Week Introduction
"Industry standards as security roadmaps." Security standards and benchmarks provide battle-tested guidance distilled from thousands of breaches, compliance audits, and expert consensus. Rather than inventing security from scratch, professionals leverage these frameworks to build mature security programs.
You cannot defend everything equally—resources are finite. Standards help you prioritize high-impact controls and measure security maturity objectively. This week introduces the frameworks used by governments, Fortune 500 companies, and security professionals worldwide.
Learning Outcomes (Week 14 Focus)
By the end of this week, you should be able to:
- LO1 - CIS Controls Mastery: Navigate the CIS Controls v8 framework and understand Implementation Groups (IG1, IG2, IG3) for organizational sizing
- LO2 - NIST 800-53 Literacy: Understand NIST SP 800-53 security control families and how they map to compliance requirements
- LO3 - ISO 27001/27002 Awareness: Recognize international security standards and certification requirements
- LO4 - Automated Assessment: Use tools like CIS-CAT Lite to assess system compliance against benchmarks
- LO5 - Risk-Based Prioritization: Map organizational needs to appropriate standard controls and implementation levels
Lesson 14.1 · Why Security Standards Matter
The challenge: Every organization faces similar threats (ransomware, phishing, data breaches), yet security maturity varies wildly. Some build comprehensive programs, others apply random controls hoping for protection. Standards bridge this gap.
What Security Standards Provide
- Proven baseline controls: Instead of guessing what works, standards codify lessons from thousands of incidents. These controls have demonstrated effectiveness across industries.
- Prioritization frameworks: Not all controls are equal. Standards help you focus limited resources on high-impact defenses first.
- Measurement and maturity: Objective assessment of "how secure are we?" Standards provide scoring and maturity models.
- Common language: When auditors, regulators, or customers ask "are you secure?", standards provide verifiable answers (ISO 27001 certified, CIS IG2 compliant, etc.)
- Compliance shortcuts: Many regulations (PCI DSS, HIPAA, GDPR) accept standard frameworks as evidence of due diligence.
Types of Security Standards
1. Prescriptive Controls (CIS Controls, NIST 800-53)
Tell you WHAT to implement (enable MFA, encrypt data, monitor logs)
Best for: Implementation teams, technical security
2. Management Frameworks (ISO 27001, NIST CSF)
Tell you HOW to organize security programs (governance, risk management, policies)
Best for: Leadership, compliance, maturity assessment
3. Industry-Specific (PCI DSS for payments, HIPAA for healthcare)
Tailored to sector-specific risks and regulations
Best for: Compliance in regulated industries
Lesson 14.2 · CIS Controls v8 - The 18 Critical Security Controls
What are CIS Controls? Created by the Center for Internet Security (CIS), these are 18 prioritized cybersecurity actions proven to block known attack patterns. Unlike frameworks with hundreds of controls, CIS focuses on high-impact defenses that stop the majority of attacks.
The 18 CIS Controls (Organized by Category)
Basic CIS Controls (Foundation)
1. Inventory and Control of Enterprise Assets: Know what devices exist on your network (you can't protect what you don't know about)
2. Inventory and Control of Software Assets: Track approved software, block unauthorized applications
3. Data Protection: Classify data, encrypt sensitive information, implement data loss prevention
4. Secure Configuration of Enterprise Assets and Software: Harden systems (disable unnecessary services, apply CIS Benchmarks)
5. Account Management: Control user privileges, implement least privilege, disable inactive accounts
6. Access Control Management: Enforce authentication (MFA), manage access to sensitive data
Foundational CIS Controls
7. Continuous Vulnerability Management: Scan for vulnerabilities, prioritize patching based on risk
8. Audit Log Management: Collect logs, monitor for anomalies, retain for forensics
9. Email and Web Browser Protections: Block phishing, filter malicious content, sandbox attachments
10. Malware Defenses: Deploy antivirus, enable automatic updates, use allowlisting
11. Data Recovery: Automated backups, test restoration, protect backup integrity
12. Network Infrastructure Management: Segment networks, manage network devices securely, use VLANs
Organizational CIS Controls
13. Network Monitoring and Defense: Deploy IDS/IPS, analyze traffic, detect command-and-control
14. Security Awareness and Skills Training: Train users to recognize phishing, report incidents, follow security policies
15. Service Provider Management: Assess vendor security, require contractual protections, monitor third parties
16. Application Software Security: Secure SDLC, code reviews, security testing, patch management
17. Incident Response Management: IR plan, detection capabilities, forensics, lessons learned
18. Penetration Testing: Regular red team exercises, vulnerability assessments, attack simulation
Implementation Groups (IG1, IG2, IG3)
Not every organization needs all 18 controls at maximum maturity. CIS defines three Implementation Groups based on organization size, risk profile, and resources:
IG1 - Essential Cyber Hygiene (Small organizations, limited IT staff)
• Focus: Controls 1-6 (56 Safeguards total)
• Who: Small businesses, startups, low-risk environments
• Goal: Baseline protection against common attacks
• Example: Hardware/software inventory, secure configuration, basic access control, automated backups
IG2 - Foundational Security (Medium organizations, moderate risk)
• Focus: Controls 1-16 (130 Safeguards total)
• Who: Enterprises handling sensitive data, healthcare, financial services
• Goal: Defend against sophisticated threats, enable compliance
• Example: Add vulnerability scanning, SIEM/log monitoring, network segmentation, security training
IG3 - Advanced/Progressive (Large organizations, high risk/regulatory requirements)
• Focus: All 18 Controls (153 Safeguards total)
• Who: Critical infrastructure, government, high-value targets
• Goal: Comprehensive security program, zero trust, threat hunting
• Example: Add IDS/IPS, penetration testing, advanced IR capabilities, application security program
Lesson 14.3 · NIST SP 800-53 - Security and Privacy Controls
What is NIST 800-53? A comprehensive catalog of security and privacy controls for federal information systems (and widely adopted by commercial organizations). Unlike CIS Controls (18 high-level actions), NIST 800-53 provides 1,000+ detailed controls organized into 20 families.
The 20 Control Families
Each family addresses a security domain:
- AC - Access Control: Who can access what? (RBAC, least privilege, session management)
- AU - Audit and Accountability: Logging, monitoring, forensic evidence
- AT - Awareness and Training: Security education programs
- CM - Configuration Management: Baseline configurations, change control
- CP - Contingency Planning: Business continuity, disaster recovery, backups
- IA - Identification and Authentication: User identity, MFA, credential management
- IR - Incident Response: Detection, response, reporting, recovery
- MA - Maintenance: System maintenance, tools, personnel
- MP - Media Protection: Protecting physical media, sanitization
- PE - Physical and Environmental Protection: Facility security, fire suppression
- PL - Planning: Security planning, system security plans
- PS - Personnel Security: Background checks, separation of duties
- PT - PII Processing and Transparency: Privacy protections (new in Rev 5)
- RA - Risk Assessment: Vulnerability scanning, threat analysis
- CA - Assessment, Authorization, and Monitoring: Security testing, continuous monitoring
- SC - System and Communications Protection: Network security, encryption, segmentation
- SI - System and Information Integrity: Malware protection, input validation, error handling
- SA - System and Services Acquisition: Secure development, supply chain risk
- PM - Program Management: Governance, enterprise architecture
- SR - Supply Chain Risk Management: Vendor assessment, component authenticity
Control Baselines (Low, Moderate, High)
Similar to CIS Implementation Groups, NIST defines three impact levels based on confidentiality, integrity, and availability requirements:
- Low Baseline: ~125 controls (minimal impact if breached)
- Moderate Baseline: ~325 controls (serious impact, most commercial systems)
- High Baseline: ~420+ controls (severe/catastrophic impact, national security)
Example Control - AC-2 (Account Management):
• Identifies authorized users
• Defines access privileges
• Enforces least privilege
• Monitors account usage
• Reviews accounts periodically
• Disables inactive accounts
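An added example (not from the course or from NIST) of turning the AC-2 bullets above into an automated periodic account review over a constructed inventory. The 90-day and 30-day inactivity thresholds are assumptions, since AC-2 leaves the period organization-defined.

```python
"""Periodic account review in the spirit of NIST SP 800-53 AC-2, over a constructed inventory."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    enabled: bool
    privileged: bool
    last_login: Optional[date]   # None means the account has never logged in
    on_authorized_list: bool     # appears on the approved-user list (AC-2 d.)


# Inactivity thresholds are assumptions for this example; AC-2 leaves the
# period organization-defined. Privileged accounts get a shorter window.
INACTIVE_DAYS = 90
PRIVILEGED_INACTIVE_DAYS = 30


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs that the reviewer must act on."""
    findings = []
    for acct in accounts:
        # AC-2 d. / AC-2(3)(b): every account must trace to an authorized user.
        if not acct.on_authorized_list:
            findings.append((acct.name, "not on authorized user list: remove or document"))
        if not acct.enabled:
            continue  # already disabled; nothing further to enforce
        limit = PRIVILEGED_INACTIVE_DAYS if acct.privileged else INACTIVE_DAYS
        idle = None if acct.last_login is None else (today - acct.last_login).days
        # AC-2(3)(d): disable accounts inactive for longer than the defined period.
        if idle is None or idle > limit:
            findings.append((acct.name, f"inactive >{limit} days: disable"))
    return findings


# Constructed sample inventory; names and dates are made up for the example.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, False, date(2024, 5, 22), True),   # normal, active
    Account("bob",   True, True,  date(2024, 4, 15), True),   # privileged, 47 days idle
    Account("carol", True, False, None,              True),   # never logged in
    Account("dave",  True, False, date(2024, 5, 27), False),  # no authorization record
    Account("eve",   False, True, date(2023, 3, 1),  True),   # already disabled
]


def sample_findings() -> List[Tuple[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```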
Lesson 14.4 · ISO 27001/27002 - International Security Standard
What is ISO 27001? An international standard for Information Security Management Systems (ISMS). Unlike technical controls (CIS, NIST 800-53), ISO 27001 focuses on establishing a management system—policies, processes, risk management, continuous improvement.
Key Difference: Certification vs. Framework
- CIS Controls & NIST 800-53: Self-assessment frameworks (you implement, you measure)
- ISO 27001: Third-party certification (external auditor verifies compliance)
Why organizations pursue ISO 27001 certification:
- Customer requirements (many enterprises require vendor certification)
- Market differentiation (trust signal for security-conscious buyers)
- International recognition (accepted in 170+ countries)
- Regulatory alignment (maps to GDPR, UK Cyber Essentials, others)
ISO 27001 vs. ISO 27002
- ISO 27001: WHAT you must do (requirements for ISMS certification)
- ISO 27002: HOW to do it (implementation guidance, best practices)
ISO 27002 Control Categories (2022 version): 93 controls in 4 themes
- Organizational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
Lesson 14.5 · Automated Compliance Assessment Tools
The scaling problem: Manually checking hundreds of controls across dozens of systems is impractical. Automated tools assess compliance, generate reports, and track remediation.
CIS-CAT (Configuration Assessment Tool)
What it does: Scans systems against CIS Benchmarks (secure configuration guides) and scores compliance.
- CIS-CAT Lite (free): Assess individual systems, manual execution
- CIS-CAT Pro (paid): Centralized dashboard, automated scanning, multiple OSes
Supported benchmarks: Windows, Linux, macOS, Docker, Kubernetes, AWS, Azure, Office 365, databases
Other Notable Tools
- OpenSCAP: Open-source compliance automation (NIST 800-53, PCI DSS, DISA STIGs)
- Nessus/Tenable: Vulnerability + compliance scanning
- AWS Security Hub / Azure Security Center: Cloud-native compliance dashboards
- Prowler (AWS), ScoutSuite (multi-cloud): Open-source cloud security assessments
Lesson 14.6 · Mapping Standards to Organizational Needs
Real-world challenge: Your CISO asks, "Which standard should we adopt?" The answer: It depends on industry, size, compliance requirements, and maturity.
Decision Framework
| Organization Type | Recommended Standard | Why |
|---|---|---|
| Small business, startup | CIS Controls IG1 | 56 essential safeguards, no certification cost |
| Enterprise (non-regulated) | CIS IG2 + ISO 27001 | Technical controls + certified ISMS for customers |
| US Federal / Government | NIST 800-53 | Mandated by FISMA, FedRAMP |
| Healthcare (US) | HIPAA + NIST 800-53 | Regulatory requirement + proven controls |
| Payment processing | PCI DSS | Mandatory for card data handling |
| International B2B SaaS | ISO 27001 + SOC 2 | Global recognition + US customer trust |
| Critical infrastructure | NIST 800-53 High + CIS IG3 | Maximum controls for severe impact |
Pro tip: Most organizations use multiple standards:
• CIS Controls for technical implementation
• ISO 27001 for ISMS certification
• Industry-specific for compliance (PCI DSS, HIPAA, etc.)
🎯 Hands-On Labs (Free & Essential)
Apply security standards through practical assessment and implementation exercises.
🔬 Lab 1: CIS-CAT Lite - Assess System Against CIS Benchmarks
What you'll do: Download CIS-CAT Lite, run a compliance assessment against the CIS Benchmark for your OS (Windows/Linux/macOS), analyze the report, and identify the top 5 misconfigurations.
Why it matters: Automated compliance tools are industry standard. Learning to interpret compliance reports is essential for security engineers and auditors.
Prerequisites: Windows, Linux, or macOS system; CIS account (free)
Time estimate: 2-3 hours
Steps:
1. Create free account at CIS WorkBench (cisecurity.org)
2. Download CIS-CAT Lite (automated assessment tool)
3. Select appropriate benchmark for your OS
4. Run assessment (may take 10-30 minutes)
5. Review HTML report: overall score, failed rules, remediation guidance
6. Document top 5 failures and their security impact
Deliverable: Screenshot of report + summary of 5 critical misconfigurations with remediation plan
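The scoring step that CIS-CAT Lite and OpenSCAP perform (Lesson 14.5) and the "top 5 failures" step of Lab 1, as an added example that is not part of the course materials or of either tool: it parses a constructed, cut-down XCCDF results document (the XML results format both tools are built on), computes a simplified pass/(pass+fail) score, and ranks failed rules by severity so the first five are the remediation order. The rule ids in the sample are placeholders, not real CIS Benchmark rule ids.

```python
"""Score an XCCDF results file and rank failed rules, as CIS-CAT / OpenSCAP reports do."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, cut-down TestResult. Real output holds hundreds of rule-results;
# the idref values here are placeholders, not real CIS Benchmark rule ids.
SAMPLE_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult">
  <rule-result idref="rule_ssh_root_login" severity="high" weight="1.0"><result>fail</result></rule-result>
  <rule-result idref="rule_password_max_days" severity="medium" weight="1.0"><result>fail</result></rule-result>
  <rule-result idref="rule_motd_banner" severity="low" weight="1.0"><result>fail</result></rule-result>
  <rule-result idref="rule_firewall_enabled" severity="high" weight="1.0"><result>pass</result></rule-result>
  <rule-result idref="rule_auditd_running" severity="medium" weight="1.0"><result>pass</result></rule-result>
  <rule-result idref="rule_ntp_configured" severity="low" weight="1.0"><result>pass</result></rule-result>
  <rule-result idref="rule_xinetd_absent" severity="low" weight="1.0"><result>notapplicable</result></rule-result>
</TestResult>"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # unknown/info sort last


def summarize_results(xml_text: str, top_n: int = 5) -> Tuple[float, Dict[str, int], List[Tuple[str, str]]]:
    """Return (score percent, result counts, top failed rules as (idref, severity))."""
    root = ET.fromstring(xml_text)
    counts: Dict[str, int] = {}
    failures: List[Tuple[str, str, float]] = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        result = rr.find("x:result", XCCDF_NS).text.strip()
        counts[result] = counts.get(result, 0) + 1
        if result == "fail":
            failures.append((rr.get("idref"), rr.get("severity", "unknown"), float(rr.get("weight", "1.0"))))
    # Simplified headline score: pass / (pass + fail). Results such as
    # 'notapplicable' or 'notchecked' are left out, as the tools' reports do.
    scored = counts.get("pass", 0) + counts.get("fail", 0)
    score = 100.0 * counts.get("pass", 0) / scored if scored else 0.0
    # Worst severity first, then heavier weight, then id: the top-N list is the remediation order.
    failures.sort(key=lambda f: (SEVERITY_RANK.get(f[1], 9), -f[2], f[0]))
    return score, counts, [(f[0], f[1]) for f in failures[:top_n]]


if __name__ == "__main__":
    score, counts, top = summarize_results(SAMPLE_XML)
    print(f"Score: {score:.1f}%  counts: {counts}")
    for idref, sev in top:
        print(f"  [{sev}] {idref}")
```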
🔬 Lab 2: Map Organization to CIS Implementation Group
What you'll do: Choose a real or hypothetical organization (your university, a startup, a hospital, etc.), assess its risk profile, and determine the appropriate CIS Implementation Group (IG1, IG2, or IG3). Then select 10 priority controls from that IG and justify your choices.
Why it matters: Risk-based prioritization is core to security. Not every organization needs maximum controls—matching controls to risk/resources is professional judgment.
Time estimate: 1.5-2 hours
Factors to consider:
• Organization size (employees, IT staff)
• Data sensitivity (PII, health records, financial data)
• Regulatory requirements (HIPAA, PCI DSS, GDPR)
• Threat landscape (targeted attacks, opportunistic malware)
• Resources (budget, security team expertise)
Deliverable: 1-page assessment with IG selection justification + 10 prioritized controls with rationale
🔬 Lab 3: NIST 800-53 Control Selection Exercise
What you'll do: Given a scenario (web application processing customer PII), select appropriate NIST 800-53 controls from at least 5 different control families. Document WHY each control is necessary and HOW it would be implemented.
Why it matters: Control selection is a core skill for GRC analysts, security architects, and compliance teams. You'll use this in CSY303 (GRC) and CSY399 (Capstone).
Time estimate: 1.5-2 hours
Scenario: E-commerce platform with customer accounts, payment processing, order database
Required control families: Select controls from AC, AU, IA, SC, SI (minimum 2 controls per family)
Resources: Use NIST 800-53 Rev 5 Control Catalog (free PDF)
Deliverable: Table with control ID, family, description, implementation details, and rationale
💡 Lab Strategy: Start with CIS-CAT Lite for hands-on tool experience. Lab 2 and 3 build critical thinking around control selection—these skills directly apply to real security programs.
Resources
📚 Building on Prior Knowledge
This week connects to concepts you've already learned:
- CSY101 Week 1 (CIA Triad, Risk Formula): Security standards operationalize risk management. CIS Controls address specific threats, NIST 800-53 protects CIA properties systematically.
- CSY101 Week 1 (NIST CSF): Standards like CIS and NIST 800-53 provide the "Protect" function. They tell you WHAT controls to implement after you've "Identified" risks.
- CSY101 Week 13 (Threat Modeling): After STRIDE identifies threats, standards help you select appropriate countermeasures. Example: Information Disclosure threat → Apply CIS Control 3 (Data Protection) or NIST 800-53 SC family (System and Communications Protection).
- Looking ahead:
- CSY203 (Web Security): CIS Control 16 (Application Software Security) + NIST SI family
- CSY302 (Cloud Security): CIS Benchmarks for AWS/Azure/GCP, cloud-specific controls
- CSY303 (GRC): Deep dive into compliance frameworks, ISO 27001 certification, audit preparation
- CSY399 (Capstone): Map findings to NIST 800-53 controls, recommend control implementation
💡 Reflection Prompt: If you were a CISO at a 50-person startup handling customer payment data, which standard(s) would you adopt and why? Consider compliance requirements, resources, and customer expectations.
Weekly Reflection Prompt
Write 200-300 words answering this prompt:
You are advising two different organizations on security standards adoption:
Organization A: 20-person SaaS startup, handles customer business data (not regulated), limited security budget, no dedicated security team
Organization B: 500-employee healthcare provider, handles patient health records (HIPAA-regulated), has 5-person security team, moderate budget
For EACH organization, recommend:
- Which standard(s) to adopt (CIS Controls, NIST 800-53, ISO 27001, or combination)
- Which implementation level (CIS IG1/2/3, NIST Low/Moderate/High)
- Top 3 priority controls to implement first
- Justification for your choices (consider: compliance, resources, risk, customer expectations)
What good looks like: You demonstrate understanding that standards selection is context-dependent. You balance ideal security with practical constraints (budget, staffing). You show awareness of compliance drivers and customer requirements.