5.2 Importance of regulations, standards, frameworks that impact security posture Flashcards
Security regulation & standards: what is GDPR?
Data protection and privacy regulation for individuals in the EU.
Data covered: name, address, photo, email address, bank details, posts on social networking websites, medical information, computer's IP address, etc.
Security regulation & standards: what is PCI DSS?
Payment Card Industry Data Security Standard is a standard for protecting credit card (cardholder) data.
Security regulation & standards: what are the controls of PCI DSS?
6 control objectives:
- Build and maintain a secure network & systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Security frameworks: what is the CIS CSC?
Center for Internet Security Critical Security Controls for Effective Cyber Defense
Security frameworks: what is the NIST RMF?
NIST Risk Management Framework helps organizations manage security risk to their systems and data. It's a 6-step process:
- Categorize - define the environment (the system and the data it handles)
- Select - pick appropriate controls
- Implement - put the selected controls in place and document how
- Assess - determine if the controls are working
- Authorize - make a decision to authorize the system to operate
- Monitor - check for ongoing compliance
Security frameworks: what is the NIST CSF?
NIST Cybersecurity Framework, made up of the framework core (identify, protect, detect, respond, recover), the framework implementation tiers, and framework profiles (alignment of standards, guidelines, and practices to the framework core)
Security frameworks: what is the ISO/IEC?
- ISO/IEC 27001: Information Security Management System (ISMS) requirements
- ISO/IEC 27002: code of practice for information security controls
Security frameworks: what is the SSAE SOC 2?
Audit standard that focuses on topics such as firewalls, intrusion detection, and multi-factor authentication
Security configuration: where to find hardening guides?
Hardening guides are specific to the software or OS, so get them from the manufacturer (vendor) or on the internet
Security configuration: how to harden a web server?
- Manage permissions
- Configure SSL/TLS: install and manage certificates
- Log files: monitor access and error logs
Security configuration: how to harden OS?
- Ensure the OS is updated
- Set up password complexity and permissions
- Limit network access
- Run and monitor antivirus/anti-malware
Security configuration: how to harden network infrastructure?
- Configure authentication (don't use default credentials)
- Check with the manufacturer for security updates