Identifying Security Compliance Measures Flashcards

1
Q

What is Security Compliance?

A

Adherence to the rules, regulations or practices related to the protection of assets, as established by a specific authority.

2
Q

What are Assets?

A

Assets are anything that is considered to have value, e.g. computer hardware and software, people, buildings and data.

3
Q

Compliance requirements (the authority) normally come from:

A

The organisation, government or industry

4
Q

What are security policies?

A

A set of documents that outline the physical and information security requirements for an organisation. The goal of a security policy is to protect the organisation's resources.

5
Q

Give Examples of Security Policies

A

Password Policy

Acceptable Use Policy (AUP)

Internet Usage Policy (Can overlap with AUPs)

6
Q

Define: Password Policy

A

A security policy that requires strong, complex passwords to reduce the possibility of accounts being hacked.

7
Q

What is Acceptable Use Policy (AUP)

A

A security policy that governs how individuals or organisations may use a particular system or resource.

8
Q

Why do we have AUPs?

A

An AUP is put in place to protect the security and integrity of the system or resource and ensure that users behave in a responsible and ethical manner.

9
Q

Define: Internet Usage Policy

A

A security policy that outlines how users can use the internet in a workplace or within an organisation. (Can overlap with AUPs)

10
Q

What does AUP Stand for?

A

Acceptable Use Policy

11
Q

What does PII Stand for?

A

Personally Identifiable Information

12
Q

What is PII? Give examples

A

It is data that can be used to identify a specific person, such as Social Security numbers, passport numbers, and combinations of data, such as a full name and date of birth.

13
Q

What does PHI Stand for?

A

Protected Health Information

14
Q

What is PHI? Give examples

A

Information that is individually identifiable and maintained by a health care provider, health plan, or health care clearinghouse that is covered by the mandates in the Health Insurance Portability and Accountability Act (HIPAA).

Examples of PHI can be:
* Medical Records
* Health Insurance Information
* Test Results
* Prescription Information
* Medical Images
* Family history

15
Q

What are Facility Policies?

A

Facility Policies are a set of documents that specify how employees and visitors can access an organization’s physical premises.

Facility policies can include physical barriers to manage access, such as guardhouses and locked doors.

Identification of authorized individuals can include badges for employees and visitors, keys for authorized employees, etc.

16
Q

Incident Reporting

A

Security incident reports are an important tool for managing security incidents and improving security in the future. They help to identify vulnerabilities and gaps in security, allowing organizations to take proactive steps to prevent future incidents. A report can include a description of the impact of the incident, such as loss of data or disruption to operations.

17
Q

If no formal security policy is in place, what can you refer to?

A

If there are no formal security policies in place, you can refer to:
* The Employee handbook
* Network user guide or AUP
* HR department
* IT department
* Information security (InfoSec) department
* Legal department
* Health information management department
* Website

18
Q

What are the Consequences of Non-Compliance with Organizational Requirements?

A

This can vary from organization to organization, depending on the severity of the violation. Consequences can range from a verbal warning to demotion, pay reduction or termination. They should be clearly outlined and available to employees, and explained fully to all staff so that there are no misunderstandings.

19
Q

Scenario: You work at That’s Cheezy Cheese Emporium. Company executives are concerned about the security of organizational assets and customer data. You are on the team that is developing a comprehensive security policy for the organization.

At the first committee meeting, it is decided that the team should establish a process for developing the security policy. What do you think should be the first step?

A

A good first step would be to collect and review any existing organisational documentation to determine what security requirements already exist.

A thorough risk assessment is an essential first step in developing an effective security policy. It provides a foundation for understanding the organization’s security needs and developing policies and procedures that are tailored to its unique risks and requirements.

20
Q

In which type of document would you expect to include rules for entering restricted areas of the company’s central building?

A. AUP
B. Facility policy
C. Password policy
D. Internet usage policy

A

B

21
Q

Which types of protected data do you think will be of primary concern for your company? (Select two.)

A. Email address
B. Insurance ID number
C. Credit card number
D. Name
E. Name and address combined

A

C & E

22
Q

What factors do you think the team should consider as they outline disciplinary actions to be taken when someone is not compliant with the security policy?

A

When outlining disciplinary actions for noncompliance with the security policy, the team should consider the following factors:

  • Severity of the violation/risk
  • Intent
  • Role and responsibility

23
Q

Legal Compliance Requirements

A

Legal compliance requirements refer to the regulations and laws that organizations must follow to ensure that they operate within the bounds of the law. Failure to comply with these requirements can lead to legal action, penalties, fines, and damage to a company’s reputation.

24
Q

In the United States, legal compliance requirements are generally found in laws and regulations, both of which can carry criminal or civil penalties for non-compliance. These can exist at the federal, state and local level.

What are examples of U.S. Compliance laws & regulations?

A

Compliance laws:
* Fair Credit Reporting Act (FCRA)
* Health Insurance Portability and Accountability Act (HIPAA)
* Sarbanes-Oxley Act (SOX)

Regulations:
* Federal Trade Commission (FTC) privacy guidelines
* National Institute of Standards and Technology (NIST) compliance standards
* Payment Card Industry Data Security Standard (PCI DSS)

25
Q

Health Insurance Portability and Accountability Act (HIPAA)

Description:
Provides compliance requirements for the PHI of patients.
Uses 18 identifiers to determine whether information is considered PHI.

A

Jurisdiction

HIPAA affects U.S. health care providers, health plans and health care clearinghouses that collect and store patients' information.

26
Q

In the European Union, legal compliance requirements take the form of directives and regulations.

What is a directive?

A

A directive is a legal act that sets out specific goals or outcomes that member states must achieve. Unlike regulations, directives allow each member state to decide how to implement the requirements into their national laws, providing flexibility while ensuring harmonization across the EU. Once adopted, member states must transpose the directive into national law, and organizations operating within the EU must comply with the relevant national laws. Directives are commonly used in areas such as data protection, consumer protection, and environmental protection.

27
Q

What are some Examples of Directives?

A

Examples of directives are:

  • Network and Information System Security Directive (NISD)
  • ePrivacy Directive

28
Q

In the European Union, legal compliance requirements take the form of directives and regulations.

What is a regulation?

A

A regulation is a legal act that has binding force and applies directly in all member states. Unlike directives, regulations do not require individual member states to transpose them into national law because they are already binding as soon as they are adopted by the EU. This means that regulations create a more uniform set of legal requirements across the EU and leave no room for member states to interpret or implement them differently.

29
Q

What are some Examples of Regulations?

A

Examples of regulations are:

  • General Data Protection Regulation (GDPR)
  • EU Cybersecurity Act

30
Q

Sarbanes-Oxley Act (SOX)

Legal requirements for accounting and auditing

A

Jurisdiction

Publicly traded companies in the U.S.

31
Q

General Data Protection Regulation (GDPR)

Protects the privacy of individuals, including the export of personal data.
Note: From 1995 to 2016, the predecessor to GDPR was the Data Protection Directive.

A

Jurisdiction

Affects all entities that collect or process the personal data of EU citizens, even if the entity is not based in the EU.

32
Q

Network and Information Security Directive (NISD)

Protects essential services, utilities, and infrastructure.

A

Jurisdiction

Applies throughout the EU, and to two groups of organizations: operators of essential services (OES) and relevant digital service providers (RDSPs).

33
Q

ePrivacy Directive

Protects the privacy and security of personal data in electronic communications.
An ePrivacy Regulation has also been drafted and is under discussion at the time of this publication.

A

Jurisdiction

Entities in the EU that handle any electronic communications.

Note: The directive was adopted to complement the Data Protection Directive. Until the ePrivacy Regulation takes effect, the GDPR and ePrivacy Directive are key parts of the EU’s plan to protect the privacy of individuals.

34
Q

What do resources for maintaining legal security compliance include?

A

Resources for maintaining legal security compliance include:

  • Organizational compliance documentation.
  • Government websites.
  • Your organization’s legal department.
  • Insurance providers.
  • Text of applicable legislation.

35
Q

Legal consequences of non-compliance with HIPAA

A

  • Civil penalties: $100 per violation (annual maximum of $25,000 for repeat violations) up to $50,000 per violation (annual maximum of $1.5 million).
  • Criminal penalties: $50,000 and one year’s imprisonment up to $250,000 and 10 years’ imprisonment.

36
Q

Legal consequences of non-compliance with SOX

A

Loss of stock exchange listing and loss of directors’ and officers’ liability insurance up to multimillion dollar fines and prison sentences for company officers (up to $5 million and imprisonment for up to 20 years).

37
Q

Legal consequences of non-compliance with GDPR

A

  • Administrative fines: Tier 1 violations: 10 million euros or 2 percent of the organization’s annual revenue, whichever is greater. Tier 2 violations: 20 million euros or 4 percent of the organization’s annual revenue, whichever is greater.
  • Personal liability: Any individual who has suffered any sort of damage, whether material or non-material, has the right to seek compensation from the company responsible for the damages.

38
Q

Legal consequences of non-compliance with NISD

A

Penalties depend on the individual member states’ legislation.
For instance, in the UK, the maximum fine is 17 million pounds.

39
Q

Legal consequences of non-compliance with the ePrivacy Directive

A

Penalties depend on the individual member states’ legislation.
For instance, in the UK, the maximum fine is 500,000 pounds.

40
Q

Scenario: You work at That’s Cheezy Cheese Emporium, a specialty food vendor with retail and web sales. As part of the ongoing effort to create a comprehensive security policy for the company, you’ve been asked to identify relevant legal compliance requirements to be referenced in the security policy.

At That’s Cheezy Cheese Emporium, although most sales occur within the U.S., there are web sales that come from all around the world. Which of the legal compliance requirements discussed in this topic would apply?

A. HIPAA
B. SOX
C. GDPR
D. NISD
E. ePrivacy Directive

A

C & E

41
Q

Industry compliance requirements generally apply to a specific industry sector, for example:

  • Banking
  • Automotive
  • Manufacturing

A

Key Industry Compliance Requirements are:

Payment Card Industry Data Security Standard (PCI DSS)
ISO 27001 Standards
National Institute of Standards and Technology (NIST) standards

42
Q

Payment Card Industry Data Security Standard (PCI DSS)

Regulates the handling and management of payment card data to reduce fraud through the use of six control objectives.

A

PCI DSS has been implemented and followed across the globe. Any organization that handles credit/debit cards and the information associated with them is subject to the standard.

43
Q

ISO 27001 Standards

A group of international standards for information security.
Enables any type of organization to manage the security of assets.

A

Although most countries do not require the widespread implementation of ISO 27001, some regulations do exist that require selected industries to implement the standards.

44
Q

National Institute of Standards and Technology (NIST) standards

Numerous NIST standards are in effect. Those that deal with cybersecurity include NIST SP 800-53 and the NIST Cybersecurity Framework.

A

NIST standards and frameworks are used globally, but they are mandatory only for U.S. federal agencies.

45
Q

What are the six control objectives of the Payment Card Industry Data Security Standard (PCI DSS)?

A

The six control objectives are:
1. Build and maintain a secure network and systems.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.

46
Q

What does PCI DSS Stand for?

A

Payment Card Industry Data Security Standard

47
Q

What do resources for maintaining compliance with industry standards and frameworks include?

A

  • Industry association websites and guidance documents.
  • Professional group websites and guidance documents.

48
Q

What are the consequences of non-compliance with PCI DSS industry requirements?

A

  • Fines of up to $500,000 per incident, plus written notification of all affected individuals.
  • Damage to your company’s reputation.
  • Possibly a loss of consumer trust.

49
Q

What are the consequences of non-compliance with ISO 27001 industry requirements?

A

Nonconformities include failure to fulfill a requirement of the standards, nonconformance to a requirement of the implemented information security management system, or the inability to meet the legal, contractual, or business requirements of customers.

If an ISO 27001 audit is performed and nonconformities are discovered, the auditor may withhold the ISO 27001 certificate.

50
Q

What are the consequences of non-compliance with NIST industry requirements?

A

Depending on the organization, effects of non-compliance with NIST standards could range from loss of business reputation to loss of eligibility for procuring U.S. government contracts.

51
Q

Scenario:
You work at That’s Cheezy Cheese Emporium, a specialty food vendor with retail and web sales. To wrap up the compliance research you have been involved with, you’ve been asked to identify relevant industry compliance requirements to be referenced in the security policy.

At That’s Cheezy Cheese Emporium, although most sales occur within the U.S., there are web sales that come from all around the world. Which of the industry compliance requirements discussed in this topic would apply?

A. PCI DSS
B. ISO 27001
C. NIST SP 800-53
D. NIST Cybersecurity Framework

A

A