Learn about industry-standard frameworks and reference architecture in this guest post by Ian Neil, the author of CompTIA Security+ Certification Guide.
Industry-standard frameworks are sets of criteria, agreed within an industry, for how operations should be set up and carried out; these are known as best practices. Following best practices produces better results than setting operations up in an ad hoc way.
These frameworks are followed by all members of that industry. In networking, the International Organization for Standardization (ISO) is responsible for the standards used in communications and IT. ISO is made up of the national standards bodies of its member countries, and it publishes many of its IT and communications standards jointly with the IEC (hence the ISO/IEC prefix).
A reference architecture is a document or set of documents to which a project manager or other interested party can refer for best practices. It will include documents relating to hardware, software, processes, specifications, and configurations, as well as logical components and their interrelationships.
ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.
OSI Reference Model
ISO developed the Open Systems Interconnection model (OSI model). It is a conceptual model that standardizes the communication functions of a telecommunications or computing system, without regard to its internal structure and technology.
The purpose of the OSI reference model is to provide guidance to vendors and developers so that products they develop can communicate with one another.
The OSI reference model has seven layers, each providing a specific set of services to the layer above it:
- Layer 7, Application
- Layer 6, Presentation
- Layer 5, Session
- Layer 4, Transport
- Layer 3, Network
- Layer 2, Data Link
- Layer 1, Physical
The CompTIA Security+ exam focuses mainly on layers 2, 3, and 7: switches forward on layer 2 MAC addresses, routers on layer 3 IP addresses, and proxies and web application firewalls inspect layer 7 application data.
Exam tip: Although Security+ is not a networking exam, you must ensure that you are familiar with devices that operate at layers 2, 3, and 7.
TCP/IP is the protocol suite used in modern communications and the one the internet runs on. The TCP/IP model is older than the OSI reference model rather than derived from it, and it has four layers that map onto the OSI layers:
- Application (OSI layers 5 to 7)
- Transport (OSI layer 4)
- Internet (OSI layer 3)
- Network Access, also called Link (OSI layers 1 and 2)
Types of Frameworks
There are different types of frameworks covered in the Security+ exam, and they are listed here:
Regulatory: Regulatory frameworks are based on statute law and governmental regulations that companies must abide by at all times. Failure to do so can result in a regulatory fine:
- Example 1: The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is EU law on data protection and privacy for individuals within the European Union and EEA, and it applies to any organization that processes their personal data, wherever that organization is based. It also governs the transfer of personal data outside the EU. Fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
- Example 2: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security rules for safeguarding medical information. Civil penalties start at $100 per violation and are capped at $1.5 million per year for violations of the same provision.
Non-regulatory: This is not enforceable by law and is optional, but provides a framework that organizations can follow as a best practice.
- Example 3: The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT service management organized around a service lifecycle. The ITIL service lifecycle has five distinct stages:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
- Example 4: COBIT 5 is similar to ITIL in that it provides management with an information technology (IT) governance model that helps deliver value from IT and manage the risks associated with IT. The five COBIT 5 principles are:
- Meeting stakeholder needs
- Covering the enterprise end to end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management
National versus international: An example of a national framework is the Data Protection Act 2018, a United Kingdom law on data protection and how personal data may be used; it received Royal Assent on May 23, 2018. An example of an international framework is ISO/IEC 27002, which provides a code of practice for information security controls and is used by the international community.
Industry-specific frameworks (finance): The IFRS Foundation is a non-profit organization that oversees the International Financial Reporting Standards (IFRS). The purpose of IFRS is to standardize financial reporting internationally; its scope is limited to financial reporting.
Benchmarks/Secure Configuration Guides
Every company faces the challenge of protecting its servers and computers from an ever-increasing number of cyber security threats. There are many different types of server (web servers, email servers, database servers, and so on), each with its own configuration and services, so the secure baseline differs for each server type. Vendors and manufacturers publish platform/vendor-specific guides so that their products can be configured according to the vendor's own best practices and perform as well as they can; a baseline is only useful if the live configuration is actually checked against it.
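Added example (not part of the original article or the book): a small Python audit that reads a service configuration and compares each directive with a baseline, the kind of check that turns a secure-configuration guide into something verifiable. The sshd_config text is constructed, and both the baseline values and the OpenSSH defaults are assumptions chosen for the illustration, not quotations from any vendor guide or published benchmark. It handles two things a naive grep misses: a commented-out directive is not a setting, and sshd keeps the first value it reads, so a "fix" appended at the end of the file changes nothing.

```python
"""Audit an OpenSSH server configuration against a secure baseline.

Added example. The sample config is constructed; the baseline and default
values are assumptions for the demonstration, not vendor or CIS figures.
"""
import re
from dataclasses import dataclass

# Constructed sample sshd_config; not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
# A later "fix" that has no effect: sshd keeps the FIRST value it read.
PermitRootLogin no
"""

# Illustrative baseline (assumed for this example): directive -> set of
# acceptable values, compared case-insensitively. A web, mail or database
# server would carry a different baseline.
SSH_BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"1", "2", "3", "4"},
    "ClientAliveInterval": {"300"},
}

# Value sshd uses when a directive is absent (assumed here; defaults change
# between OpenSSH releases, so confirm against sshd_config(5) for yours).
SSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "ClientAliveInterval": "0",
}


@dataclass
class Finding:
    directive: str
    effective: str   # value actually in force
    source: str      # "file" if set in the config, "default" otherwise
    allowed: set
    passed: bool


def parse_sshd_config(text: str) -> dict:
    """Return {directive.lower(): value} following sshd's own rules: blank
    lines and lines starting with '#' are ignored, directive names are
    case-insensitive, the first occurrence of a directive wins, and anything
    after the first Match block is conditional rather than global."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)                 # first value wins
    return effective


def audit(config_text: str, baseline: dict, defaults: dict) -> list:
    """Compare the effective value of every baseline directive with the
    allowed set, falling back to the daemon default when it is unset."""
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, allowed in baseline.items():
        if directive.lower() in effective:
            value, source = effective[directive.lower()], "file"
        else:
            value, source = defaults[directive], "default"
        findings.append(Finding(directive, value, source, allowed,
                                value.lower() in allowed))
    return findings


def failures(config_text: str, baseline: dict = SSH_BASELINE,
             defaults: dict = SSH_DEFAULTS) -> list:
    """Only the findings that deviate from the baseline."""
    return [f for f in audit(config_text, baseline, defaults) if not f.passed]


if __name__ == "__main__":
    for f in audit(SAMPLE_SSHD_CONFIG, SSH_BASELINE, SSH_DEFAULTS):
        status = "PASS" if f.passed else "FAIL"
        print(f"{status} {f.directive}={f.effective} ({f.source}); "
              f"allowed: {sorted(f.allowed)}")
```

On the sample, the commented-out PermitEmptyPasswords line passes only because the assumed default is "no", and PermitRootLogin fails even though the last line says "no"; both are the cases where reading the file by eye gives the wrong answer. The same structure (parser, baseline table, default table) applies to a web server or database configuration with its own baseline.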
Exam tip: Policies are written so that the security administrator knows what to configure, and end users know what part they play in keeping the company secure.
If you found this article interesting, you can refer to CompTIA Security+ Certification Guide to master IT security essentials and exam topics for the CompTIA Security+ SY0-501 certification. The guide aims to provide 100% coverage of every objective on the SY0-501 exam. Technical jargon and complex topics are broken down with good examples and explained concisely to help you succeed in the exam with ease.