5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture Flashcards
What are the key frameworks in Cybersecurity?
Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST)
RMF/CSF
International Organization for Standardization (ISO)
27001/27002/27701/31000
SSAE SOC 2 Type I/II
Cloud security alliance
What is NIST?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provisioning more generally (nist.gov/cyberframework). It is developed for a US audience and focuses somewhat on US government, but its recommendations can be adapted for other countries and types of organizations. As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications (csrc.nist.gov/publications/sp).
What is the difference between CSF and RMF?
NIST’s Risk Management Framework (RMF) pre-dates the CSF. Where the CSF focuses on practical cybersecurity for businesses, the RMF is more prescriptive and principally intended for use by federal agencies (csrc.nist.gov/projects/risk-management/rmf-overview).
What is ISO 27K?
The framework was established in 2005 and revised in 2013. Unlike the NIST framework, the ISO 27001 Information Security Management standard must be purchased (iso.org/standard/54534.html). ISO 27001 is part of an overall 27000 series of information security standards, also known as 27K. Of these, 27002 classifies security controls, 27017 and 27018 reference cloud security, and 27701 focuses on personal data and privacy.
What is ISO 31K?
Where ISO 27K is a cybersecurity framework, ISO 31K (iso.org/iso-31000-risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO 31K establishes best practices for performing risk assessments.
What is CSA?
The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.
– Enterprise reference architecture:
(ea.cloudsecurityalliance.org)—best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.
– Cloud controls matrix: (cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix)—lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.
What is SSAE and SOC?
Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)
The Statements on Standards for Attestation Engagements (SSAE) are audit specifications developed by the American Institute of Certified Public Accountants (AICPA). These audits are designed to assure consumers that service providers—notably cloud providers, but including any type of hosted or third-party service—meet professional standards
What is SOC2
Service Organization Control (SOC2)—evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data. TSC refers to security, confidentiality, integrity, availability, and privacy properties. An SOC2 Type I report assesses the system design, while a Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators, and with important partners under non-disclosure agreement (NDA) terms.
What is SOC3?
SOC3—a less detailed report certifying compliance with SOC2. SOC3 reports can be freely distributed.
What is CIS?
Center for Internet Security (CIS)
The Center for Internet Security (cisecurity.org) is a not-for-profit organization (founded partly by The SANS Institute). It publishes the well-known “The CIS Critical Security Controls.” The CIS-RAM (Risk Assessment Method) can be used to perform an overall evaluation of security posture (learn.cisecurity.org/cis-ram).
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS)
Compliance issues can also arise from industry-mandated regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of financial information (pcisecuritystandards.org/pci_security). (Regulations, standards, and legislation)
What is GDPR?
Privacy requires that collection and processing of personal information be both secure and fair. Fairness and the right to privacy, as enacted by regulations such as the European Union’s General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual’s informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. (
What is the purpose of an OS vendor-specific guide?
Operating system (OS) best practice configuration lists the settings and controls that should be applied for a computing platform to work in a defined role, such as client workstation, authentication server, network switch/router/firewall, web/application server, and so on.
What is the purpose of an Application Server vendor-specific configuration guide?
Most application architectures use a client/server model. This means that part of the application is a client software program, installed and run on separate hardware to the server application code. The client interacts with the server over a network. Attacks can therefore be directed at the local client code, at the server application, or at the network channel between them. As well as coding issues, the applications need to take account of platform issues. The client application might be running in a computing host alongside other, potentially malicious, software. Code that runs on the client should not be trusted. The server-side code should implement routines to verify that input conforms to what is expected.
What is the purpose of a Web Server application vendor-specific configuration guide?
The application uses a generic client (a web browser), and standard network protocols and servers (HTTP/HTTPS). The specific features of the application are developed using code running on the clients and servers. Web applications are also likely to use a multi-tier architecture, where the server part is split between application logic and data storage and retrieval. Modern web applications may use even more distributed architectures, such as microservices and serverless.
