Chapter 5 - 01 - Discuss Various Regulatory Frameworks, Laws, and Acts PDF
Summary
This document discusses various regulatory frameworks, laws, and acts relevant to information security, including PCI-DSS, HIPAA, GDPR, SOX, GLBA, ISO Information Security Standards, the Digital Millennium Copyright Act (DMCA), and the Federal Information Security Management Act (FISMA).
Full Transcript
Certified Cybersecurity Technician, Network Security Controls: Administrative Controls, Exam 212-82

Module Flow: Understand Information Security Governance and Compliance; Learn to Design and Develop Security Policies; Learn to Conduct Different Types of Security and Awareness Training Program; Discuss Various Regulatory Frameworks, Laws, and Acts

Discuss Various Regulatory Frameworks, Laws, and Acts

This section explains the need for compliance and how to comply with a regulatory framework. It also describes the various regulatory frameworks, laws, and acts, including the Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), ISO Information Security Standards, Digital Millennium Copyright Act (DMCA), and Federal Information Security Management Act (FISMA).

Module 05 Page 502. Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Regulatory Frameworks Compliance

Regulatory framework compliance is a set of guidelines and best practices established for organizations to follow in order to meet their regulatory needs, enhance processes, improve protection, and accomplish other objectives based on the industry and the data types maintained. Organizations are often required to comply with some type of security regulation. Complying with regulatory frameworks is a collaborative effort between governments and private bodies to encourage voluntary or mandatory improvements to cybersecurity. IT security regulatory frameworks contain a set of guidelines and best practices.
Regulatory compliance prevents organizations from incurring large fines or falling victim to data breaches. Most organizations comply with more than one regulatory framework. Deciding which framework, policies, and controls are most compatible with an organization's compliance goals is a difficult task. At the same time, regulatory framework compliance is evolving in nature because organizational environments are always in flux. Generally, these guidelines are leveraged by:

- Internal auditors and other stakeholders who assess the controls an organization requires;
- External auditors who assess the controls an organization requires; and
- Others/third parties (private/governments), such as key customers and investors, who assess risk before collaborating with an organization.

IT security regulatory frameworks contain a set of guidelines and best practices. They inform businesses that they need to follow these guidelines and best practices to meet regulatory requirements, improve security, and achieve certain business objectives. To ensure cybersecurity, organizations must implement the following standards to meet regulatory framework compliance:

Figure 5.1: Role of Regulatory Frameworks Compliance in an Organization's Administrative Network Security
- Regulatory Frameworks. Example: PCI-DSS Requirement 3: Encrypt cardholder data
- Policies. Example: Encryption policy
- Standards. Example: Encryption standards such as the Data Encryption Standard, Advanced Encryption Standard, and Rivest-Shamir-Adleman algorithm
- Procedures, Practices, and Guidelines. Example: Data encryption procedures, practices, and guidelines

Regulatory Frameworks: Under a framework, an organization must document its policies, its standards, and its procedures, practices, and guidelines. Each of these has a different purpose; hence, they cannot be combined into one document.
Examples of regulatory frameworks include the Payment Card Industry Data Security Standard (PCI-DSS) Requirement 3: Protect stored cardholder data.

Policies: Policies are high-level statements dealing with the administrative network security of an organization. They are leveraged by an organization's senior management. Organizations require at least one policy in place. A policy is viewed as a business mandate and is managed top-down. Examples of policies include email and encryption policies. They generally outline the:
- Security roles and responsibilities,
- Scope of information to be secured,
- Description of the required controls for securing information, and
- References to standards and guidelines that support the policies.

Standards: Standards comprise specific low-level mandatory controls, or controls related to the implementation of a specific technology, that are useful for enforcing and supporting policies and ensuring consistent business security. As noted earlier, this includes a password policy with password standards for password complexity, or an encryption policy with standards such as the Data Encryption Standard (DES), Advanced Encryption Standard (AES), and Rivest-Shamir-Adleman (RSA) algorithm.

Procedures, Practices, and Guidelines: Procedures or standard operating procedures (SOPs) comprise step-wise instructions useful for implementing the controls defined by multiple policies, standards, and guidelines, such as a procedure for secure Windows installation or a data encryption procedure, practices, and guidelines.
Guidelines comprise recommended but non-mandatory controls, as well as general statements, administrative instructions, or best practices useful for supporting standards or acting as a reference when no standards are in place. Guidelines and best practices are interchangeable. They are environment-dependent and must be reviewed more often than standards and policies. For example, a standard may state that a password should be eight characters or more, while a supporting guideline may state that it is also a best practice to follow password expiration and data encryption guidelines.

Why Organizations Need Compliance

Information security compliance should be a requirement rather than a choice for organizations, since the money, time, and effort invested in compliance is worth more than the cost of the risks. The advantages that regulatory framework compliance brings to an organization include:

- Improved Security: IT security regulations and standards improve the overall security of an organization by meeting baseline regulatory requirements. These baseline requirements ensure consistent data security.
- Minimized Losses: Improved security can prevent security breaches, which otherwise can lead to losses, repair costs, legal fees, or hefty fines.
- Maintenance of Trust: Data breaches cause companies to lose their reputation and the trust of their customers. Compliance makes customers trust an organization with the belief that their information is safe.
- Increased Control: An organization's security increases with increased controls such as preventing employees from committing mistakes, implementing strong credential and encryption systems, or monitoring outside threats.

Identifying Which Regulatory Framework to Comply With

An organization needs to assess itself to determine which regulatory framework applies to it best. An organization must perform a self-assessment to ascertain the regulatory frameworks that best apply to it. This compliance assessment involves identifying gaps between the existing control environment and an organization's requirements.
However, this is a challenging task, wherein an organization should fully understand its needs and functions in order to understand which controls suit its size and complexity. When assessing compliance, an organization must consider the following:

- Financial institution letters;
- National Institute of Standards and Technology (NIST) publications;
- Industry implementation guidance and recommendations, for example, international standards such as ISO 27002 or the NIST Framework for cybersecurity enhancement; and
- Cybercrimes, new exploits, and new trends, to ascertain the possibility of a large-scope breach.

For example, the following table shows different regulations and which organizations would be subject to the scope of the regulatory framework.

Table 5.1: Different Regulatory Frameworks and Organizations within the Scope of the Regulatory Framework
- Health Insurance Portability and Accountability Act (HIPAA): Any company or office that deals with healthcare data, including, but not limited to, doctor's offices, insurance companies, business associates, and employers
- Sarbanes-Oxley Act (SOX): U.S. public company boards, management, and public accounting firms
- Federal Information Security Management Act of 2002 (FISMA): All federal agencies must develop a method of protecting information systems
- Gramm-Leach-Bliley Act (GLBA): Companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance
- Payment Card Industry Data Security Standard (PCI-DSS): Companies handling credit card information
Deciding on How to Comply with a Regulatory Framework

- When an organization falls within the scope of a certain regulatory framework, it needs to correctly interpret the regulatory requirements in that framework to be complied with.
- Based on those regulatory requirements, an organization needs to establish policies, procedures, and security controls to manage and maintain compliance.

An organization needs to correctly interpret its regulatory requirements once it has confirmed its framework. Then, it must analyze and interpret the collected information to determine how that information is relevant to the organization's services. Next, discuss and sort out all of the organization's internal/external personnel's ambiguities, uncertainties, and problems faced during the interpretation of the identified compliance information. Assess and determine the order of the suitable compliance requirements, considering important implications and the risks of possible breaches.
Separate/group the compliance requirements that are perceived as, first, important and central; then, only important; and finally, pertinent but incidental for an organization's operations. Based on the regulatory requirements, an organization needs to establish proper policies, procedures, and security controls to organize its information security. For example, the following tables show some of the PCI-DSS regulatory requirements.

Table 5.2: PCI-DSS Requirements No 1.1.1 and 1.2.1
Regulatory requirements:
- PCI-DSS requirement no 1.1.1: "A formal process for approving and testing all network connections and changes to the firewall and router configurations."
- PCI-DSS requirement no 1.2.1: "Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic."
Policies, procedures, and controls to satisfy the requirements: Provision for detecting all unauthorized network connections to/from an organization's IT assets

Table 5.3: PCI-DSS Requirement No 1.1.6
Regulatory requirements:
- PCI-DSS requirement no 1.1.6: "Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure."
Policies, procedures, and controls to satisfy the requirements: Provision for looking for insecure protocols and services running on systems

Table 5.4: PCI-DSS Requirements No 1.3.1, 1.3.2, and 1.3.5
Regulatory requirements:
- PCI-DSS requirement no 1.3.1: "Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports."
- PCI-DSS requirement no 1.3.2: "Limit inbound Internet traffic to IP addresses within the DMZ."
- PCI-DSS requirement no 1.3.5: "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet."
Policies, procedures, and controls to satisfy the requirements: Provision for checking how traffic is flowing across the DMZ to/from the internal network

Table 5.5: PCI-DSS Requirements No 5.1 and 5.3
Regulatory requirements:
- PCI-DSS requirement no 5.1: "Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)."
- PCI-DSS requirement no 5.3: "Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period."
Policies, procedures, and controls to satisfy the requirements: Provision for detecting malware infection when anti-virus protection is disabled on the machines
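The "provision" column in Tables 5.2 through 5.5 states what a control has to detect; the following added Python example (it is not part of the EC-Council courseware) shows one way those provisions can be turned into repeatable checks over an asset and firewall-rule inventory. The subnets, host names, change-ticket identifiers, and the list of protocols treated as insecure are all constructed assumptions for the illustration.

```python
"""Illustrative compliance checks for the PCI-DSS provisions in Tables 5.2-5.5.
All sample data below is constructed; networks and hosts are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed address plan: cardholder data environment (CDE) and the DMZ.
CDE_NET = ip_network("10.10.0.0/24")
DMZ_NET = ip_network("192.0.2.0/24")

# Assumed list of services the organization's standard classes as insecure (Req 1.1.6).
INSECURE_SERVICES = {"telnet", "ftp", "http", "smbv1", "snmpv1"}


@dataclass
class Host:
    name: str
    ip: str
    services: set[str]
    av_running: bool
    av_exception_ticket: str | None = None  # management-approved, time-limited (Req 5.3)


@dataclass
class FlowRule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    action: str         # "allow" or "deny"
    ticket: str | None = None  # change-approval reference (Req 1.1.1)


def _net(cidr: str):
    return None if cidr == "any" else ip_network(cidr)


def check_insecure_services(hosts: list[Host]) -> list[tuple[str, str]]:
    """Req 1.1.6: every (host, service) pair running an insecure protocol."""
    return sorted((h.name, s) for h in hosts for s in sorted(h.services & INSECURE_SERVICES))


def check_rule_approval(rules: list[FlowRule]) -> list[int]:
    """Req 1.1.1: indexes of allow rules that carry no change-approval ticket."""
    return [i for i, r in enumerate(rules) if r.action == "allow" and not r.ticket]


def check_dmz_ingress(rules: list[FlowRule]) -> list[int]:
    """Req 1.3.2: allow rules from the Internet ('any') whose destination is outside the DMZ."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.src == "any"
            and (r.dst == "any" or not _net(r.dst).subnet_of(DMZ_NET))]


def check_cde_egress(rules: list[FlowRule]) -> list[int]:
    """Req 1.3.5: allow rules that let CDE addresses reach anywhere on the Internet."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.src != "any"
            and _net(r.src).subnet_of(CDE_NET) and r.dst == "any"]


def check_antivirus(hosts: list[Host]) -> list[str]:
    """Req 5.3: hosts whose anti-virus is not running and have no approved exception."""
    return [h.name for h in hosts if not h.av_running and h.av_exception_ticket is None]


def run_all(hosts: list[Host], rules: list[FlowRule]) -> dict[str, list]:
    """Map each requirement number from the tables to its findings."""
    return {
        "1.1.1": check_rule_approval(rules),
        "1.1.6": check_insecure_services(hosts),
        "1.3.2": check_dmz_ingress(rules),
        "1.3.5": check_cde_egress(rules),
        "5.3": check_antivirus(hosts),
    }


# Constructed sample inventory (not real systems).
SAMPLE_HOSTS = [
    Host("pos-01", "10.10.0.11", {"https"}, av_running=True),
    Host("db-01", "10.10.0.20", {"postgres", "telnet"}, av_running=True),
    Host("web-dmz-01", "192.0.2.10", {"https", "http"}, av_running=False),
    Host("lab-07", "10.10.0.77", {"https"}, av_running=False, av_exception_ticket="CHG-0042"),
]
SAMPLE_RULES = [
    FlowRule("any", "192.0.2.0/24", "allow", ticket="CHG-0001"),  # Internet -> DMZ, approved
    FlowRule("any", "10.10.0.20/32", "allow"),                    # Internet -> CDE host, no ticket
    FlowRule("10.10.0.0/24", "any", "allow", ticket="CHG-0007"),  # CDE -> Internet egress
    FlowRule("any", "any", "deny"),                               # default deny (Req 1.2.1)
]

if __name__ == "__main__":
    for req, findings in run_all(SAMPLE_HOSTS, SAMPLE_RULES).items():
        print(f"PCI-DSS {req}: {findings or 'no findings'}")
```

Each check returns its findings rather than just printing them, so the same functions can feed an audit report or a ticketing integration. The default-deny rule at the end of the sample rule set is what Requirement 1.2.1 asks for; the checks above only flag the allow rules that undermine it.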
Regulatory Frameworks, Laws, and Acts

Payment Card Industry Data Security Standard (PCI-DSS)

Source: https://www.pcisecuritystandards.org

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information.
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed and maintains a high-level overview of the PCI DSS requirements.

Table 5.6: PCI Data Security Standard, High-Level Overview
- Build and Maintain a Secure Network: Install and maintain a firewall configuration to protect cardholder data; Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data: Protect stored cardholder data; Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program: Use and regularly update anti-virus software or programs; Develop and maintain secure systems and applications
- Implement Strong Access Control Measures: Restrict access to cardholder data by business need to know; Assign a unique ID to each person with computer access; Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: Track and monitor all access to network resources and cardholder data; Regularly test security systems and processes
- Maintain an Information Security Policy: Maintain a policy that addresses information security for all personnel

Failure to meet PCI DSS requirements may result in fines or the termination of payment-card processing privileges.
Health Insurance Portability and Accountability Act (HIPAA)

HIPAA's Administrative Simplification Statute and Rules:
- Electronic Transaction and Code Set Standards: Requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers
- Security Rule: Specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the confidentiality, integrity, and availability of electronic protected health information
- Privacy Rule: Provides federal protections for the personal health information held by covered entities and gives patients an array of rights with respect to that information
- National Identifier Requirements
- Enforcement Rule