5.2 Explain the Importance Of applicable Regulations, Standards, Or Frameworks that Impact Organizational Security Posture.

Question 1

Regulations, Standards, and Legislation

Answer 1

Regulations, standards, and legislation are put in place to ensure that compliance has been achieved, and most are legally enforceable. From these regulations and standards, we derive our policies to ensure compliance and prevent crime; if companies do not abide by these regulations, they will be fined. Other industry frameworks are only best practices and are not legally enforceable, but vendors will not support any product that has not been set up according to such best practices.

Question 2

General Data Protection Regulation (GDPR)

Answer 2

The European Union’s (EU’s) GDPR came into force on 25th May 2018, as a framework for data protection law. It is enforced by the EU Information Commissioner’s Office (ICO) and protects the individual’s right to the privacy of their data, such as name, date of birth, photographs, video footage, email addresses, and telephone numbers. GDPR aims at protecting the collection, use, and storage of this information. GDPR states that anyone selling products on their website to EU citizens must adhere to GDPR and that data can only be stored for its intended use. For example, after a purchase has been made, credit card details should no longer be stored without the consent of the user. It is known as an international regulation as there are 27 countries in the EU.

Question 3

National, Territory, or State Laws

Answer 3

In the US, there are national data laws – for example, the Health Insurance Portability and Accountability Act (HIPAA) for medical data and the Gramm-Leach-Bliley Act (GBLA) for financial services. States tend to have their own laws on personal data, but most are based on Federal Information Security Management Act (FISMA), which protects government information and operations.

Question 4

Payment Card Industry Data Security Standard (PCI DSS)

Answer 4

PCI DSS deals with the handling and storage of data used for card payments.

Question 5

Key Frameworks

Answer 5

Several key frameworks have been designed, mostly by not-for-profit organizations, to help reduce the risk created by ever-increasing cybercrime levels and the adoption of the cloud by companies.

Question 6

Center for Internet Security (CIS)

Answer 6

This is a not-for-profit organization that publishes information on cybersecurity best practices and threats and has tools to help harden your environment and provide risk management. CIS provides benchmarks for different operating systems and provides controls to help secure your organization.

Question 7

NIST/CSF/RMF Cyber Security Framework

Answer 7

NIST Cyber Security Framework (CSF): NIST RMF/CSF is designed to focus on the individual and the risk they pose to cybersecurity. This replaces NIST’s Risk Management Framework (RMF) and was designed to look at the risk that individuals pose to governmental agencies.

Question 8

International Organization for Standardization (ISO)

Answer 8

ISO publishes standards that are internally agreed upon by experts. Listed here are the standards for information systems

ISO 27001 – Security techniques for Information Security Management Systems: https://www.iso.org/standard/54534.html.

ISO 27002 – Code of Practice for Information Security Controls. The aim of this standard is to improve the management of information: https://www.iso.org/standard/54533.html.

ISO 27701 – An extension to 27001/27002 for Privacy Information Management – Requirements and Guidelines: https://www.iso.org/standard/71670.html.

ISO 31000 – About managing risk for company organizations and management in general; information can be found on its website: https://www.iso.org/standard/65694.html.

Question 9

SOC Type 2 Reports

Answer 9

These are reports on the internal controls of the security, processing, and handling of users’ data to ensure that it is kept confidential and that privacy is maintained. There are two types: type 1 is to do with the suitability of the design of controls, and type 2 is to do with the effectiveness of the controls.

The distribution of these reports is restricted as they provide lots of details on the company that has been audited.

Question 10

Cloud Security Alliance

Answer 10

The Cloud Security Alliance (CSA) is a not-for-profit organization that produces various resources to help Cloud Service Providers (CSPs), such as online training, webinars, community discussion groups, and virtual summits.

Question 11

Cloud Control Matrix (CCM) and the CSA Reference Architecture

Answer 11

This is designed to provide a guide on security principles for cloud vendors and potential cloud customers to assess the overall risk of a cloud provider: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/

Question 12

CSA Reference Architecture

Answer 12

The Reference Architecture contains best security practices for CSPs. Its website states its mission as being “to promote research, development, and education of best practices and methodologies around a reference architecture for a secure and trusted cloud.” It looks at different topics, such as security and risk, presentation services, application services, information services, IT Operation and Support (ITOS), and Business Operation and Support Services (BOSS).

Question 13

Benchmarks/Secure Configuration Guides

Answer 13

Every company faces the challenge of protecting its servers and computers from an ever-increasing amount of cybersecurity threats. There are many different types of servers, such as web servers, email servers, and database servers, and each of them has different configurations and services, so the baselines are different for each type of server. Vendors and manufacturers will provide platform/vendor guides so that their products can be configured as per their own best practices, ensuring that they perform as best they can.

Question 14

Platform-/Vendor-Specific Guides

Answer 14

These guides roll out with new products so that they can be set up as securely as possible, making them less vulnerable to attack.

Question 15

Web Servers

Answer 15

There are two main web servers used by commercial companies. Microsoft has a web server called the Internet Information Server, and its rival is Apache. Web servers provide web pages for the public to view, and because they are in the public domain, they are prime targets for hackers. To help reduce the risk, both Microsoft and Apache provide security guides to help security teams reduce their footprint, making them more secure. Microsoft has created a user guide called Best Practice to Protect Internet Facing Web Servers, which can be found at https://social.technet.microsoft.com/wiki/contents/articles/13974.microsoft-security-best-practices-to-protect-internet-facing-web-servers.aspx. Web server security guides rely on the latest updates being in place, services that are not required being turned off, and the operating system is hardened to make it as secure as possible and reduce the risk of attack.

Question 16

Operating Systems

Answer 16

Most vendors, such as Microsoft, have guides that detail the best practices for installing their operating systems. This is to ensure that they are as secure and as reliable as possible.

Question 17

Application Server

Answer 17

Vendors produce guides on how to set up their application servers, such as email servers or database servers, to make them less vulnerable to attack.

Question 18

Network Infrastructure Devices

Answer 18

Cisco produces the best high-end network devices, and because the networking world is ever-evolving, Cisco has produced an infrastructure upgrade guide so that companies can use it for best practices when upgrading their network devices: https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-4m-t/products-installation-and-configuration-guides-list.html.