Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 01_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 01_ocred.pdf
- Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 02_ocred.pdf
- Chapter 5 - 02 - UISG and Compliance Program - 02_ocred.pdf
- Chapter 5 - 02 - UISG and Compliance Program - 03_ocred.pdf
- Chapter 5 - 02 - UISG and Compliance Program - 02_ocred_fax_ocred.pdf
- Chapter 5 - 02 - UISG and Compliance Program - 03_ocred_fax_ocred.pdf
Full Transcript
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Module Discuss Various Regulatory Frameworks, Laws, and Acts Learn to Design and Develop Security Policies Flow \ ' &%.. Understand Information Security Governance and Compliance. Learn to Conduct Diff...
Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Module Discuss Various Regulatory Frameworks, Laws, and Acts Learn to Design and Develop Security Policies Flow \ ' &%.. Understand Information Security Governance and Compliance. Learn to Conduct Different Types of Security and Awareness Training Program , Discuss Various Regulatory Frameworks, Laws, and Acts This section explains the need for compliance and how to comply with a regulatory framework. This section also explains the various regulatory frameworks, laws, and acts. It describes frameworks, laws, and acts such as the Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Sarbanes—Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), ISO Information Security Standards, Digital Millennium Copyright Act (DMCA), and Federal Information Security Management Act (FISMA). Module 05 Page 502 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Regulatory Frameworks Compliance It is often required for the organizations to comply with some type of security regulation Complying with regulatory frameworks is a collaborative effort between governments and private bodies to encourage voluntary/mandatory improvements to cybersecurity IT security regulatory frameworks contain a set of guidelines and best practices Copyright © by | pyrig L All Rights Reserved, 8 Reproductionis Strictly ¥y Prohibited Regulatory Frameworks Compliance (Cont’d) Role of Regulatory Frameworks Compliance in an Organization’s Administrative Security Regulatory Frameworks Example: PCI-DSS: q 3: Encrypt cardholder data Example: Encryption Policy Standards Example: Encryption standards such as Data Encryption Standard, Advanced Encryption Standard, and Rivest-Shamir-Adleman algorithm Example: Data encryption procedures, practices, and guidelines Procedures, Practices, and Guidelines Copyright © by L All Rights Reserved. Reproduction Is Strictly Prohibited. Regulatory Frameworks Compliance Regulatory framework compliance is a set of guidelines and best practices established in order for organizations to follow and, thus, meet their regulatory needs, enhance processes, improve protection, and accomplish any other objectives based on the industry and data types maintained. It is often required for the organizations to comply with some type of security regulation. Complying with regulatory frameworks is a collaborative effort between governments and private bodies to encourage voluntary/mandatory improvements to cybersecurity. Module 05 Page 503 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Regulatory compliance prevents organizations from incurring large fines or being victim to data breaches. Most organizations comply with more than one regulatory framework. Deciding which framework, policies, and controls are best compatible with an organization’s compliance goals is a difficult task. At the same time, regulatory framework compliance has an evolving nature because organizational environments are always in flux. Generally, these guidelines are leveraged by = Internal auditors and other stakeholders who assess the controls an organization requires; = External auditors who assess the controls an organization requires; and = QOthers/third parties (private/governments) such as key customers and investors who assess risk before collaborating with an organization. IT security regulatory frameworks contain a set of guidelines and best practices. IT security regulatory frameworks inform businesses that they need to follow these guidelines and best practices to meet regulatory requirements, improve security, and achieve certain business objectives. To ensure cybersecurity, organizations regulatory framework compliance: must Regulatory Frameworks implement the following standards to meet Example: PCI-DSS: Requirements 3: Encrypt cardholder data Example: Encryption Policy Standards Procedures, Practices, and Guidelines Example: Encryption standards such as Data Encryption Standard, Advanced Encryption Standard, and Rivest-Shamir-Adleman algorithm Example: Data encryption procedures, practices, and guidelines Figure 5.1: Role of Regulatory Frameworks Compliance in an Organization’s Administrative Network Security Regulatory Frameworks: Under a framework, an organization must document its policies, standards as well as procedures, practices, and guidelines. Each of these aspects have different purposes; hence, they cannot be combined into one document. Examples of regulatory frameworks include the Payment Card Industry—Data Security Standard (PCI-DSS) Requirement 3: Protect stored cardholder data. = Policies Policies are high-level statements dealing with the administrative network security of an organization. These are leveraged by an organization’s senior management. Organizations require at least one policy in place. A policy is viewed as a business mandate and has a top-down management. Some examples of policy include email and encryption policies. They generally outline the o Security roles and responsibilities, Module 05 Page 504 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 o Scope of information to be secured, o Description of the required controls for securing information, and o References to standards and guidelines that support the policies. Standards Standards comprise specific low-level mandatory controls or controls related to the implementation of a specific technology useful for enforcing and supporting policies and ensuring consistent businesses security. As noted earlier, this includes password policy such as password standards for password complexity, or encryption policy, which include standards such as data encryption standard (DES), advanced encryption standard (AES), and Rivest—-Shamir—Adleman algorithms. Procedures, Practices, and Guidelines Procedures or standard operating procedures (SOP) comprise step-wise instructions useful for implementing the controls that are defined by multiple policies, standards, and guidelines such as a procedure for secure Windows installation or data encryption procedure, practices, and guidelines. Guidelines comprise recommendations, but non-mandatory controls, as well as general statements, administrative instructions, or best practices useful for supporting standards or acting as a reference when no standards in place. Guidelines and best practices are interchangeable. These changes are environment-dependent and must be reviewed more often than standards and policies. For example, a standard may state that a password should be eight characters or more, while a supporting guideline may state that it is also a best practice to follow password expiration and data encryption guidelines. Module 05 Page 505 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.
