5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture

  • Regulations, Standards, and Legislation
    • General Data Protection Regulation (GDPR)
    • National, Territory, or State Laws
    • Payment Card Industry Data Security Standard (PCI DSS)
  • Key Frameworks
    • Center for Internet Security (CIS)
    • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF)
    • International Organization for Standardization (ISO) 27001/27002/27701/31000
    • SSAE SOC 2 Type I/II
    • Cloud Security Alliance
    • Cloud Control Matrix
    • Reference Architecture
  • Benchmarks/Secure Configuration Guides
    • Platform/Vendor-Specific Guides
      • Web Server
      • OS
      • Application Server
      • Network Infrastructure Devices

A framework is a set of rules or best practices that an organization can adopt to secure its infrastructure, reduce risk, and improve processes.

A framework can be regulatory or non-regulatory.  A regulatory framework is one that is imposed by a local, state, or federal government.  An organization subject to a regulatory framework must follow it.  A non-regulatory framework is one created by an industry organization or trade group.  An organization is not required to follow a non-regulatory framework, but it is recommended.  The organization may have to choose between multiple non-regulatory, industry-specific frameworks.

Frameworks can be national or international.  An organization may do business differently in different countries and therefore may require the use of different frameworks.

By adopting a framework, an organization may secure additional contracts or gain recognition.  For example, an oil company may only hire vendors that have recognized health and safety policies.  An organization that does not adopt an industry-recognized framework may be held liable in the event of an incident.  For example, a vendor who does not have a health and safety policy may be held criminally negligent in the event of an easily preventable accident.

An organization may need to hire an industry expert or lawyer to ensure that they have implemented the correct frameworks.  Ignorance of the law is not an excuse.

Examples of regulatory frameworks

  • State and federal occupational health and safety regulations (personal protective equipment, working at heights, lock out)

  • Food and Drug Administration Food Safety and Drug Safety regulations

  • Health Insurance Portability and Accountability Act (regulates health information)

  • Sarbanes-Oxley (regulates publicly traded corporations)

An important law in the European Union is the General Data Protection Regulation (GDPR).  It protects the personal information of EU citizens.  An organization may not collect data about an EU citizen unless at least one of the following criteria is met:

  • The subject has given consent

  • To fulfill contractual obligations with a data subject

  • To comply with the law

  • To protect the vital interests of the subject or another individual

  • To do something that is in the public interest

  • To do something that is in the interest of the data processor (unless these interests are in conflict with those of the subject)

The subject has the following rights:

  • The right to access his personal information and to know how it is being processed

  • The right to transfer his personal information from one system to another

  • The right to be forgotten.  This was replaced with the right of erasure.  A subject has the right to request that his data be erased unless the legitimate interests of the controller are greater than the interests of the subject.

A data processor must:

  • Design data protection into their business processes

  • Perform risk management on data collection processes

  • Use pseudonymization

  • Maintain records of data processing

  • Appoint a data protection officer
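As an added illustration of the pseudonymization obligation listed above (example code, not part of the original notes): direct identifiers are replaced with a keyed HMAC-SHA256 token, and the re-identification table is kept apart from the working data set.  The records and key are constructed for the example; a keyed token is used rather than a plain hash because a plain hash of a short e-mail address can be guessed by anyone holding the output.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (no real people).
RECORDS = [
    {"name": "Ana Berg", "email": "ana@example.org", "item": "headphones", "amount": 79.0},
    {"name": "Ana Berg", "email": "ana@example.org", "item": "cable", "amount": 9.5},
    {"name": "Omar Diaz", "email": "omar@example.org", "item": "monitor", "amount": 210.0},
]

# Fields that identify a person directly and must not travel with the working data.
DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Secret key for the tokens; stored with the lookup table, never with the data."""
    return secrets.token_bytes(32)


def pseudonymize(records: list[dict], key: bytes, lookup: dict) -> list[dict]:
    """Return copies of the records with identifiers replaced by a stable token.

    The same person always gets the same token, so analysts can still count
    repeat customers, but the token cannot be reversed without the key.
    `lookup` (token -> identifiers) is the controller's separate re-identification table.
    """
    out = []
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        pseudo = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        out.append(pseudo)
    return out


def erase_subject(lookup: dict, token: str) -> bool:
    """Right of erasure: dropping the lookup entry leaves that subject's rows unlinkable."""
    return lookup.pop(token, None) is not None


if __name__ == "__main__":
    table: dict = {}
    for row in pseudonymize(RECORDS, new_key(), table):
        print(row)
    print("subjects in lookup table:", len(table))
```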

If you violate the GDPR, you could receive a warning, an audit, or a fine of up to 20 million Euros or 4% of your annual revenue, whichever is greater.

The GDPR applies to all companies that process data belonging to EU citizens, not just those that are present in the EU.

Examples of non-regulatory frameworks

  • Payment Card Industry Data Security Standard (regulates payment card data security and storage)

Examples of industry-specific frameworks

  • Nuclear safety regulations

  • Financial Crimes Enforcement Network

Some important frameworks

  • Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS regulates the way that credit card data is stored and transmitted.  Some of the things that it covers:

    • Firewall to protect credit card data

    • OS hardening

    • Changing default passwords

    • Protecting stored credit card data

    • Limitations on what type of credit card data can be stored

    • Encryption

    • Encrypted transmission of data

    • Antivirus

    • Vulnerability management programs

    • Authentication of authorized users

    • Audit trails

    • Information security policy

  • Center for Internet Security (CIS).  CIS provides about 100 different benchmarks.  Each benchmark is a document that outlines the best way to securely configure a type of technology.  Some of the products covered:

    • Google Chrome

    • Firefox

    • Cisco Routers

    • Cisco Switches

    • Amazon Web Services

    • Microsoft Windows Server

    • Microsoft Exchange

    • Docker

    • Oracle Database

    • VMware

    • Zoom

  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF).  The Risk Management Framework is a 7-step process that is used to implement security and privacy risk management.

    • Prepare – plan a risk management strategy

    • Categorize – group different types of information

    • Select – choose the required controls

    • Implement – implement the controls

    • Assess – validate whether the controls are working

    • Authorize – authorize the system to operate

    • Monitor – monitor and update the system

  • International Organization for Standardization (ISO) 27001/27002/27701/31000.  ISO makes different standards for quality assurance and management.  For your organization to say that it is compliant with an ISO standard, it must undergo a formal audit.

    Each standard is given a different number.  The family of ISO 27000 standards all cover information security.

    • ISO 27001 – covers the requirements for a formal information security management system

    • ISO 27002 – covers the requirements for a formal information security management system and security controls

    • ISO 27701 – privacy extension for ISO 27001.  Covers the use and storage of Personally Identifying Information

    • ISO 31000 – family of frameworks for risk management

  • Statements on Standards for Attestation Engagements (SSAE) are standards that are put out by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board.  SSAE is a Generally Accepted Accounting Standard.  The current version is version 18.

    The purpose of the standard is to conduct an audit of a financial system.  When an audit is performed, the standard results in a report known as a SOC Type 1 or SOC Type 2, which shows that a financial statement is accurate, complete, and fair.  However, it can theoretically be applied to any other subject.  In other words, does the organization have internal controls to prevent fraud and bad behavior?  Can we trust what they say?

    • A SOC Type 1 report is an assessment of the design of the organization’s internal controls.

    • A SOC Type 2 report is an assessment of the operating effectiveness of the organization’s internal controls.  If the controls are designed well but people bend the rules, then the controls are meaningless.

  • Cloud Security Alliance.  The Cloud Security Alliance is a group that promotes best practices and education with respect to cloud security.  The Cloud Security Alliance publishes a questionnaire (almost 200 questions) that you can use to evaluate whether a cloud provider is up to standard.

  • Cloud Controls Matrix.  The Cloud Controls Matrix is a framework for securing a cloud service.  It is developed by the Cloud Security Alliance.  There are 197 controls that can be implemented across 17 different domains of cloud technology.  The domains include:

    • Audit and Assurance

    • Application & Interface Security

    • Business Continuity Management and Resilience

    • Change Control and Configuration Management

    • Cryptography, Encryption and Key Management

    • Datacenter Security

    • Data Security and Privacy

    • Governance, Risk Management and Compliance

    • Human Resources Security

    • Identity & Access Management

    • Interoperability & Portability

    • Infrastructure & Virtualization Security

    • Logging and Monitoring

    • Security Incident Management, E-Discovery, & Cloud Forensics

    • Supply Chain Management, Transparency & Accountability

    • Threat & Vulnerability Management

    • Universal Endpoint Management

  • Reference Architecture.  A Reference Architecture is a template for a common configuration.  We should follow the template to ensure that our configuration is secure.  The reference might also tell us how different parts of the system work together.

A Benchmark is a minimum standard that an organization can use to ensure that their devices are properly configured.  A benchmark may also be known as a “best practice”.

The benchmark may be issued by a specific vendor such as Cisco, Juniper, or Fortinet.  For example, Cisco publishes a Cisco IOS Security Configuration Guide, which is over 3000 pages long.  This guide covers the best security practices for configuring Cisco routers, switches, and access points.  A vendor will usually know best about how its devices should be configured.

A benchmark may also be issued for a type of platform such as a web server, operating system, application server, or network device.  This benchmark is not vendor-specific, and is written in general terms, and is therefore not exhaustive.

A General-Purpose Guide outlines general security policies for an organization but is not specific to a device or technology.

Areas where we might find a common or vendor-specific configuration guide:

  • Web Servers

    • Apache

    • Nginx

    • Cloudflare

    • IIS

    • LiteSpeed

    • Google

  • Operating Systems

    • Microsoft Windows

    • macOS

    • UNIX / Linux

  • Application Servers

  • Network Infrastructure Devices

    • Switches

    • Routers

    • Firewalls

    • Wireless Access Points