WEEK 2 Flashcards
SLIDES
What is the current NIST guidance for how often to change your password, based on passage of time?
a) 30 days b) 42 days c) 90 days d) never
d. Never
What do Regulations help to do?
- Mandate the “minimum standards for due care”
- Establish legally-defensible security practices
- Provide actionable guidance
- Inform the types of security controls and techniques employed
What is SP 800-37?
Risk Management Framework
What is SP 800-53?
Security Controls for IT Systems
What is SP 800-82?
Security Controls for Industrial Control Systems
What is SP 800-171?
Security Controls for Nonfederal systems processing Controlled Unclassified Information
Special Publication 800-37 is centered on the Risk Management Framework (RMF), which outlines six steps federal agencies must take to secure their information systems.
WHAT ARE THOSE SIX STEPS?
CSCAAM
- Security CATEGORIZATION: based on impact analysis
- Security control SELECTION
- Security CONTROL implementation
- Security control ASSESSMENT
- Information system AUTHORIZATION
- Security control MONITORING
NIST SP 800-37
The overall goals of the guidelines in 800-37 are?
- To ensure that managing information system-related security risks aligns with the organization’s business objectives and overall risk strategy
- To ensure that security controls are integrated into the organization’s enterprise architecture and system development lifecycle
- To support continuous security monitoring and transparency of security and risk-related information
- To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies
What is the purpose of NIST SP 800-53 Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations)?
- To provide guidelines for selecting security controls for information systems supporting federal agencies. The guidelines apply to all components of an information system that process, store or transmit federal information.
- To optimize security, this publication recommends first selecting an initial set of baseline security controls, then customizing these baseline controls, and finally supplementing the controls based on assessments of risk.
EU-US Privacy Shield
- Designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration
- Provide companies a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce
- Self-certification model
PCI-DSS
Payment Card Industry Data Security Standards
- Founded in 2006 by AMEX, Discover, JCB International, MasterCard, and Visa
- Help merchants and financial institutions understand and implement standards
- Help vendors understand and implement standards for creating secure payment solutions
Gramm-Leach-Bliley Act
Organizations that provide services to the financial industry
Originally SAS-70 requirements
SAS-70 replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE-16)
SSAE-16 defined and formalized security audits, management duties, etc.
Security Program: Set yourself up for success!
- Infrastructure Protection
- Application Security
- Security Operations
- Governance
- Project/Program Management
- Business Partners
Compliance Creep
Requirements expand over time
- Organization becomes subject to new requirements as business grows
- Baseline standards become more rigorous because of increasing oversight in industry
- Scope of organization’s business operation grows
- We almost never retire requirements (especially security)!
Techniques for Compliance
- Outsource compliance activities
  • Best as a short-term solution
- Add headcount to execute compliance as a project
- Purchase a GRC (Governance, Risk, and Compliance) package or service
  • Most cost-effective, long-term solution
  • Scalable, little upfront cost