Cybersecurity Interview questions


SIG (Standardized Information Gathering questionnaire)

Used by an outsourcer to evaluate its service providers' risk controls. Completed by a service provider and used proactively as part of a request for proposal (RFP) response. Completed by a service provider and sent to its client(s) in lieu of completing one or more proprietary questionnaires. Used by an organization for self-assessment.

How do you govern various security objects?

Various security objects are governed with the help of KPIs (Key Performance Indicators). Take Windows patching as an example: the agreed KPI might be 99%, meaning that 99% of PCs have the latest or last month's patch installed. Other security objects can be managed along the same lines.

What is the difference between VA and PT?

Vulnerability Assessment is an approach used to find flaws in an application or network, whereas Penetration Testing is the practice of finding exploitable vulnerabilities the way a real attacker would. VA is like travelling over the surface, whereas PT is digging into it for gold.

What Is Zero Trust for the Cloud?

Zero Trust is an IT security model that eliminates the notion of trust to protect networks, applications and data. This is in stark contrast to the traditional perimeter security model, which presumes that bad actors are always on the untrusted side of the network, and trustworthy users are always on the trusted side. With Zero Trust, these assumptions are nullified and all users are presumed to be untrustworthy.

According to Forrester Research, a leading research and advisory firm, a Zero Trust solution must:
- Ensure only known, allowed traffic or legitimate application communication is allowed by segmenting and enabling Layer 7 policy.
- Leverage a least-privileged access strategy and strictly enforce access control.
- Inspect and log all traffic.

Otherwise, it can be fairly simple for an attacker to gain access to a company's network. These principles may be straightforward to implement in an enterprise network, but how do they apply to the cloud? You can apply the same concepts to the cloud by driving access through a security gateway for secure least-privileged access. However, it has become clear that implementing a gateway is not enough for Zero Trust in the cloud. Your implementation must inspect all traffic for all applications, or it is not truly delivering Zero Trust.

Why Companies Need Zero Trust in a Cloud Environment

Implementing Zero Trust in an enterprise network is predicated on the organization itself controlling the network. It establishes where boundaries can be placed and enforces access controls to shield sensitive applications, such as those within on-premises data centers, from unauthorized access and lateral movement. Today, it's often more cost effective to host an application in the cloud instead of a data center. In fact, according to IDG, a leading technology media company, more than 73% of companies now have applications or infrastructure in the cloud. These cloud environments, operated by cloud service providers and SaaS vendors, are not a part of an organization's network, so the same type of network controls do not apply. As a result, most companies:
- Have applications and data spread out across multiple locations.
- Are losing insight into who is accessing their applications and data, or even what devices are being used to access them (e.g., smartphones, tablets, laptops, etc.), since most of their assets are on third-party infrastructure.
- Are losing insight into how data is being used and shared.

To address these issues, companies often use a variety of access technologies, depending on where their assets are. Most companies use a mix of the following (location: technology used for access):
- On-premises data centers: Remote access VPN
- Private applications (data center, hybrid cloud): Software-defined perimeter
- Public cloud: Inbound proxy or virtualized firewall
- SaaS applications: CASB proxy

NIST 800-53

Covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.[3] The security rules cover 18 areas including access control, incident response, business continuity, and disaster recoverability.[4]

A key part of the assessment and authorization (formerly certification and accreditation) process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F). These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. To implement the needed safeguards or controls, agencies must first determine the security category of their information systems in accordance with the provisions of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems." The security categorization of the information system (low, moderate or high) determines the baseline collection of controls that must be implemented and monitored. Agencies have the ability to adjust these controls and tailor them to fit more closely with their organizational goals or environments.

Control families, e.g.: Access Control; Audit and Accountability; Awareness and Training; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; Planning; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition (I have a NIST and ISO spreadsheet mapping controls)

Talk through processes: how do you prepare for an audit?

Create the audit plan, execute the audit, prepare the report, etc.

SSAE 18/SOC 1

A report that informs a service organization's customers and their customers' auditors about the controls the service organization has in place to safeguard its customers' financial statements. A SOC 1 Report (System and Organization Controls Report) is a report on controls at a service organization which are relevant to user entities' internal control over financial reporting. The SOC 1 Report is what you would previously have considered the standard SAS 70 (or SSAE 16) report, complete with Type I and Type II reports, but it falls under the SSAE 18 guidance (as of May 1, 2017).

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessments, authorization, and continuous monitoring of cloud products and services. FedRAMP certification can be quite costly and difficult to achieve, but it is required if you want to host a U.S. government agency or subcontractor.

AWS

1) Accurate account information, 2) Use multi-factor authentication (MFA), 3) No hard-coding secrets, 4) Limit security groups, 5) Intentional data policies, 6) Centralize CloudTrail logs, 7) Validate IAM roles, 8) Take actions on findings (This isn't just GuardDuty anymore!), 9) Rotate keys, 10) Be involved in the dev cycle

What all should be included in a CEO level report from a security standpoint?

A CEO level report should be no more than 2 pages: a summarised picture of the state of the organisation's security posture, plus quantified risk and ALE (Annual Loss Expectancy) results along with countermeasures.

ISO 27001

A specification for an information security management system (ISMS) comprising the policies and procedures that include all legal, physical and technical controls involved in your information risk management processes. ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.

What are the mitigating controls for AWS?

IAM, MFA.

API Gateway: throttling settings. You can set a standard rate limit and a burst rate limit per second for each method in your REST APIs and each route in WebSocket APIs. Use automated remediation, such as triggering a Lambda function after every API Gateway deployment, with CloudTrail and CloudWatch Events/EventBridge. Use WAF, GuardDuty and AWS Config to track any configuration changes.

Athena: you can encrypt the results of all queries in Amazon S3, which Athena stores in a location known as the Amazon S3 results location. To detect incidents, receive alerts when incidents occur, and respond to them, use these options with Amazon Athena: 1. Monitor Athena with AWS CloudTrail. 2. Monitor Athena with CloudTrail and Amazon QuickSight. 3. Use CloudWatch Events with Athena. 4. Use workgroups to separate users, teams, applications, or workloads, and to set query limits and control query costs.

CloudFront: secure content by configuring HTTPS connections, configuring field-level encryption to encrypt data in transit, and restricting access to content. You can use AWS Shield Advanced for additional protection against larger and more sophisticated attacks on your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53. Use WAF, GuardDuty and AWS Config to track any configuration changes.

EC2: check for any unintended open ports. Use NACLs and Network Firewall to control access to EC2. Use WAF, GuardDuty, Security Hub and AWS Config to track any configuration changes. Use AWS Security Hub to check for unintended network accessibility from your instances. Use VPC Flow Logs to monitor the traffic that reaches your instances. Ensure EC2 is patched automatically.

CloudWatch: you can restrict access to specific alarms and dashboards by using their ARNs in your policies. Use WAF, GuardDuty, Security Hub and AWS Config to track any configuration changes.

DynamoDB: you can enable AWS Config to track the history of resources, and Config Managed Rules to automatically alert or remediate on undesired changes. You can also use a VPC endpoint for DynamoDB to enable Amazon EC2 instances in your VPC to use their private IP addresses to access DynamoDB with no exposure to the public internet. Monitor configuration with AWS Config, and use DynamoDB Streams to monitor update/modify data-plane operations.

Container images: use IAM resource-based policies to control and monitor who and what (e.g., EC2 instances) can access your container images, as well as how, when, and where they can access them. Use NACLs and Network Firewall to control access to EC2. Use WAF, GuardDuty, Security Hub and AWS Config to track any configuration changes. You may monitor traffic using VPC Flow Logs.

What is compliance?

Abiding by a set of standards set by a government, independent party or organisation. E.g., an industry which stores, processes or transmits payment-related information needs to comply with PCI DSS (Payment Card Industry Data Security Standard). Another compliance example is an organisation complying with its own policies.

Perform the Audit & Gather Evidence

An audit can't be a matter of opinion and must be supported by objective evidence that is:
- Reliable: factual and current
- Relevant: supports the audit scope and can be linked to conclusions and recommendations
- Repeatable: the same evidence would be produced by another auditor

For the exam, candidates need to know how to apply the different techniques used to gather evidence, including inquiry, observation, interview, data analysis, sampling, and computer-assisted audit techniques. Often, the easiest approaches can produce the best results. Reviews of the organization's IS standards, policies and procedures can show if controls have been adequately defined, and system-generated logs or database reporting tools can be used to measure their effectiveness.

Annex A (ISO 27001)

Annex A (Operational Controls)
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development & maintenance
15. Supplier relationships
16. Information security incident management
17. Business continuity & security
18. Compliance

What is the difference between policies, processes and guidelines?

A security policy defines the security objectives and the security framework of an organisation. A process is a detailed, step-by-step how-to document that specifies the exact actions necessary to implement an important security mechanism. Guidelines are recommendations which can be customised and used in the creation of procedures.

Perimeter 81 SASE

Building a Migration Plan for SASE Adoption According to Gartner: "Digitalization, work from anywhere and cloud-based computing have accelerated cloud-delivered SASE offerings to enable anywhere, anytime access from any device. Security and risk management leaders should build a migration plan from legacy perimeter and hardware-based offerings to a SASE model." You can't just flip a switch to adopt SASE and enable anywhere, anytime access from any device. Also according to Gartner: "The vast majority of enterprise SASE adoption will occur over several years, prioritizing areas of greatest opportunity in terms of cost savings, eliminating complexity and redundant vendors, and risk reduction through adoption of a zero-trust secure posture."

CCPA

California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.

Communicating the Results of the Audit

Candidates are expected to understand how to prepare an audit report that is clear, complete, and correct. Reporting standards are outlined in the IT Assurance Framework (ITAF) IS Audit and Assurance Standard, and candidates should familiarize themselves with its content before the exam. Communication skills such as facilitation, listening and empathy are important during audit planning, performance and reporting, and make the difference between a report that is quickly dismissed and one that is decisively acted upon. The audit report should cover scope, objectives, period of review, findings, conclusions, recommendations, and any limitations, such as people who could not be interviewed or documentation that couldn't be accessed. If needed, detailed evidence should be included as an appendix. Facts must be accurate and should be double checked, preferably by a peer, and recommendations need to be specific and achievable in a timeframe and at a cost proportionate to the size of the organization. Finally, before the report is issued, the distribution list should be checked to prevent sensitive information from ending up in the wrong hands. Candidates should remember that audit activity does not end with the issue of the report. A further review needs to confirm recommendations have been implemented, and most organizations will implement continuous auditing to ensure controls remain relevant and are meeting their objectives.

CIA triangle?

Confidentiality: Keeping the information secret. Integrity: Keeping the information unaltered. Availability: Information is available to the authorised parties at all times.

CIS Top 20

The CIS Critical Security Controls are a prioritized set of best practices created to stop the most pervasive and dangerous threats of today.

RISK

Cybersecurity risk is the probability of exposure, loss of critical assets and sensitive information, or reputational harm as a result of a cyber attack or data breach within an organization's network.

DDoS and its mitigation?

DDoS stands for distributed denial of service. A network, server or application is flooded with a large number of requests which it is not designed to handle, making the server unavailable to legitimate requests. The requests come from many different, unrelated sources, hence it is a distributed denial of service attack. It can be mitigated by analysing and filtering the traffic in scrubbing centres. Scrubbing centres are centralized data cleansing stations wherein the traffic to a website is analysed and the malicious traffic is removed.

What are the different levels of data classification and why are they required?

Data needs to be segregated into various categories so that its severity can be defined; without this segregation, a piece of information can be critical for one party but not so critical for others. There can be various levels of data classification depending on the organisation, but in broad terms data can be classified into:
- Top secret: its leakage can cause drastic effects for the organisation, e.g. trade secrets.
- Confidential: internal to the company, e.g. policies and processes.
- Public: publicly available, like newsletters.

How do you handle conflict situations

Empathy, being able to understand both sides of a conflict, showing understanding and offering solutions

If we hire you for this job, what will be the first thing you do?

Example from others: Say that you will inspect the current installation and configuration of firewalls, that you will consult the employees and check the logs, that you will basically create a good idea of the IT infrastructure they have in place, and the way it is protected. Then you will specify areas that need immediate improvement, and will proceed with necessary installations and measures. That's a good start in every job really, especially if you are their first information security analyst.

FIPS

FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.

What are the current FIPS? The most current FIPS can be found on NIST's Current FIPS webpage.

Number: Title -- Date
140-2: Security Requirements for Cryptographic Modules -- 2001 May 25 (supersedes FIPS PUB 140-1, 1994 January 11)
180-4: Secure Hash Standard (SHS) -- 2015 August
186-4: Digital Signature Standard (DSS) -- 2013 July
197: Advanced Encryption Standard (AES) -- 2001 November 26
198-1: The Keyed-Hash Message Authentication Code (HMAC) -- 2008 July
199: Standards for Security Categorization of Federal Information and Information Systems -- 2004 February
200: Minimum Security Requirements for Federal Information and Information Systems -- 2006 March
201-2: Personal Identity Verification (PIV) of Federal Employees and Contractors -- 2013 August
202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions -- 2015 August

FISMA

FISMA stands for the Federal Information Security Management Act, which the United States Congress passed in 2002: it requires federal agencies to implement information security plans to protect sensitive data. FISMA compliance is data security guidance set by FISMA and the National Institute of Standards and Technology (NIST). NIST is responsible for maintaining and updating the compliance documents as directed by FISMA. More specifically, NIST:
- Sets minimum requirements for information security plans and procedures.
- Recommends types of security (systems, software, etc.) that agencies must implement and approves vendors.
- Standardizes the risk assessment process and sets varying standards of information security based on agency risk assessments.

Each agency has different levels of security requirements: the National Security Agency and Housing and Urban Development, for instance, have different risk levels and therefore different security requirements.

SOC 2 type 2

Focuses on the implementation of security controls, which is why it is faster than ISO 27001, which focuses on the whole ISMS. A SOC 2 report is a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight

Planning the Audit

Good planning is the foundation of a successful audit. The Audit Charter contains the output from the planning exercise and describes the scope, objectives, approach, timeline, roles, and responsibilities for the audit. Internal audits are approved by senior management, and external audits are a central element of the contract for the audit service. CISA promotes a risk-based approach to audit planning, which means the risks to the business of using IS are identified and the control framework is then reviewed to determine if appropriate risk controls are in place. An understanding of these risks and controls is how the audit scope is developed. Candidates should know how to identify risks for the organization that is being audited and how to determine the effectiveness of the control framework. Standard techniques for risk assessment can be used, but these need to be complemented with a good understanding of the unique business environment. For example, for organizations in regulated industries (HIPAA, SOX, PCI DSS, etc.), there will be specific risks that must be considered and controls that need to be evaluated. During the planning stage, auditors must collaborate with IS and business teams to define the scope accurately and ensure everything is covered. Since regulators may ask to review audit reports, the audit plan should also describe how evidence will be stored and for how long. Audits should be performed as frequently as needed. An annual audit is a minimum, but audits will likely be more frequent in response to other triggers, such as an incident, a request from management to confirm compliance with a new regulation, or the implementation of new or changed systems.

Where do you see yourself in 5 years?

I see myself in GRC mastering all of security frameworks, and conducting audits with the CISA certification

How to say IDK?

I'm unfamiliar with that concept but I'm more than happy to have an answer by end of day.

The Process of Auditing Information Systems

- Manage the audit process in accordance with IS audit standards
- Plan audits, ensuring the scope matches the needs of the organization being audited
- Perform the audit and gather appropriate evidence
- Communicate the results and recommendations to stakeholders

SANS Top 25

The SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

What are your strengths?

My constant curiosity and desire to learn; I believe in lifelong learning and I'm confident this sets me up for success. Examples of others: - My strength is my adaptability, being an effective team player, and diligence in accomplishing goals. - I feel my main strength is my focus and determination in successfully accomplishing the goals I have set out for myself. - For example, one of the personal goals I have set for myself, and also something I feel is one of my greatest accomplishments, was completing my dual major and dual minor while maintaining a balance between my professional and personal life. It was something that was definitely challenging and took a lot of discipline, and I was met with a variety of challenges and I also encountered discouragement from authoritative figures. (Ex: a nurse advisor consistently pushed me to drop my second major and kept telling me that I couldn't do it.) - However, despite these challenges, by focus and persistence and maintaining a positive attitude I was able to complete both my majors and graduate with honors.

DFARS 7012/NIST 800-171

NIST SP 800-171 was developed for use on contractor and other nonfederal information systems and networks to protect Controlled Unclassified Information (CUI). DFARS Clause 252.204-7012 requires that contractors implement NIST SP 800-171 to protect systems and networks that process, store, or transmit "covered defense information" (as defined in the clause). NIST SP 800-171 provides a single, Government-wide set of performance-based security requirements that significantly reduce unnecessary specificity (e.g., as compared to prescribing detailed security controls), which enables contractors to comply in most cases by using or adapting systems and practices already in place.

How often should Patch management be performed?

Patches should be applied as soon as they are released. For Windows, Microsoft releases patches every second Tuesday of the month; they should be applied to all machines no later than 1 month after release. The same applies to network devices: patch as soon as the patch is released. Follow a proper patch management process.

Client Work experience (SG)

Policies, procedures, MSSP and EDR negotiation and managed deployment. That's actually a good one... look at the spec sheets for the Cylance EDR product and be prepped to talk through the difference between traditional antivirus and an EDR product.

Risk assessment

Risk = probability x severity x strength of controls

How do you report risks?

Risk can be reported, but it needs to be assessed first. Risk assessment can be done in 2 ways: quantitative analysis and qualitative analysis. This approach caters to both technical and business audiences. The business side can see probable loss in numbers, whereas the technical side will see the impact and frequency. Depending on the audience, the risk can be assessed and reported accordingly.

Components that comprise an AWS environment, the types of threat actors involved, and the types of attacks against those environments.

Components: Secrets Manager, KMS, S3, EC2, Lambda, EC2 Container Registry, EC2 Container Service, VPC, Redshift, RDS, CloudFront, Route53, DynamoDB, API Gateway, CloudTrail, ElastiCache, Elasticsearch Service, EFS, EMR, Kinesis, MWAA, Glue, CloudWatch.

Secrets Manager - Disgruntled admin: uses a Secrets Manager account to steal sensitive internal information. How: uses the AWS Secrets Manager account to retrieve secrets such as database credentials, then uses these secrets across AWS accounts by attaching resource-based policies to secrets; shares secrets with competitors.

KMS - Disgruntled admin: steals credentials and data. Has the privileges to access KMS, accesses KMS and steals credentials (keys).

API Gateway and CloudTrail - Disgruntled admin, data theft: modifies API configurations in API Gateway; data exfiltration through resource sharing with other accounts; lateral movement between AWS accounts abusing trust relationships.
Disgruntled admin, disrupt operations: lateral movement between AWS accounts abusing trust relationships; creates additional trails, modifies existing trails.
Disgruntled admin, disable logging to hide artifacts from the attack: lateral movement between AWS accounts abusing trust relationships; creates additional trails, modifies existing trails.

SOC

System and Organization Controls (SOC) is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles.[1] The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18 (SSAE 18), section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.

Explain risk, vulnerability and threat?

TIP: A good way to start this answer is by explaining vulnerability, then threat, and then risk. Back this up with an easy-to-understand example. A vulnerability (weakness) is a gap in the protection efforts of a system; a threat is an attacker who exploits that weakness; risk is the measure of potential loss when the vulnerability is exploited by the threat. E.g. a default username and password on a server: an attacker can easily break into this server and compromise it.

What is the difference between Asymmetric and Symmetric encryption and which one is better?

TIP: Keep the answer simple as this is a vast topic. Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption uses different keys for encryption and decryption. Symmetric is usually much faster, but the key needs to be transferred over an unencrypted channel. Asymmetric, on the other hand, is more secure but slow. Hence, a hybrid approach should be preferred: set up a channel using asymmetric encryption, then send the data using a symmetric cipher.

Philanthropy

That you intend to continue to help others in information security and GRC by helping to mentor those who are trying to get into the field.

FISCAM

The Federal Information System Controls Audit Manual (FISCAM) presents a methodology for auditing information system controls in federal and other governmental entities. This methodology is in accordance with professional standards.

About FISCAM: As computer technology has advanced, federal agencies and other government entities have become dependent on computerized information systems to carry out their operations. To help ensure the proper operation of these systems, FISCAM provides auditors with specific guidance for evaluating the confidentiality, integrity, and availability of information systems consistent with Generally Accepted Government Auditing Standards, also known as the Yellow Book, and the Financial Audit Manual. FISCAM is also consistent with the National Institute of Standards and Technology's (NIST) guidelines for complying with the Federal Information Security Modernization Act of 2014 (FISMA). This law requires federal agencies to develop, document, and implement agency-wide programs to ensure information security. NIST Special Publication 800-53 provides recommended security controls for federal information systems and organizations, and appendix 3 of FISCAM provides a crosswalk to those controls.

How to access FISCAM: the entire FISCAM (2009) is available for download in PDF format, and appendixes 1-3 as a zipped Word document for entering data to support the gathering and analysis of audit evidence.

GDPR

The General Data Protection Regulation is the EU's regulation on data protection and privacy. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

HECVAT

The HECVAT (Higher Education Community Vendor Assessment Toolkit) is a questionnaire framework specifically designed for higher education to measure vendor risk. Before you purchase a third-party solution, ask the solution provider to complete the HECVAT to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and your constituents' PII.

HIPAA

The Health Insurance Portability and Accountability Act. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and health insurance industries should be protected from fraud and theft, and address limitations on health insurance coverage. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS)

NIST

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. NIST's activities are organized into laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement.

OWASP Top 10

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

PCI

The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

How does a Process Audit go?

The first step is to define the scope of the audit and obtain the documentation of the process. Study the document carefully, then identify the areas you consider weak. The company might have compensating controls in place for those areas; verify that they are sufficient.

Special Publications (SP)

The most applicable grouping of special publications for cybersecurity is the NIST SP 800 series. The NIST Special Publication 800 series contains industry-leading recommendations for information security including risk management frameworks, security requirements, and security controls. The NIST Special Publication 1800 series is relatively new compared to the 800 or 500 series and represents practice guides for cybersecurity. The 1800 series can be thought of as the how-to guides for implementing NIST standards in organizations. Overall, organizations are leveraging the NIST framework for security standards, cyber threat prevention, the basis for incident response, and how to conduct risk assessments. With the rise of cloud computing, practical guidance on how to protect personally identifiable information (PII) is one of the key reasons why organizations are flocking to the NIST standards.

When should a security policy be revised?

There is no fixed interval for reviewing a security policy, but it should be reviewed at least once a year and whenever a significant change occurs (a new regulation, a major incident, or a change in business or technology). Any changes made should be recorded in the document's revision history and reflected in its version number. In case of major changes, the users need to be notified as well.
