1. Security Frameworks
    1. Broad, high-level collections of standards and practices that form a solid approach to information security.
    2. Example: The NIST Cyber Security Framework Version 1.1
      1. National Institute of Standards and Technology (NIST):
        1. A United States government organization, a division of the United States Department of Commerce, that promotes innovation and industrial competitiveness.
      2. NIST publishes a free cybersecurity framework. The goal of this framework is to enable organizations to:
        1. Describe their current cybersecurity posture.
        2. Describe their target state for cybersecurity.
        3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.
        4. Assess progress toward the target state.
        5. Communicate among internal and external stakeholders about cybersecurity risk.
      3. The Framework is composed of three parts:
        1. Framework Core
          1. A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
          2. Consists of five Functions:
            1. Identify
            2. Protect
            3. Detect
            4. Respond
            5. Recover
          3. When considered together, these Functions provide a high-level, strategic view of an organization's management of cybersecurity risks.
        2. Framework Implementation Tiers
        3. Framework Profile
      4. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    3. Security Frameworks and Framework-Issuing Organizations:
      1. United States National Institute of Standards and Technology (NIST):
        1. SP 800 Publication Group
        2. SP 1800 Publication Group
        3. The NIST Cyber Security Framework
      2. International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC):
        1. The ISO/IEC 27000 Family of Security Standards
      3. Information Systems Audit and Control Association (ISACA):
        1. Control Objectives for Information and Related Technologies (COBIT) Framework:
          1. Plan and Organize
          2. Acquire and Implement
          3. Deliver and Support
          4. Monitor and Evaluate
      4. Information Technology Infrastructure Library (ITIL):
        1. Business Information Services Library (BiSL) Framework
        2. Project Management Body of Knowledge (PMBOK) Framework
2. Reference Architectures
    1. A set of documents to which an interested party can refer for best practices regarding a specific technology.
    2. Reference Architectures describe:
      1. The specific controls and technical components of a security program
      2. How those components interact to meet control objectives.
    3. Example: Cisco Desktop Virtualization
      1. https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/desktop-virtualization-solutions/solution_overview_c22-727509.pdf
    4. Example: Oracle Cloud
      1. https://www.oracle.com/technetwork/architect/archday-rws-2013-krishnaswamy-1966514.pdf