
🔗 Security Framework Alignment

Understand how major cybersecurity frameworks relate to each other and map to the security domains covered on this platform. Essential for compliance, risk management, and interview preparation.

Major Frameworks

OWASP

Open Web Application Security Project

Industry-standard guidance for web and API security, including the OWASP Top 10, ASVS, and testing guides.

Top 10 Web, Top 10 API, ASVS, SAMM, Testing Guide, Cheat Sheets

🌐 Web Top 10 →
🔌 API Top 10 →
🤖 LLM Top 10 →

CVSS / CVE / KEV

Common Vulnerability Scoring System, CVE & KEV

CVSS provides standardized vulnerability severity scoring (0-10). CVE (Common Vulnerabilities and Exposures) catalogs known vulnerabilities. KEV (Known Exploited Vulnerabilities) tracks actively exploited flaws.

CVSS v3.1 / v4.0 Scoring, Base / Temporal / Environmental Metrics, CVE Identifiers, NVD (National Vulnerability Database), KEV Catalog, EPSS (Exploit Prediction), SSVC (Stakeholder-Specific)

CWE / SANS Top 25

CWE/SANS Top 25 Most Dangerous Software Weaknesses

The 25 most dangerous CWE (Common Weakness Enumeration) software weaknesses ranked by prevalence and impact. Maintained by MITRE, mapped to real-world CVEs in NVD — essential for secure coding and vulnerability prioritization.

CWE-787 Out-of-bounds Write, CWE-79 XSS, CWE-89 SQL Injection, CWE-416 Use After Free, CWE-78 OS Command Injection, CWE-20 Input Validation, CWE-125 Out-of-bounds Read, CWE-22 Path Traversal, CWE-352 CSRF, CWE-434 Unrestricted Upload, Memory Safety, Injection, Web Security
🛡️ SANS/CWE Top 25 Deep Dive →
MITRE ATT&CK

MITRE ATT&CK Framework

Knowledge base of adversary tactics, techniques, and procedures (TTPs) for threat modeling and detection engineering.

Reconnaissance, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Exfiltration
🎯 MITRE ATT&CK Deep Dive →
CIS Controls

Center for Internet Security Critical Security Controls

A prioritized set of 18 cybersecurity best practices (v8) designed to mitigate the most common cyber attacks. Organized into Implementation Groups (IG1, IG2, IG3) for phased adoption.

Inventory & Control of Assets, Data Protection, Secure Configuration, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email & Browser Protections, Malware Defenses, Incident Response Management

CISA

Cybersecurity & Infrastructure Security Agency

U.S. federal agency providing cybersecurity guidance, vulnerability advisories, Known Exploited Vulnerabilities (KEV) catalog, and Shields Up initiatives for critical infrastructure.

KEV Catalog, Shields Up, BODs & Directives, Cyber Hygiene, ICS-CERT Advisories, Zero Trust Maturity Model

FFIEC / Federal Banking

Federal Financial Institutions Examination Council

U.S. interagency body (OCC, FDIC, Fed, NCUA, CFPB) that sets uniform IT examination standards for banks and credit unions. The FFIEC IT Handbook covers information security, business continuity, outsourcing, and cybersecurity assessment tools (CAT).

IT Examination Handbook, Cybersecurity Assessment Tool (CAT), Information Security Booklet, Business Continuity Management, Outsourcing Technology Services, Authentication & Access Controls, Operational Resilience, BSA/AML Compliance, Interagency Guidelines (OCC/FDIC/Fed), Regulation E & Regulation Z

GDPR

General Data Protection Regulation (EU)

EU regulation governing the collection, processing, and storage of personal data for EU residents. Applies extraterritorially to any organization handling EU personal data. Establishes data subject rights, breach notification requirements, and significant penalties for non-compliance.

  • Art. 5 — Processing Principles
  • Art. 6 — Lawful Basis
  • Art. 13-14 — Privacy Notices
  • Art. 15-22 — Data Subject Rights
  • Art. 25 — Privacy by Design & Default
  • Art. 28 — Processor Obligations
  • Art. 30 — Records of Processing (ROPA)
  • Art. 32 — Security of Processing
  • Art. 33-34 — Breach Notification (72 hrs)
  • Art. 35 — Data Protection Impact Assessment (DPIA)
  • Art. 37-39 — Data Protection Officer (DPO)
  • Art. 44-49 — Cross-Border Data Transfers (SCCs, BCRs)
📋 GRC & Compliance Deep Dive →
GLBA

Gramm-Leach-Bliley Act (GLBA)

U.S. federal law requiring financial institutions to explain how they share and protect customers' private information. The Safeguards Rule mandates a comprehensive information security program with administrative, technical, and physical safeguards.

Financial Privacy Rule, Safeguards Rule, Pretexting Protection, Risk Assessment Program, Access Controls, Encryption of Customer Data, Incident Response Plan, Vendor/Third-Party Oversight, Employee Training, Board Reporting

ISO 27001/27002

ISO/IEC 27001 & 27002

International standards for establishing, implementing, and maintaining an information security management system (ISMS).

Annex A Controls, Risk Assessment, Asset Management, Access Control, Cryptography, Physical Security, Incident Management

NIST CSF

NIST Cybersecurity Framework

A voluntary framework of standards, guidelines, and best practices for managing cybersecurity risk across five functions.

Identify, Protect, Detect, Respond, Recover, Govern

NIST SP 800

NIST Special Publication 800 Series

Comprehensive security controls and guidelines — SP 800-53, 800-171, 800-63 for federal and enterprise systems.

800-53 Controls, 800-171, 800-63 Digital Identity, 800-207 ZTA, 800-61 IR, 800-92 Log Mgmt

PCI-DSS

Payment Card Industry Data Security Standard

A set of 12 requirements for organizations that handle credit card data. Mandates network security, data encryption, access control, vulnerability management, and regular testing to protect cardholder data environments (CDE).

  • Req 1: Network Security Controls
  • Req 2: Secure Configurations
  • Req 3: Protect Stored Account Data
  • Req 4: Encrypt Transmission
  • Req 5: Anti-Malware
  • Req 6: Secure Development
  • Req 7: Restrict Access
  • Req 8: User Identification
  • Req 9: Physical Security
  • Req 10: Log & Monitor
  • Req 11: Test Security
  • Req 12: Security Policies

SOX

Sarbanes-Oxley Act (SOX)

U.S. federal law mandating strict financial reporting controls and IT governance for publicly traded companies. Section 404 requires management assessment of internal controls over financial reporting (ICFR), including IT general controls (ITGCs).

Section 302 (CEO/CFO Certification), Section 404 (ICFR Assessment), IT General Controls (ITGCs), Access Controls & Segregation of Duties, Change Management, Data Backup & Recovery, Audit Trail & Logging, Third-Party Assurance (SOC 1/2)

Framework × Topic Cross-Reference

This matrix shows which frameworks apply to each security domain. Use it to understand framework coverage and map your security program.

| Topic | OWASP | NIST CSF | NIST SP 800 | MITRE ATT&CK | ISO 27001 | CISA | CIS | CVSS/CVE | SANS | GDPR |
|---|---|---|---|---|---|---|---|---|---|---|
| 🤖 AI Sec | ✅ | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🧠 AI/ML SecOps | — | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🔌 API Sec | ✅ | ✅ | ✅ | — | — | ✅ | ✅ | ✅ | ✅ | — |
| 🛡️ AppSec | ✅ | ✅ | ✅ | — | — | ✅ | ✅ | ✅ | ✅ | — |
| ☁️ Cloud | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 🔐 Data Sec | — | ✅ | ✅ | — | ✅ | ✅ | ✅ | — | ✅ | ✅ |
| ⚙️ DevSecOps | ✅ | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🔏 Crypto | — | ✅ | ✅ | — | ✅ | ✅ | ✅ | — | ✅ | — |
| 📋 GRC | — | ✅ | ✅ | — | ✅ | ✅ | ✅ | — | ✅ | ✅ |
| 🔑 IAM / IGA | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| 🎯 MITRE ATT&CK | — | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🌐 Network | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | — |
| 🛡️ OWASP Top 10 | ✅ | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🧪 SAST/DAST | ✅ | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 📈 SIEM/Logs | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | — |
| 📊 SOC | — | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🔍 VulnMgmt | ✅ | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |
| 🏰 ZTA | — | ✅ | ✅ | ✅ | — | ✅ | ✅ | ✅ | ✅ | — |

How to Use These Frameworks

🎯 Risk Assessment

Use NIST CSF's Identify function and ISO 27001's risk assessment process to catalog assets, threats, and vulnerabilities. Map to MITRE ATT&CK for threat-informed risk analysis.

🛡️ Control Implementation

Select controls from NIST SP 800-53 and ISO 27002 based on risk assessment results. Use OWASP guidelines for application-specific controls. Layer controls for defense-in-depth.

📊 Detection & Response

Map detection rules to MITRE ATT&CK techniques for coverage analysis. Use NIST CSF Detect and Respond functions. Measure detection coverage with ATT&CK Navigator.

📋 Compliance & Audit

Use ISO 27001 for ISMS certification. Map NIST SP 800-53 controls to regulatory requirements (HIPAA, PCI DSS, SOX). Generate compliance reports using framework mappings.

🎓 Interview Preparation

Demonstrate framework knowledge by explaining how they complement each other. Show practical application with real scenarios. Reference specific controls and techniques.

📈 Program Maturity

Use OWASP SAMM for AppSec maturity. Map program capabilities to NIST CSF tiers. Track ATT&CK coverage over time. Report maturity to leadership with framework-aligned metrics.

NIST CSF 2.0 Core Functions

| Function | Purpose | Key Categories |
|---|---|---|
| Govern (GV) | Establish cybersecurity strategy and governance context | Risk Management Strategy, Roles & Responsibilities, Policy |
| Identify (ID) | Understand organizational risk posture | Asset Management, Risk Assessment, Supply Chain Risk |
| Protect (PR) | Implement safeguards against threats | Identity Management, Data Security, Platform Security |
| Detect (DE) | Discover cybersecurity events | Continuous Monitoring, Adverse Event Analysis |
| Respond (RS) | Take action on detected incidents | Incident Management, Analysis, Mitigation, Reporting |
| Recover (RC) | Restore capabilities after incidents | Incident Recovery Plan Execution, Communication |

© 2026 AIMIT — Cybersecurity Solutions Platform. A GenAgeAI Product.