5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture Flashcards

1
Q

What are the key frameworks in Cybersecurity?

A

Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST)
RMF/CSF
International Organization for Standardization (ISO)
27001/27002/27701/31000
SSAE SOC 2 Type I/II
Cloud Security Alliance (CSA)

2
Q

What is NIST?

A

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provisioning more generally (nist.gov/cyberframework). It is developed for a US audience and focuses somewhat on US government, but its recommendations can be adapted for other countries and types of organizations. As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications (csrc.nist.gov/publications/sp).

3
Q

What is the difference between CSF and RMF?

A

NIST’s Risk Management Framework (RMF) pre-dates the CSF. Where the CSF focuses on practical cybersecurity for businesses, the RMF is more prescriptive and principally intended for use by federal agencies (csrc.nist.gov/projects/risk-management/rmf-overview).

4
Q

What is ISO 27K?

A

The framework was established in 2005 and revised in 2013. Unlike the NIST framework, the ISO 27001 Information Security Management standard must be purchased (iso.org/standard/54534.html). ISO 27001 is part of an overall 27000 series of information security standards, also known as 27K. Of these, 27002 classifies security controls, 27017 and 27018 reference cloud security, and 27701 focuses on personal data and privacy.

5
Q

What is ISO 31K?

A

Where ISO 27K is a cybersecurity framework, ISO 31K (iso.org/iso-31000-risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO 31K establishes best practices for performing risk assessments.

6
Q

What is CSA?

A

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.

– Enterprise reference architecture:
(ea.cloudsecurityalliance.org)—best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.

– Cloud controls matrix: (cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix)—lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

7
Q

What is SSAE and SOC?

A

Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)
The Statements on Standards for Attestation Engagements (SSAE) are audit specifications developed by the American Institute of Certified Public Accountants (AICPA). These audits are designed to assure consumers that service providers—notably cloud providers, but including any type of hosted or third-party service—meet professional standards.

8
Q

What is SOC2?

A

Service Organization Control (SOC2)—evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data. TSC refers to security, confidentiality, integrity, availability, and privacy properties. An SOC2 Type I report assesses the system design, while a Type II report assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. SOC2 reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators, and with important partners under non-disclosure agreement (NDA) terms.

9
Q

What is SOC3?

A

SOC3—a less detailed report certifying compliance with SOC2. SOC3 reports can be freely distributed.

10
Q

What is CIS?

A

Center for Internet Security (CIS)
The Center for Internet Security (cisecurity.org) is a not-for-profit organization (founded partly by The SANS Institute). It publishes the well-known “The CIS Critical Security Controls.” The CIS-RAM (Risk Assessment Method) can be used to perform an overall evaluation of security posture (learn.cisecurity.org/cis-ram).

11
Q

What is PCI DSS?

A

Payment Card Industry Data Security Standard (PCI DSS)
Compliance issues can also arise from industry-mandated regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of financial information (pcisecuritystandards.org/pci_security). (Regulations, standards, and legislation)

11
Q

What is GDPR?

A

Privacy requires that collection and processing of personal information be both secure and fair. Fairness and the right to privacy, as enacted by regulations such as the European Union’s General Data Protection Regulation (GDPR), mean that personal data cannot be collected, processed, or retained without the individual’s informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese.

12
Q

What is the purpose of an OS vendor-specific guide?

A

Operating system (OS) best practice configuration lists the settings and controls that should be applied for a computing platform to work in a defined role, such as client workstation, authentication server, network switch/router/firewall, web/application server, and so on.

13
Q

What is the purpose of an Application Server vendor-specific configuration guide?

A

Most application architectures use a client/server model. This means that part of the application is a client software program, installed and run on separate hardware from the server application code. The client interacts with the server over a network. Attacks can therefore be directed at the local client code, at the server application, or at the network channel between them. As well as coding issues, the applications need to take account of platform issues. The client application might be running on a computing host alongside other, potentially malicious, software. Code that runs on the client should not be trusted. The server-side code should implement routines to verify that input conforms to what is expected.

14
Q

What is the purpose of a Web Server application vendor-specific configuration guide?

A

The application uses a generic client (a web browser), and standard network protocols and servers (HTTP/HTTPS). The specific features of the application are developed using code running on the clients and servers. Web applications are also likely to use a multi-tier architecture, where the server part is split between application logic and data storage and retrieval. Modern web applications may use even more distributed architectures, such as microservices and serverless.

15
Q

What is the overall purpose of Network appliance and vendor-specific guides?

A

Most vendors will provide guides, templates, and tools for configuring and validating the deployment of network appliances, operating systems, web servers, and application/database servers. The security configurations for each of these devices will vary not only by vendor but by device and version as well. The vendor’s support portal will host the configuration guides (along with setup/install guides and software downloads and updates) or they can be easily located using a web search engine.

16
Q

Why are frameworks, benchmarks and configuration guides used?

A

The key frameworks, benchmarks, and configuration guides may be used to demonstrate compliance with a country’s legal/regulatory requirements or with industry-specific regulations. Due diligence is a legal term meaning that responsible persons have not been negligent in discharging their duties. Negligence may create criminal and civil liabilities. Many countries have enacted legislation that criminalizes negligence in information management. In the US, for example, the Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures. The Computer Security Act (1987) requires federal agencies to develop security policies for computer systems that process confidential information. In 2002, the Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies.