Regulations, Standards, and frameworks Flashcards
What are regulations, standards and frameworks?
Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations follow them to improve processes, strengthen security, and achieve other business objectives.
These frameworks give us a common language that can be used to build a culture of security.
The CIS Controls 1-20
Basic CIS Controls (1-6), e.g. antivirus
Foundational CIS Controls (7-16), e.g. MFA
Organizational CIS Controls (17-20), e.g. security policy
NIST CSF overview
1) Describe your current cybersecurity posture
2) Describe your target state for cybersecurity
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
4) Assess progress toward the target state
5) Communicate among internal and external stakeholders about cybersecurity risk
The framework is not one-size-fits-all; a company should tailor it to its own business.
NIST CSF - Three primary components
Core - Desired cybersecurity outcomes organized in a hierarchy and aligned to more detailed guidance and controls
Profiles - Alignment of an organization's requirements and objectives, risk appetite and resources with the desired outcomes of the Framework Core
Implementation Tiers - A qualitative measure of the organization's cybersecurity risk management practices
NIST RMF overview
The RMF emphasizes risk management by promoting the development of security and privacy capabilities in information systems throughout the system development life cycle (SDLC).
The management of organizational risk is a key element of the organization's information security program and provides an effective framework for selecting the appropriate security controls for systems.
The 7 steps of the Risk Management Framework
0: Prepare - carry out essential activities at the organization, mission/business process and information system levels of the enterprise
1: Categorize the system and the information it processes, stores and transmits, based on an impact analysis
2: Select an initial set of baseline security controls for the system based on the security categorization
3: Implement the security controls and document how the controls are deployed within the system and its environment
4: Assess the security controls using appropriate procedures to determine the extent to which they are implemented correctly and operating as intended
5: Authorize system operation based on a determination that the risk to the organization and to individuals is acceptable
6: Monitor the selected security controls in the system on an ongoing basis, including reporting the security state of the system to the organization
International Organization for Standardization (ISO) overview
ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements
ISO/IEC 27002:2013: Information technology - Security techniques - Code of practice for information security controls
ISO/IEC 27701:2019: Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO 31000:2018: Risk management - Guidelines
SSAE SOC 2 report types overview
Type 1 - provides a description of the controls at the audited organization and the auditor's opinion on the suitability of the design of those controls, based on that description, as of a point in time
Type 2 - covers a minimum period of 6 months and requires testing of the controls, with the auditor's opinion on their operating effectiveness based on the test results
SSAE SOC 2 Type I/II frameworks
The SOC 2 report is performed in accordance with AT-C Section 205 and is based on the Trust Services Criteria, and can be issued as either a Type 1 or a Type 2 report.
What is the CSA CCM?
The Cloud Security Alliance Cloud Controls Matrix. It can be used as a tool for the systematic assessment of a cloud implementation, and it provides guidance on which security controls should be implemented by which actor within the cloud supply chain.
Benchmarks and security configuration guides
Platform/vendor-specific guides exist for:
- Web servers
- Operating systems
- Application servers
- Network infrastructure devices