5.2 Regulations and Standards Flashcards

1
Q

GDPR

A

General Data Protection Regulation - strengthens the regulation of user data in the UK and of companies processing UK data

2
Q

DPO

A

Data Protection Officer - ensures the company's compliance with GDPR

3
Q

PCI DSS

A

Payment Card Industry Data Security Standard - standard for protecting credit card processing
It is a global standard

4
Q

PCI DSS level 1

A

Company processes over 6 million credit card transactions a year
Validation requirement - annual on-site compliance assessment by a Qualified Security Assessor (QSA)
Compliance validation - submission of an annual report on compliance and quarterly network scans

5
Q

PCI DSS Level 2

A

Company processes 1 to 6 million transactions a year
Validation - annual Self-Assessment Questionnaire (SAQ) or on-site audit by a QSA
Compliance - quarterly network scans

6
Q

PCI DSS Level 3

A

Company processes 20,000 to 1 million transactions a year
Validation - annual SAQ or on-site audit by a QSA
Compliance - quarterly network scans

7
Q

PCI DSS Level 4

A

Company processes under 20,000 transactions a year
Validation - annual SAQ or on-site audit by a QSA
Compliance - quarterly network scans may be required

8
Q

Security frameworks

A

Help you secure a company network with guidelines and best practices

9
Q

CIS framework

A

Center for Internet Security - framework to improve security posture, designed to address high-priority security issues.
3 implementation groups:
Basic cyber hygiene - the first, basic control steps
Foundational cyber hygiene - builds on basic
Advanced cyber hygiene - the most advanced controls, setting up detection of and alerting on security events

10
Q

NIST RMF

A

National Institute of Standards and Technology Risk Management Framework - mandatory framework for US federal agencies and companies handling federal data.
Six-step process:
1.) Categorize - classify data processed, stored and transmitted by systems based on the CIA triad
2.) Select - identify and choose security controls based on the determined security levels
3.) Implement - implement the controls
4.) Assess - check that the controls are working properly
5.) Authorize - decide whether the systems and controls will be put into the production environment
6.) Monitor - monitor regularly

11
Q

NIST CSF

A

NIST Cyber Security Framework - NIST framework aimed at commercial companies
3 areas in the framework:
1.) Framework core -
Identify - risks, processes, assets
Protect - assets
Detect - threats
Respond
Recover
2.) Framework implementation - tiers used to describe an organization's security posture; 4 tiers
Tier 1 - Partial - company has an ad hoc approach and little knowledge of risk and strategy
Tier 2 - Risk informed - aware of risks and may have a documented approach to events
Tier 3 - Repeatable - well-documented and repeatable approaches to events
Tier 4 - Adaptive - company has repeatable and well-documented approaches to events and is very adaptive to new events
3.) Framework profile - alignment of standards, guidelines and regulations to the framework core

12
Q

ISO/IEC

A

International Organization for Standardization / International Electrotechnical Commission
4 important standards:
ISO/IEC 27001
ISO/IEC 27002
ISO/IEC 27701
ISO/IEC 3100

13
Q

ISO/IEC 27001

A

International Organization for Standardization / International Electrotechnical Commission 27001 - concerned with Information Security Management Systems (ISMS), which protect sensitive data with processes, policies and procedures
Uses Plan-Do-Check-Act:
Plan - establish the ISMS and define objectives
Do - implement the ISMS
Check - monitor the ISMS
Act - take corrective and preventative actions to improve the ISMS

14
Q

ISO/IEC 27002

A

Provides best-practice guidance for implementing controls in an ISMS. It acts more as a guide for improving an ISMS, while 27001 is the set of requirements and structure an ISMS must meet for a company to obtain 27001 certification.

15
Q

ISO/IEC 27701

A

Provides guidelines and a framework for establishing, implementing and maintaining a Privacy Information Management System (PIMS) - focused mainly on data privacy rather than information security as a whole

16
Q

ISO/IEC 3100

A

Risk management practices

17
Q

SSAE SOC 2 Type I/II

A

From the AICPA (American Institute of Certified Public Accountants), called the Statement on Standards for Attestation Engagements - this is an accounting standard with 2 types:
Type I - assesses the security posture of a company at a given point in time
Type II - assesses the security posture of a company and its operations over a period of at least 6 months

18
Q

CSA

A

Cloud Security Alliance - cloud security framework; created the CCM
CCM - Cloud Controls Matrix framework - this is where cloud controls are mapped to standards, best practices and regulations.

19
Q

FERPA

A

Family Educational Rights and Privacy Act - requires that educational institutions implement security and privacy controls for student educational records

20
Q

SOX

A

SOX - Sarbanes-Oxley Act - dictates requirements for the storage and retention of documents relating to an organization's financial and business operations
- relevant for any publicly traded company with a market value of 75 million or more

21
Q

GLBA

A

GLBA - Gramm-Leach-Bliley Act - requirements for financial institutions that help protect the privacy of an individual's financial information held by the institution