6.3 System Infrastructure
(a) Information Technology Control Frameworks
IT control frameworks provide overall guidance to user organizations as a frame of reference for security, governance, and implementation of security-related controls. Several organizations within and outside the United States provide such guidance.
Eleven major types of IT control frameworks are discussed in this section:
1. The Institute of Internal Auditors’ Electronic Systems Assurance and Control (eSAC)
2. The IT Governance Institute’s (ITGI’s) Control Objectives for Information and Related Technology (COBIT)
3. The Information Systems Audit and Control Foundation’s (ISACF’s) Control Objectives for Net Centric Technology (CONCT)
4. The SysTrust Principles and Criteria for Systems Reliability from the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA)
5. The International Federation of Accountants’ (IFAC’s) Managing Security of Information
6. The Information Security Forum’s (ISF’s) standard
7. The U.S. Department of Homeland Security’s guidance
8. The European Union’s (EU’s) security directives
9. The Organisation for Economic Co-operation and Development’s (OECD’s) Guidelines for the Security of Information Systems
10. International Common Criteria (CC)
11. The International Organization for Standardization (ISO) standards
In addition, guidelines for implementing minimum security requirements, regardless of the type of IT control framework adopted, are presented. ...