5.2 Explain the Importance of Applicable Regulations, Standards, or Frameworks That Impact Organizational Security Posture. Flashcards

1
Q

Regulations, Standards, and Legislation

A

Regulations, standards, and legislation are put in place to ensure that compliance has been achieved, and most are legally enforceable. From these regulations and standards, we derive our policies to ensure compliance and prevent crime; if companies do not abide by these regulations, they will be fined. Other industry frameworks are only best practices and are not legally enforceable, but vendors will not support any product that has not been set up according to such best practices.

2
Q

General Data Protection Regulation (GDPR)

A

The European Union’s (EU’s) GDPR came into force on 25th May 2018, as a framework for data protection law. It is enforced by the EU Information Commissioner’s Office (ICO) and protects the individual’s right to the privacy of their data, such as name, date of birth, photographs, video footage, email addresses, and telephone numbers. GDPR aims at protecting the collection, use, and storage of this information. GDPR states that anyone selling products on their website to EU citizens must adhere to GDPR and that data can only be stored for its intended use. For example, after a purchase has been made, credit card details should no longer be stored without the consent of the user. It is known as an international regulation as there are 27 countries in the EU.

3
Q

National, Territory, or State Laws

A

In the US, there are national data laws – for example, the Health Insurance Portability and Accountability Act (HIPAA) for medical data and the Gramm-Leach-Bliley Act (GLBA) for financial services. States tend to have their own laws on personal data, but most are based on the Federal Information Security Management Act (FISMA), which protects government information and operations.

4
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

PCI DSS deals with the handling and storage of data used for card payments.

5
Q

Key Frameworks

A

Several key frameworks have been designed, mostly by not-for-profit organizations, to help reduce the risk created by ever-increasing cybercrime levels and the adoption of the cloud by companies.

6
Q

Center for Internet Security (CIS)

A

This is a not-for-profit organization that publishes information on cybersecurity best practices and threats and has tools to help harden your environment and provide risk management. CIS provides benchmarks for different operating systems and provides controls to help secure your organization.

7
Q

NIST/CSF/RMF Cyber Security Framework

A

The NIST Cyber Security Framework (CSF) is designed to focus on the individual and the risk they pose to cybersecurity. It replaces NIST’s Risk Management Framework (RMF) and was designed to look at the risk that individuals pose to governmental agencies.

8
Q

International Organization for Standardization (ISO)

A

ISO publishes standards that are internationally agreed upon by experts. Listed here are the standards for information systems:

ISO 27001 – Security techniques for Information Security Management Systems: https://www.iso.org/standard/54534.html.

ISO 27002 – Code of Practice for Information Security Controls. The aim of this standard is to improve the management of information: https://www.iso.org/standard/54533.html.

ISO 27701 – An extension to 27001/27002 for Privacy Information Management – Requirements and Guidelines: https://www.iso.org/standard/71670.html.

ISO 31000 – About managing risk for company organizations and management in general; information can be found on its website: https://www.iso.org/standard/65694.html.

9
Q

SOC Type 2 Reports

A

These are reports on the internal controls of the security, processing, and handling of users’ data to ensure that it is kept confidential and that privacy is maintained. There are two types: type 1 is to do with the suitability of the design of controls, and type 2 is to do with the effectiveness of the controls.

The distribution of these reports is restricted as they provide lots of details on the company that has been audited.

10
Q

Cloud Security Alliance

A

The Cloud Security Alliance (CSA) is a not-for-profit organization that produces various resources to help Cloud Service Providers (CSPs), such as online training, webinars, community discussion groups, and virtual summits.

11
Q

Cloud Control Matrix (CCM) and the CSA Reference Architecture

A

This is designed to provide a guide on security principles for cloud vendors and potential cloud customers to assess the overall risk of a cloud provider: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/

12
Q

CSA Reference Architecture

A

The Reference Architecture contains best security practices for CSPs. Its website states its mission as being “to promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.” It looks at different topics, such as security and risk, presentation services, application services, information services, IT Operation and Support (ITOS), and Business Operation and Support Services (BOSS).

13
Q

Benchmarks/Secure Configuration Guides

A

Every company faces the challenge of protecting its servers and computers from an ever-increasing number of cybersecurity threats. There are many different types of servers, such as web servers, email servers, and database servers, and each of them has different configurations and services, so the baseline is different for each type of server. Vendors and manufacturers provide platform/vendor guides so that their products can be configured according to their own best practices, ensuring that they perform as well as they can.

14
Q

Platform-/Vendor-Specific Guides

A

These guides roll out with new products so that they can be set up as securely as possible, making them less vulnerable to attack.

15
Q

Web Servers

A

There are two main web servers used by commercial companies. Microsoft has a web server called the Internet Information Server, and its rival is Apache. Web servers provide web pages for the public to view, and because they are in the public domain, they are prime targets for hackers. To help reduce the risk, both Microsoft and Apache provide security guides to help security teams reduce their footprint, making them more secure. Microsoft has created a user guide called Best Practice to Protect Internet Facing Web Servers, which can be found at https://social.technet.microsoft.com/wiki/contents/articles/13974.microsoft-security-best-practices-to-protect-internet-facing-web-servers.aspx. Web server security guides rely on the latest updates being in place, services that are not required being turned off, and the operating system being hardened to make it as secure as possible and reduce the risk of attack.

16
Q

Operating Systems

A

Most vendors, such as Microsoft, have guides that detail the best practices for installing their operating systems. This is to ensure that they are as secure and as reliable as possible.

17
Q

Application Server

A

Vendors produce guides on how to set up their application servers, such as email servers or database servers, to make them less vulnerable to attack.

18
Q

Network Infrastructure Devices

A

Cisco produces the best high-end network devices, and because the networking world is ever-evolving, Cisco has produced an infrastructure upgrade guide so that companies can use it for best practices when upgrading their network devices: https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-4m-t/products-installation-and-configuration-guides-list.html.