A recurring question among novice professionals is to know what to recommend as best security practices.
As a security specialist, companies will ask you what to do to ensure security.
Some security professionals got together and created documents that we call security standards or security frameworks.
Organizations such as ISO and NIST, provide paid and free documents with security controls that can be used.
These documents provide security controls, based on practical objectives that you can adopt in your company.
But first, it is necessary to plan and define the security strategy. Then define policies, controls and processes.
Another detail is that there is no “One size fits all”. You should evaluate the recommendations and apply only what makes sense for your organization.
After the controls and policies are applied, there is a constant check and monitoring.
Practices also change over time, as technologies change and attacks too.
In the case of assessments or security assessments, practices are also used to reference your recommendations.
Watch this video from Artigo 12, Fabio Sobiecki talks about these security frameworks. The video was originally published in Portuguese.