Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Why Organizations Need Compliance Q IT security regulation and standards improve overall security of an organization by meeting regulatory requirements O Improved security, in turn, prevents security breaches, which can cost loss to company O Customer trusts the organization in belief that their information is safe Why Organizations Need Compliance Information security compliance should be a requirement than a choice for organizations, since the money, time, and efforts invested in the compliance is worth more than the cost of risks. The advantages that regulatory framework compliance brings for an organization include: = Improved Security: IT security regulations and standards improve the overall security of an organization by meeting baseline regulatory requirements. These baseline requirements ensure consistent data security. = Minimized Losses: Improved security can prevent security breaches, which otherwise can lead to losses, repair costs, legal fees, or hefty fines. = Maintenance of Trust: Data breaches cause companies to lose their reputation and trust from customers. Compliances makes customers trust an organization with the belief that their information is safe. * Increased Control: An organization’s security increases with increased controls such as preventing employees from committing mistakes, implementing strong credential systems and encryption systems, or monitoring outside threats. Module 05 Page 506 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Identifying Which Regulatory Framework to Comply An organization needs to assess itself to determine which regulatory framework applies to it best ofe ¢ For example, following table shows different regulations and which organization would be subject to the scope of the regulatory framework B by C e e b Lt Y Any company or office that deals with healthcare data, including, but not limited to, doctor’s offices, insurance companies, business associates, and employers Sarbanes Oxley Act U.S. public company boards, management, and public accounting firms Federal Information Security Management Act of 2002 (FISMA) Al federal agencies must develop a method of protecting information systems Gramm Leach Bliley A A Biiey Act {GLBA) Payment Card Industry Data Security Standard (PCI-DSS) Companies that offer financial products or services to individuals such as loans, financial or investment advice, or insurance Companies handling credit card information Copyright © by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited. Identifying Which Regulatory Framework to Comply An organization must perform a self-assessment to ascertain the regulatory frameworks that best applies to it. This compliance assessment involves identifying gaps between the existing control environment and an organization’s requirements. However, this is a challenging task wherein an organization should fully understand its needs and function to understand which controls suit its size and complexity. When assessing compliance, an organization must consider the following: * Financial institution letters; » National Institute of Standards and Technology publications; * Industry implementation guidance and recommendations—for example, international standards such as I1ISO 27002 or the National Institute of Standards and Technology Framework for cybersecurity enhancement; and = Notice the cybercrimes, new exploits, and new trends to ascertain the possibility of a large-scope breach. For example, following table shows different regulations and which subject to the scope of the regulatory framework. Regulatory Framework organization would Organizations within Scope Health Insurance Portability and Accountability Act (HIPAA) Any company or office that deals with healthcare data, including, but not limited to, doctor’s offices, insurance companies, business associates, and employers Sarbanes Oxley Act U.S. public company boards, management, and public e accounting firms Module 05 Page 507 be Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Federal Information Security Management Act of 2002 (FISMA) Gramm Leach Bliley Act (GLBA) Exam 212-82 All federal agencies must develop a method of protecting | information systems Companies that offer financial products or services to individuals such as loans, financial or investment advice, or insurance Payment Card Industry Data Security Standard (PCI-DSS) Companies handling credit card information Table 5.1: Different Regulatory Framework and Organizations within the Scope of Regulatory Framework Module 05 Page 508 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Deciding on How to Comply to Regulatory Framework O When an organization falls within scope of certain regulatory framework, it needs to correctly interpret regulatory requirements in the regulator framework to be complied with QO Based on those regulatory requirements, an organization needs to establish policies, procedures, and security controls to manage and maintain compliance For example, the following table shows some of the PCI-DSS regulatory requirements: PCI-DSS requirement No 1.1.1: “A formal process for approving and testing all network PCI-DSS requirement no 1.1.6: router configurations.” Jjustification for use of all services, protocols, and ports allowed, including connections and changes to the firewall and R PCI-DSS Requirement No 1.2.1: “Restrict “Documentation and business Regulatory requirements documentation of security features inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” Provision for detecting all unauthorized Policies, procedures, and controls to satisfy the requirements network connections to/from an organization’s IT assets implemented for those protocols considered to be insecure.” Policies, procedures, and Provision for looking insecure protocols = and services running on systems controls to satisfy the requirements Copyright © by | cil All Rights Reserved. Reproduction is Strictly Prohibited Deciding on - - How to t o gu Re Comp PCI-DSS requirement no 1.3.1: “Implement a DMZ to limit lv latorv Regulatory requirements Framework (Cont ) d) inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.” PCI-DSS Requirement No 1.3.2: “Limit inbound Internet traffic t to IP addresses within the DMZ.” PCI-DSS Requirement NO 1.3.5: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.” i 1 Policies, procedures, and controls to satisfy the requirements Provision for checking how traffic is flowing across the DMZ to/from the internal network PCI-DSS PCI-DSS requirement no 5.1: “Deploy anti-virus software on all systems commonly aoffected by malicious software (particularly personal computers and servers).” Regulatory requirements PCI-DSS requirement no 5.3: “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.” Policies, procedures, and controls to satisfy the requirements Provision for detecting malware infection when anti-virus protection is disabled on the machines ~— Copyright © by | mncil All Rights Reserved. Reproduction ks Strictly Prohibited Deciding on How to Comply to Regulatory Framework An organization needs to correctly interpret its regulatory requirements once it has confirmed its framework. Then, it must analyze and interpret the collected information to determine how the collected information is relevant to an organization’s services. Next, discuss and sort all an organization’s internal/external personnel ambiguities, uncertainties, and problems faced during the interpretation of the identified compliance information. Assess and determine the order for suitable compliance requirements such as important implications and risks of possible breaches. Module 05 Page 509 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 Separate/group the compliance requirements that are perceived as, first, important and central; then, only important; and finally, pertinent, but incidental, for an organization’s operations. Based on the regulatory requirements, an organization needs to establish proper policies, procedures, and security controls to organize its information security. For example, the following table shows some of the PCI-DSS regulatory requirements. PCI-DSS PCI-DSS requirement No 1.1.1: “A formal process for approving and testing all network connections and changes to the firewall Regulatory requirements Policies, procedures, and controls to satisfy the requirements and router configurations.” PCI-DSS Requirement No 1.2.1: “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” Provision for detecting all unauthorized network connections to/from an organization’s IT assets Table 5.2: PCI-DSS Requirement No 1.1.1 and 1.2.1 PCI-DSS Regulatory requirements PCI-DSS requirement no 1.1.6: “Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.” Policies, procedures, and controls to satisfy the Provision for looking insecure protocols and services running on requirements systems Table 5.3: PCI-DSS Requirements No 1.1.6 PCI-DSS PCI-DSS requirement no 1.3.1: “/mplement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.” Regulatory requirements PCI-DSS Requirement No 1.3.2: “Limit inbound Internet traffic to IP addresses within the DMZ.” PCI-DSS Requirement NO 1.3.5: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.” Policies, procedures, and controls to satisfy the requirements Provision for checking how traffic is flowing across the DMZ to/from the internal network Table 5.4: PCI-DSS Requirement No 1.3.1,1.3.2,1.3.5 Module 05 Page 510 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Administrative Controls Exam 212-82 PCI-DSS PCI-DSS requirement no 5.1: “Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).” Regulatory requirements PCI-DSS requirement no 5.3: “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.” Policles, procedures, and Provision for detecting malware infection when anti-virus... protection is disabled on the machines controls to satisfy the.. requirements Table 5.5: PCI-DSS Requirement No 5.1 and 5.3 Module 05 Page 511 Certified Cybersecurity Technician Copyright © by EG-Souncil All Rights Reserved. Reproduction is Strictly Prohibited.