Security Frameworks
Explore industry-standard cybersecurity frameworks. Each framework provides a structured approach to managing security risk.
NIST CSF
NIST Cybersecurity Framework
A voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risk. Version 2.0 added the Govern function to emphasize organizational governance.
CIS Controls
CIS Critical Security Controls
A prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. Controls are grouped into Implementation Groups (IG1, IG2, IG3).
ISO 27001
ISO/IEC 27001
An international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of an organization.
MITRE ATT&CK
MITRE ATT&CK Framework
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is used as a foundation for threat models and methodologies in the private sector, government, and the cybersecurity community. The Enterprise matrix covers 14 tactics describing adversary goals, with hundreds of techniques describing how those goals are achieved.