5.2 Explain importance of applicable regulations, standards or frameworks... Flashcards
GDPR
European Union regulation
– Data protection and privacy for individuals in the EU
– Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer's IP address, etc.
Controls export of personal data
– Users can decide where their data goes
* Gives individuals control of their personal data
– A right to be forgotten
* Site privacy policy
– Details all of the privacy rights for a user
PCI DSS
Payment Card Industry
– Data Security Standard (PCI DSS)
– A standard for protecting credit cards
* Six control objectives
– Build and maintain a secure network and systems
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
CIS
Center for Internet Security
– Critical Security Controls for Effective Cyber Defense
– CIS CSC
* Improve cyber defenses
– Twenty key actions (the critical security controls)
– Categorized for different organization sizes
* Designed for implementation
– Written for IT professionals
– Includes practical and actionable tasks
NIST RMF
National Institute of Standards and Technology
– Risk Management Framework (RMF)
– Mandatory for US federal agencies and organizations that handle federal data
* Six-step process
– Step 1: Categorize - Define the environment
– Step 2: Select - Pick appropriate controls
– Step 3: Implement - Define proper implementation
– Step 4: Assess - Determine if controls are working
– Step 5: Authorize - Make a decision to authorize a system
– Step 6: Monitor - Check for ongoing compliance
NIST CSF
National Institute of Standards and Technology
– Cybersecurity Framework (CSF)
– A voluntary commercial framework
* Framework Core
– Identify, Protect, Detect, Respond, and Recover
* Framework Implementation Tiers
– An organization's view of cybersecurity risk and processes to manage the risk
* Framework Profile
– The alignment of standards,
ISO/IEC frameworks
International Organization for Standardization /International Electrotechnical Commission
* ISO/IEC 27001
– Standard for an Information Security Management System (ISMS)
* ISO/IEC 27002
– Code of practice for information security controls
* ISO/IEC 27701
– Privacy Information Management Systems (PIMS)
* ISO 31000
– International standards for risk management practices
SSAE SOC 2 Type I/II
The American Institute of Certified Public Accountants (AICPA) auditing standard Statement on Standards for Attestation Engagements number 18 (SSAE 18)
* SOC 2 - Trust Services Criteria (security controls)
– Firewalls, intrusion detection, and multi-factor authentication
* Type I audit
– Tests controls in place at a particular point in time
* Type II audit
– Tests controls over a period of at least six consecutive months
CSA
Security in cloud computing
– Not-for-profit organization
* Cloud Controls Matrix (CCM)
– Cloud-specific security controls
– Controls are mapped to standards, best practices, and regulations
* Enterprise Architecture
– Methodology and tools
– Assess internal IT groups and cloud providers
– Determine security capabilities
– Build a roadmap
How do you harden an OS?
– Updates
– User account policies like minimum password length, etc.
– Network access and security
– Monitor and secure using AV and anti-malware, etc.
How do you harden a web server?
Secure configuration
– Information leakage: Banner information, directory browsing
– Permissions: Run from a non-privileged account, configure file permissions
– Configure SSL: Manage and install certificates
– Log files: Monitor access and error logs
What are some ways to harden an app server?
Very specific functionality
– Disable all unnecessary services
* Operating system updates
– Security patches
* File permissions and access controls
– Limit rights to what’s required
– Limit access from other devices
How do you harden infrastructure devices?
Purpose-built devices
– Embedded OS, limited OS access
* Configure authentication
– Don’t use the defaults
* Check with the manufacturer
– Security updates
– Not usually updated frequently
– Updates are usually important
What is ISO 27001?
International Organization for Standardization (ISO) 27001 is a standard that sets out the best practice specification for an information system. The ISO guides information security by addressing people and processes as well as technology.
What is ISO 27002?
International Organization for Standardization (ISO) 27002 is a supplementary standard that focuses on the information security controls that organizations might choose to implement.
What is SOC Type I?
A Service Organization Control (SOC) Type I report addresses internal controls over financial reporting.