Regulations, Standards, and Frameworks Flashcards
What is “compliance” in cybersecurity?
Meeting the standards of laws, policies, and regulations.
There are a ton of regulations and laws; many are industry-specific or situational.
There could be fines, incarceration, loss of employment, etc. for not being compliant.
It is important to understand the scope. It might be national laws, international laws, state laws, etc.
What is GDPR?
Think EU when you see this.
This is a general data protection and privacy regulation for people in the EU.
The general overview of the rules is that users can decide where their data goes, and it prevents their information from being transported outside of the EU.
You can also contact any website in the EU and ask to have your information removed, and they will remove it because that is part of the requirements of the GDPR.
One more thing is that every site has to provide detailed information about their privacy policy.
What is PCI-DSS?
PCI=Payment card industry
Think debit/credit card processing when you see this and any kind of online purchasing of items.
This is a standard for protecting debit/credit cards.
There are 6 rules:
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy, including auditing and testing.
What is a security framework that is written by technologists, so that it can be implemented by technologists? As well as containing twenty key actions (the critical security controls) for organizations categorized by different organization sizes?
CIS CSC
Center for Internet Security Critical Security Controls
This provides practical information that you could apply to a project and then begin implementing these controls into your environment.
Which security framework is mandatory for US federal agencies and organizations that handle federal data?
NIST RMF=Required for government agencies
NIST Risk Management Framework (National Institute of Standards and Technology)
NIST CSF=Voluntary commercial framework. Resource for companies
There is a 6 step process here:
- Categorize - Define the environment you are in
- Select - Pick appropriate controls for security and privacy
- Implement - Define proper implementation of these policies and controls
- Assess - Determine if controls are working
- Authorize - Make a decision to authorize a system.
- Monitor - Check constantly for ongoing compliance.
Which security framework is made by a government agency and is a voluntary commercial framework for businesses that might not need the same security posture as a federal agency?
NIST CSF=Voluntary
NIST Cybersecurity Framework (National Institute of Standards and Technology)
NIST RMF=Required for government agencies
There are 3 major areas of the framework:
1. Framework core (most important) - Identify, Protect, Detect, Respond, and Recover.
2. Framework implementation tiers (most important) - An organization’s view of cybersecurity risk and processes to manage the risk.
3. Framework profile - The alignment of standards, guidelines, and practices to the framework core.
If you see ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27701, or ISO 31000, what is the main takeaway you should get from these?
International.
These are frameworks that can be applied at an international level.
These are perfect for a company that has operations in a number of countries and is looking for a framework that can encompass that.
ISO=International Organization for Standardization
IEC=International Electrotechnical Commission
What are SSAE SOC2 Types 1/2?
This is a framework for auditing your company’s security posture.
Tests firewalls, intrusion detection/prevention, and MFA
Type 1: tests controls in place at a particular time
Type 2: tests controls over a period of at least 6 consecutive months
- Which non-profit organization focuses on security in the cloud?
- and what is their security framework?
- CSA - cloud security alliance
- CCM (cloud controls matrix)
This is a framework for cloud-specific security controls
Controls are mapped to standards, best practices, and regulations.
This framework contains lots of things, including methodology and tools, ways to assess internal IT groups and cloud providers, ways to determine security capabilities, and how to build a roadmap so that you can continually improve your security.
Where would guides for secure configurations of hardware devices or software usually come from?
Hardening guides are specific to the software or manufacturer, and you can usually get guidance from the manufacturer or the developer of the software.
In cybersecurity what does banner usually mean?
This is usually text displayed by a host server containing details like the software type and version running on a system or server.
You don’t want too much of this to be shown and tell attackers all of your business.
Should a web server be running from a privileged account?
No, a web server should be running from a non-privileged account.