5.2 Governance - Regulations, Standards & Frameworks Flashcards
Define General Data Protection Regulation (GDPR) (4)
- Laws applying to personal information and data in the EU
- Allows people to understand and control their personal data collected by companies
- Prohibits export of personal data outside of the EU
- Requires posting of detailed privacy policies regarding personal data
Define Payment Card Industry Data Security Standard (PCI DSS) (2)
- Rules regarding credit card transaction transmissions and credit card data storage
- Not laws, but an organization set up by credit card companies to develop standards
Define Center for Internet Security (CIS) Framework
Developed critical security controls (CSC) framework with different security recommendations based on the size of an organization
Define NIST Risk Management Framework (RMF)
Framework federal government agencies are required to follow
Define NIST Cybersecurity Framework (CSF)
Framework for non-government corporate entities
Define International Organization for Standardization (ISO) Frameworks
Developed for international organizations
Define SSAE SOC 2 Type I/II (3)
- Security auditing standard developed by the American Institute of Certified Public Accountants, or the AICPA
- Type I - audits/tests controls at a particular date/time
- Type II - audits/tests controls over a 6 month or longer time frame
Define benchmarks/secure configuration guides
- Hardening/secure configuration guides created for a specific OS or platform
- Can be from vendor or industry groups
What device types do benchmarks/secure configuration guides apply to?
- Web servers
- OS
- Application servers
- Network devices