5.2 Regulations, Standards, Frameworks
Security Regulations and Standards
Compliance = meeting the standards of regulations, policies, and laws
GDPR (General Data Protection Regulation)
- data protection and privacy regulation for individuals in the European Union
- controls export of personal data
- gives individuals control over their personal data
PCI DSS (Payment Card Industry Data Security Standard)
- standard for protecting credit card data
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
- ISO/IEC 27001 = standard for an Information Security Management System (ISMS)
- ISO/IEC 27002 = code of practice for information security controls
- ISO/IEC 27701 = privacy information management system (PIMS) - PII management and privacy
- ISO/IEC 31000 = international standard for risk management practices
Security Frameworks
Center for Internet Security (CIS) - CIS Critical Security Controls (CIS CSC)
NIST Risk Management Framework (RMF)
- mandatory for US federal agencies that use federal data
- has 6 steps: categorize, select, implement, assess, authorize, monitor
NIST Cybersecurity Framework (CSF)
- voluntary commercial framework
- framework core: identify, protect, detect, respond, recover
- framework implementation tiers: the organization's view of cybersecurity risk and the processes it uses to manage that risk
- framework profile: alignment of standards, guidelines, and practices to the framework core
SOC 1 = report that informs a service organization's customers and their customers' auditors about the controls the service organization has in place to safeguard its customers' financial statements
SOC 2 (SSAE) Type I/II
- Trust Services Criteria (security controls): firewalls, intrusion detection, and multi-factor authentication
- Type I audit = tests controls in place at a particular point in time
- Type II audit = tests controls over a period of at least six consecutive months
Cloud Security Alliance (CSA) = security in cloud computing
- Cloud Controls Matrix (CCM) = cloud-specific security controls; controls are mapped to standards, best practices, and regulations
Secure Configurations
Web server hardening
- information leakage: banner information, directory browsing
- permissions: run from a non-privileged account, configure file permissions
- configure SSL: manage and install certificates
- log files: monitor access and error logs
Operating system hardening
- updates: run the most up-to-date version of the OS
- user accounts: minimum password length and complexity
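As an added example (not part of the original notes), the web server hardening items above expressed as Apache httpd 2.4 directives, with the weak setting each hardened directive replaces shown in a comment beside it; the document root, service account and certificate/log paths are assumptions.

```apache
# Added example: Apache httpd hardening mapped to the checklist above.
# Apache does not allow comments on the same line as a directive,
# so every weak-vs-hardened note sits on its own line.

# --- Information leakage: banner information ---
# Weak: "ServerTokens Full" reveals httpd version, OS and modules.
# Weak: "ServerSignature On" appends that banner to error pages.
ServerTokens Prod
ServerSignature Off

# --- Information leakage: directory browsing ---
# Document root path is an assumption.
<Directory "/var/www/html">
    # Weak: "Options Indexes FollowSymLinks" lists files when no
    # index page exists and follows links out of the web root.
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Permissions: run from a non-privileged account ---
# Weak: "User root" / "Group root" runs every request as root.
# www-data is an assumed dedicated account with no login shell.
User www-data
Group www-data
# File permissions are set outside httpd: content owned by root,
# readable but not writable by www-data (0644 files, 0755 dirs).

# --- Configure SSL/TLS: manage and install certificates ---
<VirtualHost *:443>
    # Placeholder hostname and assumed certificate paths; the
    # private key must be readable by root only (mode 0600).
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Weak: "SSLProtocol all" still permits SSLv3 and TLS 1.0/1.1.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # --- Log files: monitor access and error logs ---
    # Weak: "LogLevel emerg" hides nearly everything worth reviewing.
    # Log directory is an assumption; ship these logs to a SIEM.
    LogLevel warn
    ErrorLog  /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined
</VirtualHost>
```

Run `apachectl configtest` after applying the fragment and confirm the banner change with a request to the server, since an unrelated `ServerTokens` line elsewhere in the configuration wins if it is read later.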