Lesson 8


IEEE 802 LAN/MAN Standard Family

Defines how various types of LAN and MAN protocols work

IEC standards will be most applicable from what perspective?

Most applicable from an IT perspective related to physical computer and networking hardware

NIST Special Publications 800

Series that contains many standards providing guidance for information systems security activities

True or false: The U.S. doesn't have one comprehensive data protection law. Instead, many laws focus on different types of data found in different vertical industries

True

True or false: The International Organization for Standardization (ISO) publishes many standards for multiple agencies

True
-International Standard Book Number (ISBN)
-Open Systems Interconnection (OSI) reference model

International Telecommunications Union (ITU) Telecommunication Sector

-A United Nations agency
-Formed in 1865, it's responsible for managing and promoting information and technology issues
-ITU-T (Telecommunication Sector) performs all ITU standards work
-Responsible for ensuring the efficient and effective production of standards covering all fields of telecommunications for all nations

Gramm-Leach-Bliley Act (GLBA)

-Addresses the privacy and security of consumer financial information
-Aka: Financial Services Modernization Act of 1999
-Due to financial institutions' vulnerability to fraud, they must follow GLBA privacy and security rules to mitigate data breaches and identity theft
-Any financial transaction such as borrowing, lending, credit counseling, debt collection, or similar activities requires special attention in maintaining privacy of consumer data
-Requires financial institutions to protect consumers' nonpublic financial information

Internet Architecture Board provides oversight to the following:

-Architecture for internet protocols and procedures
-Processes used to create standards
-Editorial and publication procedures for RFCs
-Confirmation of IETF chair and technical area directors

Payment Card Industry Data Security Standard (PCI DSS) requirements

-Build and maintain secure networks
-Protect cardholder data
-Maintain a vulnerability management program
-Implement strong access control measures
-Regularly monitor and test networks
-Maintain an information security policy

Standards the World Wide Web Consortium (W3C) created:

-Cascading Style Sheets (CSS)
-Common Gateway Interface (CGI)
-HyperText Markup Language (HTML)
-Simple Object Access Protocol (SOAP)
-Web Services Description Language (WSDL)
-Extensible Markup Language (XML)

Compliance

-Compliance is the act of following laws, rules, and regulations that apply to your organization
-Slides 68 & 69: examples of compliance laws

Internet Architecture Board

-Considered a sub-committee of the IETF
-Serves as an advisory body to the Internet Society (ISOC)

European Telecommunications Standards Institute Cyber Security Technical Committee (ETSI)

-Develops standards for information and communications technologies that are commonly adopted by member countries in the European Union
-Covers both wired and various wireless communications technologies
-Proposed standards to enforce privacy and security for organizations and citizens across Europe

National Institute of Standards and Technology (NIST):

-Federal agency within the U.S. Department of Commerce
-Founded in 1901, its mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
-Provides standards for measurement and technology on which nearly all computing devices rely

Internet Engineering Task Force

-First met in 1986
-Develops and promotes internet standards
-Purpose is to "make the internet work better"
-Focuses on the engineering aspect of internet communications and attempts to avoid policy and business questions
-Works closely with W3C and ISO/IEC, focusing on standards for TCP/IP or the internet protocol suite
-Open organization, no membership requirements
-All participants are volunteers
-Example of contributions: RFC 5878, Transport Layer Security (TLS) Authorization Extensions

Personally Identifiable Information (PII)

-First, middle and last name
-Home mailing address
-Social Security numbers
-Driver's license numbers
-Financial account data, such as account numbers or personal identification numbers (PINs)
-Health data and biometric data
-Authentication credentials, such as logon usernames and passwords

The Federal Information Security Modernization Act of 2014

-Formally assigned the DHS the responsibility for developing, implementing, and ensuring federal government-wide compliance with FISMA information security policies, procedures and security controls
-Does not introduce additional security requirements
-Defines the roles, responsibilities, accountabilities, requirements, and practices that are needed to fully implement FISMA security controls and requirements
-Enacted in December 2014

International Electrotechnical Commission (IEC)

-Formed in 1906 and works closely with the ISO
-Preeminent organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes

International Organization for Standardization (ISO)

-Formed in 1946 and based out of Geneva, Switzerland
-Comprised of a network of 161 national standards institutes
-Nongovernmental international organization
-Goal is to develop and publish international standards
-Serves as a bridge between the public and private sectors
-Additional goal is to develop standards that do not cater to either the public or private sector, but instead reach consensus

Institute of Electrical and Electronics Engineers (IEEE)

-Formed in 1963, it's the world's largest professional association for the advancement of technology
-International nonprofit focusing on developing and distributing standards that relate to electricity and electronics

World Wide Web Consortium (W3C)

-Formed in 1990
-Marked a turning point in the way users accessed resources on the internet
-Created protocols and guidelines to unify the World Wide Web
-Approximately 419 members representing businesses, nonprofit organizations, universities and government agencies

Payment Card Industry Data Security Standard (PCI DSS)

-International standard for handling transactions involving payment cards
-Protects payment card users from fraud and preempts legislative requirements on the industry
-Requires layers of controls to protect all payment card-related information as it's processed, transmitted and stored
-Compliance is required to do business with any of the member organizations
-Violation could cause a company to lose its ability to process payment cards

ISO/IEC 27002

-Is an update to the now-withdrawn ISO 17799
-Part of a growing family of general information security standards
-Provides organizations with best-practice recommendations on information security management

Federal Information Security Management Act of 2002 (FISMA)

-It's now the primary law that defines how federal agencies must secure their IT systems
-Created in response to the September 11, 2001, terrorist attacks
-The attacks stressed the need for better information security in the federal government
-After the attacks, the realization was made that computer security for federal IT systems wasn't where it needed to be
-Applies to federal agencies and their IT systems
-Later amended by FISMA 2014

American National Standards Institute (ANSI)

-One of the leading standards agencies in the United States, formed in 1918
-Goal is to strengthen the U.S. marketplace within the global economy
-Strives to ensure the safety and health of consumers and the protection of the environment
-Oversees the creation, publication, and management of standards/guidelines that directly affect businesses in every sector
-Produces standards that affect nearly all aspects of IT
-Primarily addresses standards that support software development and computer system operations

How are privacy and information security related?

-Most federal data protection laws contain both privacy and information security requirements
-Privacy is a person's right to control the use and disclosure of their own personal information
-Information security is the process used to keep data private. Security is the process, privacy is the result

The Family Educational Rights and Privacy Act (FERPA)

-Passed in 1974, it applies to any education agency or institution that receives federal funding
-Primary goal is to protect the privacy of student records
-Includes written documents, computer media, video film and photographs

The Health Insurance Portability and Accountability Act (HIPAA)

-Passed in 1996 and amended in 2009
-Data protection rules that address the security and privacy of personally identifiable health information
-Protected Health Information (PHI): any individually identifiable information about a person's health
-Health plans, health care clearinghouses, and any health care provider that transmits PHI in an electronic form are included under this Act

The Children's Internet Protection Act (CIPA)

-Passed in 2000
-Requires certain schools and libraries to filter offensive internet content so that children cannot access it
-CIPA defines a minor as anyone under the age of 17
-Offensive content includes any visual depictions that are considered obscene, child pornography, or anything harmful to minors if the computer is accessed by a minor

The International Electrotechnical Commission (IEC) addresses:

-Power generation
-Power transmission and distribution
-Commercial and consumer electrical appliances
-Semiconductors
-Electromagnets
-Batteries
-Solar energy
-Telecommunications

The Sarbanes-Oxley Act (SOX)

-Protects investors from financial fraud
-Applies to publicly traded companies that must register with the SEC
-SOX provisions require companies to verify the accuracy of their financial information
-Protects investors from fraudulent financial activities

Under FERPA, students (or their parents if the student is under 18) have the following rights:

-Right to know what data is in the student's record and the right to inspect and review the record
-Right to request that a school correct errors in a student record
-Right to consent to have certain kinds of student data released

ISO/IEC 27002 divides the new standard into 12 major sections:

-Risk Assessment
-Security Policy
-Organization of Information Security
-Asset Management
-Human Resources Security
-Physical and Environmental Security
-Communications and Operations Management
-Access Control
-Information Systems Acquisition, Development and Maintenance
-Information Security Incident Management
-Business Continuity Management
-Compliance

SP 1800 NIST Cybersecurity Practice Guides

A sub-series of special publications initiated by NIST in 2015. It extends SP 800 and targets issues related to the implementation of cybersecurity in the public and private sectors

The best-known IEEE standards family related to information security is:

IEEE 802 LAN/MAN Standard family

BLUF (Internet Architecture Board):

An important committee that has substantial influence over many standards that affect the internet

SOX Section 404:

Requires an organization's executive officers to establish, maintain, review and report on the effectiveness of the company's internal controls over financial reporting

ANSI Code:

Standard that defines a set of values used to represent characters in a computer

Payment Card Industry Data Security Standard (PCI DSS) vendors include:

Visa, Mastercard, Discover, American Express, Japan Credit Union etc.

Compliance usually asks the questions:

What are the rules? How must the rules be followed?
