Chapter 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
Benchmarks
A benchmark is a documented set of configuration requirements (for example, which services must be disabled, which authentication settings apply, which logging must be enabled) against which a system, device, or software product is measured before it is allowed to operate in a securely managed environment. Checking a system against a benchmark yields a pass or fail result for each requirement, which makes its security posture measurable and the check repeatable.
Secure Configuration Guides
A general-purpose secure configuration guide is broader in its recommendations than a product-specific guide: it states hardening goals that apply across many platforms (disable unneeded services, enforce least privilege, enable logging) rather than the exact settings for a single software or hardware product. Product-specific guides, such as vendor hardening guides, translate those goals into concrete settings for one product.
Key Security Frameworks
A security framework is a guide or plan for keeping organizational assets safe. It provides a structure to the implementation of security for both new organizations and those with a long security history.
SSAE Reports
The American Institute of Certified Public Accountants (AICPA) established the Statement on Standards for Attestation Engagements (SSAE), currently SSAE 18, the auditing standard under which System and Organization Controls (SOC) reports are produced. A SOC 2 Type 1 report describes a service organization's security controls and attests that they are suitably designed at a point in time; a Type 2 report additionally tests whether those controls operated effectively over a review period (typically 6 to 12 months). SOC 2 reports are restricted to the organization's customers and auditors, while a SOC 3 report is a summary of the same assessment that can be openly distributed. When evaluating a vendor, a Type 2 report is the stronger evidence, because a Type 1 says nothing about whether the controls actually operated.
CIS
The Center for Internet Security (CIS) publishes the CIS Benchmarks, consensus-developed secure configuration guides for operating systems, applications, cloud platforms, and hardware from a wide range of vendors. Each benchmark recommendation names the setting it governs, the value it requires, and how to audit and remediate it, so many recommendations can be checked automatically against a system's actual configuration.
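To make the idea of a benchmark check concrete (this applies to the Benchmarks entry above as well as to CIS), the following is an added example written for this page, not code from CIS or from the original notes. It parses a constructed sshd_config and evaluates it against four hypothetical rules modelled on CIS-style SSH recommendations; the rule IDs (SSH-01 to SSH-04) and both sample configurations are invented for illustration. It also handles two details a real checker must get right: an absent directive is judged by the daemon's default rather than skipped, and sshd honours the first occurrence of a duplicated keyword, so a "fix" appended to the end of the file does not count.

```python
"""Benchmark-style configuration check for an sshd_config file.

Added illustration, not code from CIS or from the page. The four rules are
modelled on CIS-style SSH recommendations; the rule IDs (SSH-01 ...) and the
sample configurations below are constructed for this example.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id title keyword default check")

# Hypothetical benchmark: each rule names the directive it governs, the value
# sshd assumes when the directive is absent, and a predicate for compliance.
RULES = [
    Rule("SSH-01", "Ensure SSH root login is disabled",
         "PermitRootLogin", "yes", lambda v: v.lower() == "no"),
    Rule("SSH-02", "Ensure SSH PermitEmptyPasswords is disabled",
         "PermitEmptyPasswords", "no", lambda v: v.lower() == "no"),
    Rule("SSH-03", "Ensure SSH X11 forwarding is disabled",
         "X11Forwarding", "no", lambda v: v.lower() == "no"),
    Rule("SSH-04", "Ensure SSH MaxAuthTries is set to 4 or less",
         "MaxAuthTries", "6", lambda v: v.isdigit() and int(v) <= 4),
]

# Constructed sample of an out-of-the-box host. The duplicate PermitRootLogin
# at the end is deliberate: sshd honours the FIRST occurrence of a keyword.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
X11Forwarding yes
PermitRootLogin no
"""

# Constructed sample after remediation. X11Forwarding is omitted on purpose so
# the check falls back to sshd's default ("no").
HARDENED_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
"""


def parse_sshd_config(text):
    """Return the effective directives as {lowercase keyword: value}.

    Mirrors sshd's rules: blank lines and lines starting with '#' are ignored,
    keywords are case-insensitive, and the first occurrence of a keyword wins.
    Match blocks are not handled; this is a global-settings check only.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def evaluate(config_text, rules=RULES):
    """Evaluate a config against the benchmark; returns a list of result dicts."""
    effective = parse_sshd_config(config_text)
    results = []
    for rule in rules:
        # An absent directive is judged by the daemon's default, not skipped:
        # a benchmark scores the effective behaviour, not the file's contents.
        value = effective.get(rule.keyword.lower(), rule.default)
        results.append({"id": rule.rule_id, "title": rule.title,
                        "value": value, "passed": bool(rule.check(value))})
    return results


def score(results):
    """Return (passed, total) for a list of results."""
    return sum(1 for r in results if r["passed"]), len(results)


def report(config_text, label):
    results = evaluate(config_text)
    passed, total = score(results)
    print(f"{label}: {passed}/{total} checks passed")
    for r in results:
        status = "PASS" if r["passed"] else "FAIL"
        print(f"  [{status}] {r['id']} {r['title']} (effective: {r['value']})")


if __name__ == "__main__":
    report(WEAK_SSHD_CONFIG, "weak")        # 1/4 checks passed
    report(HARDENED_SSHD_CONFIG, "hardened")  # 4/4 checks passed
```

The weak sample scores 1 of 4: PermitRootLogin stays "yes" despite the trailing "no", MaxAuthTries 10 exceeds the limit, and X11Forwarding is explicitly enabled. The hardened sample passes all four even though X11Forwarding is absent, because the check evaluates the effective default. A production checker would read the running daemon's effective configuration (sshd -T) rather than the file, which also resolves Match blocks and include files.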
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a not-for-profit group that promotes security best practices for cloud computing. The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud environments; its controls are mapped to other standards and regulations so that one assessment can support several compliance obligations. The CSA Enterprise Architecture (EA), also called the CSA reference architecture, is a set of cloud security tools and an operational methodology for assessing the security of a cloud computing environment.
Compliance
Compliance is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements. Compliance is an essential element of security governance.
GDPR
The General Data Protection Regulation (GDPR) is the European Union (EU) data protection and privacy law that protects individuals in the EU and the European Economic Area (EEA). It governs how personal data (the GDPR term for PII) may be collected, processed, and retained, and it restricts transfers of that data outside the EU and EEA. It applies to any organization that processes EU/EEA residents' personal data, regardless of where the organization itself is located.
ISO 27001
ISO/IEC 27001 specifies the requirements for establishing, operating, and continually improving an information security management system (ISMS); it is the standard an organization is audited and certified against.
ISO 27002
ISO/IEC 27002 provides implementation guidance for the security controls listed in Annex A of ISO 27001. In the 2013 edition those controls were organized into 14 control groups; the 2022 edition reorganizes them into 93 controls under four themes (organizational, people, physical, and technological).
ISO 27701
ISO/IEC 27701 extends ISO 27001 and ISO 27002 with requirements and guidance for establishing and maintaining a privacy information management system (PIMS).
ISO 31000
ISO 31000 is a family of standards and guidelines for enterprise risk management. It is not security-specific; a security program built on it treats security risks with the same identification, assessment, and treatment process the organization applies to its other business risks.
RMF/CSF
The National Institute of Standards and Technology (NIST) publishes both the Risk Management Framework (RMF, NIST SP 800-37) and the Cybersecurity Framework (CSF). Both are US government guides for establishing and maintaining security, but the RMF establishes the mandatory process federal agencies follow to categorize their systems and to select, implement, assess, and authorize security controls, whereas the CSF is a voluntary framework, originally designed for critical infrastructure and widely adopted by commercial organizations, that organizes security activities into core functions (Identify, Protect, Detect, Respond, and Recover in version 1.1, with Govern added in version 2.0).
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements, maintained by the PCI Security Standards Council, for protecting cardholder data and securing electronic payment transactions. It applies to any organization that stores, processes, or transmits payment card data, and it is a contractual industry standard enforced by the card brands and acquiring banks rather than a government regulation.
