⚖️Complying with Laws, Regulations, and Standards
Legislators and regulators around the world take an interest in cybersecurity due to the potential impact of cybersecurity shortcomings on individuals, government, and society.
Whereas the European Union (EU) has a broad-ranging data protection regulation, cybersecurity analysts in the United States are forced to deal with a patchwork of security regulations covering different industries and information categories.
General Data Protection Regulation (GDPR): This is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It came into effect on May 25, 2018. Non-compliance can result in heavy fines. Here are some examples of the types of personal data protected under the GDPR:
Basic Identity Information: This includes name, address, and ID numbers.
Web Data: This includes location, IP address, cookie data, and RFID tags.
Health and Genetic Data: This includes medical records, biometric data, and genetic information.
Racial or Ethnic Data: This includes any data related to an individual's racial or ethnic origin.
Political Opinions: This includes any data related to an individual's political views or party affiliation.
Sexual Orientation: This includes any data related to an individual's sexual orientation or sexual life.
Biometric Data: This includes any data related to physical, physiological, or behavioral characteristics, including facial images and fingerprints.
National or State Laws: There are many national and state laws related to information security, and they vary widely. Here are a couple of examples:
California Consumer Privacy Act (CCPA): This is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA's main intent is to provide California residents with the right to know what personal data is being collected about them, whether their personal data is sold or disclosed and to whom, to say no to the sale of personal data, and to access their personal data.
Payment Card Industry Data Security Standard (PCI DSS): This is an information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. It was created to increase controls around cardholder data to reduce credit card fraud.
Sarbanes-Oxley Act (SOX): This is a U.S. law passed in 2002 to protect investors from fraudulent financial reporting by corporations. It mandates strict reforms to improve financial disclosures from corporations and prevent accounting fraud. SOX is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.
Health Insurance Portability and Accountability Act (HIPAA): This is a U.S. federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. Covered entities (which include healthcare providers, insurers, and their business associates) are required to implement secure electronic access to health data and to remain in compliance with privacy regulations set by the U.S. Department of Health and Human Services (HHS).
Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act of 1999, this U.S. federal law requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Family Educational Rights and Privacy Act (FERPA): This is a U.S. federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.
🩻Key Frameworks
A cybersecurity framework serves as a guide for organizations to manage and mitigate risks associated with cybersecurity. It provides a structured methodology for identifying, implementing, monitoring, and improving the security of information systems.
🌍Center for Internet Security (CIS)
The Center for Internet Security (CIS) is a non-profit organization that works to safeguard private and public organizations against cyber threats.
Founded in 2000, CIS provides a wide range of tools, best practices, guidelines, and services to help organizations protect their systems and data from cybersecurity threats. One of the most well-known resources provided by CIS is the CIS Controls (formerly known as the CIS Critical Security Controls), a prioritized set of actions that collectively form a defense-in-depth set of best practices to mitigate the most common attacks against systems and networks.
These controls are widely recognized in the industry and provide a roadmap for organizations to improve their cybersecurity posture.
🏛️National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF)
The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, is responsible for developing cybersecurity standards across the U.S. federal government.
The guidance and standards documents it produces in this process often have wide applicability across the private sector and are commonly referred to by nongovernmental security analysts because they are available in the public domain and are typically of very high quality. NIST has developed several frameworks and standards to help organizations manage their cybersecurity risks.
Two of the most well-known are the Risk Management Framework (RMF) and the Cybersecurity Framework (CSF).
NIST Risk Management Framework (RMF): The RMF provides a process that integrates security, privacy, and risk management activities into the system development life cycle. The RMF is used by federal agencies in the U.S. to certify and accredit their systems, but it can also be used by non-governmental organizations.
The RMF process is divided into the following six steps:
Step 1: Categorize Information System: Identify the types of information and systems involved to determine the potential impact of a security breach.
Step 2: Select Security Controls: Based on the categorization, select appropriate security controls from NIST Special Publication 800-53.
Step 3: Implement Security Controls: Apply the selected controls and document how they are deployed within the system and environment of operation.
Step 4: Assess Security Controls: Evaluate the controls to ensure they are implemented correctly, operating as intended, and producing the desired outcome.
Step 5: Authorize Information System: Based on the assessment, make a risk-based decision whether to authorize operation of the system.
Step 6: Monitor Security Controls: Continuously monitor the controls, document changes, conduct security impact analyses of changes, and report the security state of the system.
NIST Cybersecurity Framework (CSF): The CSF is a set of voluntary guidelines designed to help organizations manage and reduce cybersecurity risk. It was created through collaboration between government and the private sector and is widely used in various industries. It is mainly used in the private sector.
The CSF is built around five core functions:
Identify: Develop an understanding of the organization's risk to systems, assets, data, and capabilities.
Protect: Implement safeguards to ensure delivery of critical services and to limit or contain the impact of a potential cybersecurity event.
Detect: Implement activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity event.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Mnemonic for the five functions: In Paris Daring Robbers Retreat!
🏢International Organization for Standardization (ISO)
ISO standards are developed by the International Organization for Standardization (ISO), an independent, non-governmental international organization that develops and publishes international standards.
These standards are agreed upon by experts from member countries around the world and cover a wide range of topics, from technology and food safety to agriculture and healthcare.
ISO standards ensure that products, processes, and services are fit for their purpose.
ISO/IEC 27001 (ISMS Requirements):
Purpose: This standard provides requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Key Components: It outlines a systematic approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
ISO/IEC 27002 (Actual Practice):
Purpose: This standard provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems.
Key Components: It covers organizational structure, policies, procedures, processes, and resources. The controls and control mechanisms are drawn from those listed in ISO/IEC 27001. While 27001 sets the requirements for an ISMS, 27002 provides a detailed description of the security controls that might be used to mitigate risks to information.
ISO/IEC 27701 (Privacy Extension):
Purpose: This is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization's ISMS.
Key Components: It provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world. It is particularly relevant for organizations that act as data processors or data controllers as per the GDPR.
ISO 31000 (Risk Management):
Purpose: This standard provides international guidelines on risk management, helping organizations create a framework for managing risk.
Key Components: It outlines a systematic approach to identifying, assessing, and managing risk. The standard covers principles and guidelines for creating a risk management framework and process. It is applicable to any organization regardless of size, industry, or sector.
Difference between 27001 and 27002
While ISO/IEC 27001 sets out the criteria for an ISMS and allows for certification, ISO/IEC 27002 provides a detailed set of best practices that can help organizations select and implement the appropriate security controls.
👨🏽⚖️SSAE SOC 2 Type I/II
SSAE (Statement on Standards for Attestation Engagements) is a set of auditing standards and guidance on the engagements undertaken by service auditors. Developed by the American Institute of Certified Public Accountants (AICPA), SSAE provides the authoritative guidance for conducting an attestation engagement.
SOC (System and Organization Controls) reports are a part of this framework and are designed to help service organizations provide trust and transparency regarding their controls that affect user entities' financial statements and controls related to security, availability, processing integrity, confidentiality, or privacy.
There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. Here, we'll focus on the SOC 1 report, which comes in two types: Type 1 and Type 2.
SOC 1 Type 1:
Purpose: Evaluates and reports on the design of controls at a service organization as of a specified point in time.
Scope: Focuses on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives stated in the description.
Duration: As it is a point-in-time assessment, it does not provide assurance about the operating effectiveness of controls over a period.
SOC 1 Type 2:
Purpose: Evaluates and reports on the design and operating effectiveness of controls at a service organization over a specified period (at least 6 months).
Scope: In addition to evaluating the design of controls (as in Type 1), it also assesses the operating effectiveness of those controls over a specified period, typically 6 to 12 months.
Duration: Provides assurance on the effectiveness of controls over a period, making it more comprehensive than a Type 1 report.
In essence:
Type 1 provides a "snapshot" of the service organization's control environment at a specific point in time.
Type 2 provides insights into the operational effectiveness of controls over a period, offering a more thorough assessment.
Organizations often start with a Type 1 report and then move to a Type 2 report in subsequent periods. User entities and their auditors often prefer Type 2 reports because they provide assurance not only on the design but also on the operational effectiveness of the service organization's controls.
⛈️Cloud Security Alliance
The Cloud Security Alliance (CSA) is a non-profit organization that was founded in 2009 to promote best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.
Here's a detailed overview of the CSA:
Mission and Vision: The CSA's mission is to define and raise awareness of best practices to help ensure a secure cloud computing environment. Its vision is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing.
Research Initiatives: CSA conducts research initiatives to address critical issues and challenges related to cloud computing security. These initiatives are led by CSA's working groups, which focus on various cloud security topics such as threat intelligence, incident response, mobile security, and more.
Guidance and Best Practices: One of the CSA's most well-known publications is the "Security Guidance for Critical Areas of Focus in Cloud Computing," which provides a comprehensive overview of cloud security issues and best practices.
Certifications and Tools: CSA offers several tools and certification programs to help cloud users and providers implement and manage cloud security. Some of these include:
Cloud Controls Matrix (CCM): A cybersecurity control framework for cloud computing that is aligned with the CSA best practices. The Cloud Controls Matrix serves as a comprehensive framework for ensuring cloud security, bridging the gap between traditional security measures and the unique challenges posed by cloud environments.
Consensus Assessments Initiative Questionnaire (CAIQ): A questionnaire based on the CCM, which cloud consumers and auditors can use to assess the security capabilities of cloud providers.
Certificate of Cloud Security Knowledge (CCSK): A widely recognized certification that demonstrates knowledge in key cloud security areas.
Global Presence: The CSA has a global presence with chapters around the world that conduct local research, hold events, and provide training.
Collaboration: CSA collaborates with other industry players, including governments, to develop cloud security frameworks, standards, and certifications. It also works with other industry groups to promote cloud security best practices and standards.
Events and Training: CSA organizes global events, webinars, and training sessions to educate and promote cloud security awareness.
Reference Architecture: A reference architecture provides a blueprint for securely leveraging cloud computing. It offers a high-level conceptual framework that standardizes the functional components, their relationships, and the interactions required for delivering cloud services. The CSA's reference architecture aims to provide a more detailed understanding of the architectural elements comprising a cloud ecosystem and offers a cohesive structure that ensures comprehensive cloud security.
In essence, the Cloud Security Alliance plays a pivotal role in shaping the future of cloud security by providing research, tools, certifications, and collaboration opportunities for professionals and organizations in the cloud computing ecosystem.
📏Benchmarks / Secure Configuration Guides
Benchmarks and secure configuration guides play a crucial role in enhancing an organization's security posture.
These tools provide standardized sets of recommendations, best practices, and configurations to ensure systems are set up securely from the start and maintained in a secure state throughout their lifecycle.
Hardening is the process of securing a system by reducing its vulnerability to unauthorized access or malicious activity.
This involves eliminating unnecessary services, applying the latest patches and updates, and configuring settings in a way that bolsters security.
Web Servers:
Remove Unnecessary Services: Disable any services or applications that are not required to reduce potential attack vectors.
Patch and Update: Ensure the web server software (e.g., Apache, Nginx, IIS) is up-to-date with the latest security patches.
Disable directory listing.
Implement proper file and directory permissions.
Use secure protocols (e.g., HTTPS) for data transmission.
Add banner information and disable any type of directory browsing.
Enable SSL for encryption.
Be able to monitor and report on access logs and error logs.
Authentication and Authorization: Implement strong authentication mechanisms and ensure only authorized individuals can access the server's management functions.
Logging: Enable detailed logging and regularly review logs to detect and respond to suspicious activities.
Content Security: Ensure that only safe and necessary content is hosted, and regularly scan for malware.
Operating Systems:
Patch Management: Regularly update the OS with the latest patches.
Remove Unnecessary Services and Applications: Only install and run essential services and applications.
Use strong password policies.
Disable default accounts or change their passwords.
Limit the use of administrative accounts.
File System Security: Implement proper file and directory permissions. Use encryption for sensitive data.
Network Security: Use firewalls to restrict unnecessary inbound and outbound traffic.
Logging and Monitoring: Enable and regularly review system logs.
Application Servers:
Patch and Update: Ensure the application server software (e.g., Tomcat, WebSphere, JBoss) is up-to-date with security patches.
Disable default accounts or change their passwords.
Remove or disable default applications or samples.
Authentication and Authorization: Implement strong authentication mechanisms and ensure only authorized individuals can access the server.
Session Management: Use secure session handling mechanisms and set session timeouts.
Isolation: Run the application server with the least required privileges and isolate it from other services.
Logging: Enable detailed logging and monitor for suspicious activities.
Network Infrastructure Devices (e.g., routers, switches, firewalls):
Change Default Credentials: Default usernames and passwords are well-known and should be changed immediately.
Disable Unnecessary Services: Turn off any services or protocols not in use.
Access Control: Restrict administrative access to a limited set of IP addresses and use secure methods (e.g., SSH instead of Telnet).
Patch and Update: Regularly update firmware with security patches.
Configuration Backups: Regularly back up configurations and store them securely.
Network Segmentation: Use VLANs and other techniques to segment the network and limit lateral movement.
Logging and Monitoring: Enable logging and regularly review logs to detect and respond to suspicious activities.
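Several of the web-server items above (directory listing disabled, HTTPS enabled, access and error logging on, proper file permissions) can be checked mechanically, which is what a benchmark scanner does. The following is an added example written for these notes; it is not code from any CIS benchmark or other published tool. It audits a constructed Nginx-style configuration and a constructed directory tree: the directive names (autoindex, listen ... ssl, ssl_certificate, ssl_certificate_key, access_log, error_log) are real Nginx directives, while the two sample configs, the paths in them, and the temporary file tree are constructed here so the script runs offline. The permission check assumes a POSIX filesystem.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str


def directives(config: str):
    """Yield (name, value) for each simple directive in an Nginx-style config.

    Comments and block braces are skipped; nesting is ignored because the
    checks below only ask whether a directive appears anywhere in the file.
    """
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.rstrip(";").partition(" ")
        yield name, value.strip()


def audit_config(config: str) -> dict:
    """Run the configuration checks and return Findings keyed by check name."""
    d = list(directives(config))
    results = {}

    # Directory listing: a single "autoindex on" enables directory browsing.
    autoindex_on = any(n == "autoindex" and v == "on" for n, v in d)
    results["directory_listing_disabled"] = Finding(
        "directory_listing_disabled", not autoindex_on,
        "autoindex on present" if autoindex_on else "no autoindex on")

    # HTTPS: a TLS listener plus a certificate and key must all be configured.
    tls_listener = any(n == "listen" and "ssl" in v.split() for n, v in d)
    has_cert = any(n == "ssl_certificate" for n, _ in d)
    has_key = any(n == "ssl_certificate_key" for n, _ in d)
    results["https_enabled"] = Finding(
        "https_enabled", tls_listener and has_cert and has_key,
        f"tls_listener={tls_listener} cert={has_cert} key={has_key}")

    # Logging: access_log and error_log present, and access logging not "off".
    access = [v for n, v in d if n == "access_log"]
    error = [v for n, v in d if n == "error_log"]
    logging_ok = bool(access) and bool(error) and not any(v == "off" for v in access)
    results["logging_enabled"] = Finding(
        "logging_enabled", logging_ok, f"access_log={access} error_log={error}")
    return results


def audit_permissions(root: str) -> list:
    """Flag world-writable paths and private keys readable by group or others."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append(Finding("world_writable", False, rel))
            if name.endswith(".key") and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(Finding("private_key_exposed", False, rel))
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """
server {
    listen 80;
    root /var/www/html;
    autoindex on;        # directory browsing enabled
    access_log off;      # access logging switched off
}
"""

HARDENED_CONFIG = """
server {
    listen 80;
    return 301 https://$host$request_uri;   # redirect plain HTTP to HTTPS
}
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.key;   # placeholder path
    root /var/www/html;
    autoindex off;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;
}
"""


def build_sample_tree() -> str:
    """Create a constructed web root: one correct and two weak permission sets."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    for rel, mode in [("html", 0o755), ("html/uploads", 0o777), ("conf", 0o700)]:
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)      # uploads is world-writable
    for rel, mode in [("html/index.html", 0o644), ("conf/server.key", 0o644)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)                         # the key is world-readable
    return root


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for f in audit_config(cfg).values():
            print(f"  [{'PASS' if f.passed else 'FAIL'}] {f.check}: {f.detail}")
    print("== permissions ==")
    for f in audit_permissions(build_sample_tree()):
        print(f"  [FAIL] {f.check}: {f.detail}")
```

Running the script reports three failures for the weak configuration and none for the hardened one, and flags the world-writable uploads directory and the group/world-readable private key in the sample tree. The same pattern (parse the configuration, evaluate each benchmark item as a pass/fail finding, report the failures) carries over to the operating-system and network-device items above; only the parser and the per-item predicates change.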