, document, and elevate visibility)
Security Awareness (security technologies, trends, standards and best practices)
Standards:
CFR - Code of Federal Regulations (Title 21)
CJIS Security Policy v5.5 - Criminal Justice Information Services
CNSSI No. 1253 - Security Categorization and Control Selection for National Security Systems; 27 March 2014
DAAPM - Defense Security Service (DSS) Assessment and Authorization Process Manual
DIACAP - DoD Information Assurance Certification and Accreditation Process
DoD 5200.01 - Information Security Program: Controlled Unclassified Information
DoD 5200.40 - Information Technology Security Certification and Accreditation Process (DITSCAP)
DoD Instruction 8510.01 - Risk Management Framework (RMF) for DoD IT
DoD Manual 5200.01 - Information Security Program, Protection of Classified Information
DoDD 8750.1 - Information Assurance Training, Certification, and Workforce Management (Cancelled; superseded by DoDD 8140.01)
DoD 8750.01-M - Information Assurance (IAM)
DoDD 8140.01 - Cyberspace Workforce Management
DoDD 8001 - Defense Information Management (IM) Program
DoDD 8500.01 - Cybersecurity
DoDD 5505.13E - DoD Executive Agent (EA) for the DoD Cyber Crime Center (DC3)
DoDD 8140.01 - Cyberspace Workforce Management
DoDI 8500.01 - Cybersecurity
DoDI 8500.2 - Information Assurance Implementation
DoDI 8530.01 - Cybersecurity Activities Support to DoD Information Network Operations
DoDI S-5240.23 - Counterintelligence (CI) Activities in Cyberspace (U)
DoDI 5205.13 - Defence Industrial Base (DIB) Cyber Security (CS) Activities
DoDI S-3325.10 - Human Intelligence (HUMINT) Activities in Cyberspace (U/FOUO)
DoDI 8500.2 - Information Assurance (IA) Implementation
FedRAMP - Federal Risk and Authorization Management Program
FIPS - Federal Information Processing Standards
FISMA - Federal Information Security Modernization Act
HIPAA - Health Insurance Portability and Accountability Act
NISPOM (DoD 5220.22-M) - National Industrial Security Program Operating Manual (Change 2; May 18, 2016) Changes: Summary / Redlines
NIST - National Institute of Standards and Technology
NIST FIPS-199 - Standards for Security Categorization of Federal Information and Information Systems
NIST SP 800-30 - Guide for Conducting Risk Assessments
NIST SP 800-37 Rev 1 - Guide for Applying the Risk Management Framework to Federal Information Systems
NIST SP 800-39 - Managing Information Security Risk
NIST SP 800-53 - Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-53A - Assessing Security and Privacy Controls in Federal Information Systems and Organizations
NIST SP 800-60 - Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-137 - Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
NIST SP 800-145 - The NIST Definition of Cloud Computing
NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
NIST SP 800-60 (Vol 1) - Guide for Mapping Types of Information and Information Systems to Security Categories
PCI-DSS - Payment Card Industry Data Security Standard
ISO 9001 - Quality Management
ISO 19770-1:2017 - Information Technology - IT Asset Management - IT Asset Management Systems - Requirements
ISO 27001 - Information technology - Security techniques - Information security management systems - Requirements
ISO 27002 - Information technology — Security techniques — Code of practice for information security management
ISO 27018 - IT Security techniques Code of practice for protection of PII in public clouds acting as PII processors
Frameworks:
COBIT - Control Objectives for Information and Related Technologies
ITIL - Information Technology Infrastructure Library
NIST SP 800-37 (Rev 2) - Risk Management Framework for Information Systems and Organizations
Risk-IT - The Risk IT Framework
DevOps
Guidelines:
ICD-503 - Intelligence Community Technology System Security, Risk Management, Certification and Accreditation
NIST 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems
NIST 800-30 (Rev 1) - Guide for Conducting Risk Assessments
SOC - Service Organization Control Reports