5.2 Explain importance of applicable regulations, standards or frameworks
ISO 27701
Provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system with private data.
SOC Type III
less detailed report certifying compliance with SOC2
The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards? (Select all that apply.)
1. ISO - International Organization for Standardization - int. standard for information technology security. maps to CSA CCM 2. SOX - Sarbanes-Oxley Act - helps to protect investors from fraudulent financial reporting by large corporations. maps to CSA CCM 3. NIST - National Institute of Standards and Technology - provides a security policy for how private sector orgs. can assess and improve their ability to prevent, detect, and respond to cyber attacks. Maps to CSA CCM
Which of the following protection and accountability principles does the General Data Protection Regulation (GDPR) provide to consumers? (Select all that apply.)
1. data minimization - A data controller should only collect and process as much data as necessary for the purposes specified. 2. Integrity and confidentiality 3. Purpose limitation - The GDPR ensures organizations must process data that was collected for the explicit purposes specified to the data subject
ISO 31000
A risk management framework that assists an organization in integrating risk management into day to day functions.
ISO 27002
A supplementary standard that focuses on the information security controls that organizations might choose to implement.
A legacy application is preparing to migrate its client-server infrastructure to a cloud environment. The capability delivery manager submits a request for a proposal to various cloud service providers (CSPs). What standardized metric should the CSPs use to evaluate themselves for the project? A. CSA CCM B. SSAE C. NIST CSF D. ISO
A. CSA CCM
A company contracted by the Department of Defense is bound to comply with the Federal Information Security Management Act (FISMA) to reduce the security risk to federal information and data while managing federal spending on information security. This compliance pertains to which type of legislation? A. National B. Industry specific C. International D. Non-regulatory
A. National - FISMA is a United States national law
A global transportation company completes a risk assessment against their information technology infrastructure and would like to implement a cybersecurity framework to help manage their information security by addressing people and processes, as well as technology. Which is the best solution for the company to purchase? A. 27701 B. 27002 C. 31000 D. 27001
D. 27001
A large online retailer is responsible for protecting consumer accounts by encrypting transmitted data, using and maintaining firewalls to prevent unauthorized access, restricting data and physical access to accounts, and maintaining access logs. These requirements are part of which benchmark for consumer data protection? A. PC DSS B. NIST CSF C. HIPPA D. Regulatory
A. PC DSS - a set of 12 requirements aimed to ensure companies that process, store, or transmit credit card info. maintain a secure environment.
SOC Type I
Addresses internal controls over financial reporting.
ISO 27001
A standard that sets out the best practice specifications for an information system.
In the International Organization for Standardization (ISO) series, which of the following contains what organizations must do when implementing an information system that processes private data? A. 27001 B. 31000 C. 27701 D. 27002
C. 27701
Which of the following requires informed consent before data can be collected, processed or retained? A. GLBA B. SOX C. GDPR D. PCI DSS
C. GDPR - European Union's General Data Protection Regulation - personal data cannot be collected, processed, or retained without the individual's informed consent.
Which Service Organization Control (SOC) level of reporting in the Statements on Standards for Attestation Engagements (SSAE) assesses the ongoing effectiveness of the security architecture of a system in a certain period of time? A. Type III B. Type I C. Type II D. ISO 27701
C. Type II - provides assurances about the effectiveness of controls in place in an org. within a given timeframe
CIS-CAT
Center for Internet Security Configuration Access Tool. - Can be used with automated vulnerability scanners to test compliance against these benchmarks.
CSA CCM
Cloud Security Alliance Cloud Controls Matrix. - A framework that provides guidance in security domains, including application security. identity and access management, mobile security, encryption, and key management, and data center operations.
A company needs to evaluate the overall security posture of the firm. Analyze the following options to determine which is the best solution. A. National Checklist Program (NCP) B. Security Technical Implementation Guides (STIGs) C. Center for Internet Security COnfiguration Access Tool (CIS-CAT) D. Center for Internet Security Risk Assessment Method (CIS-RAM)
D. Center for Internet Security Risk Assessment Method (CIS-RAM) - Can be used to perform an overall evaluation of security posture.
A company is determining what should be in a contract with a new Cloud Service Provider (CSP). Which resource from the Cloud Security Alliance will give the company the baseline level of security competency that the CSP should meet? A. Enterprise reference architecture B. Security guidance C. Statements on Standards for Attestation Engagements (SSAE) D. Cloud controls matrix
D. Cloud controls matrix - The cloud controls matrix lists specific controls and assessment guidelines that should be implemented by CSPs.
Industry specific
Govern certain industreis, such as financial and healthcare organizations. - e.g., PC DSS and HIPAA
GLBA
Gramm-Leach-Bliley Act - Federal law in the US and is a vertical law for the financial sector.
Non-regulatory
Identifies common standards and best practices that companie can follow. - Not required by law.
ISO
International organization for Standardization - an international standard for informatin technology security.
NCP
National Checklist Program - Provides checklists and benchmarks for a variety of operating systems and applications.
NIST CSF
National Institute of Standards and Technology Cyber Security Framework - Provides a security policy for how private sector organizations can assess and imporve their ability to prevent, detect, and respond to cybersecurity attacks
PCI DSS
Payment Card Industry Data Security Standard - Defines the safe handling and storage of financial information.
SOX
Sarbanes-Oxley Act - Mandates the implementation of risk assessments, internal controls, and audit procedures in the United States.
STIGs
Secure Technical Implementation Guides. - Hardening guidelines for a variety of software and hardware solutions.
SSAE
Statements on Standards for Attestation Engagements (SSAE) - an audit specification guide developed for accountants.