ITSEC101: Common Compliance Frameworks for Privacy and Security
Introduction
In this installment of ITSEC101, I have curated a list of common compliance frameworks that a defender will likely come across in their career.
This is just an introductory overview of the frameworks. Look for future articles in which I take a closer look at them. Note: I left the CIS Critical Security Controls off the list, as I have already provided an overview in a previous article and this article focuses more on compliance frameworks.
The National Institute of Standards and Technology (NIST) Special Publications (SPs)
The National Institute of Standards and Technology (NIST) is a US government agency (part of the Department of Commerce) that develops standards and guidelines for information and cyber security. Its documents are written for federal agencies, but they are made freely available to the public so that any organization can take advantage of them.
Their offerings are referred to as Special Publications (SPs), and cover a wide range of topics from general risk management guidance, to step-by-step instructions for addressing specific technologies.
There are two main series that apply to the various domains of IT security: the 800 series (computer security guidelines) and the 1800 series (the National Cybersecurity Center of Excellence practice guides, which show how to implement the 800-series guidance with real products). Other series are applicable, though they tend to be more specific in scope, such as the 500 series on information technology.
Here are some common SPs utilized by non-government entities:
SP 800-30: Guide for Conducting Risk Assessments
SP 800-37: The Risk Management Framework (RMF)
SP 800-53: Security and Privacy Controls for Information Systems and Organizations
SP 800-61: Incident Response Recommendations and Considerations for Cybersecurity Risk Management
SP 800-88: Guidelines for Media Sanitization
SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
SP 800-207: Zero Trust Architecture
(No SP #): The Cybersecurity Framework (CSF); version 2.0 is published as NIST CSWP 29 rather than as a Special Publication
SP 1800-31: Improving Enterprise Patching for General IT Systems
SP 1800-35: Implementing a Zero Trust Architecture
SP 1800-39: Implementing Data Classification Practices
ISO/IEC 27000
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) collaborate to provide globally recognized standards related to technology.
ISO has published more than 25,000 standards on everything from camera film speed (ISO 6) to technical drawing scales (ISO 5455) and even the exact method for brewing a cup of tea for sensory testing (ISO 3103)!
Together with IEC, ISO publishes the 27000 series of standards, which focus on information security, cyber security, and privacy protection. Unlike the NIST publications, the ISO/IEC standards are not free. Organizations purchase the standards and can then be audited by an accredited certification body to prove their compliance and their dedication to security. Note that certification is against ISO/IEC 27001 specifically; the other standards in the series are guidance that supports a 27001 program.
ISO/IEC 27001: This specifies the requirements for an Information Security Management System (ISMS), and is the standard organizations are certified against.
ISO/IEC 27002: This is the reference catalog of information security controls and implementation guidance, used when selecting the controls listed in 27001's Annex A.
ISO/IEC 27005: This focuses on risk management.
ISO/IEC 27017: This focuses on cloud security.
ISO/IEC 27018: This focuses on protecting personally identifiable information (PII) in cloud environments.
ISO/IEC 27032: This focuses on cybersecurity, specifically guidelines for Internet security in its 2023 revision.
ISO/IEC 27701: This extends 27001 and 27002 with the requirements for a Privacy Information Management System (PIMS).
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Security Standards Council (PCI SSC) is a collaboration of the major payment card brands, which developed the Payment Card Industry Data Security Standard (PCI DSS) to promote the global security of payment data.
The PCI DSS is not codified into law globally, or federally in the US, although some US states reference it in statute. Its enforcement primarily lies in the contracts between merchants, acquiring banks and payment processors. Any organization that accepts, stores, processes or transmits cardholder data must comply. This includes merchants, service providers, financial institutions and third-party vendors. The required validation (self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor) depends on the merchant or service-provider level, which each card brand defines by annual transaction volume.
There are 12 core requirements, each containing a number of sub-requirements; in total there are over 300 individual requirements and testing procedures.
The 12 core requirements are:
Install and Maintain Network Security Controls
Apply Secure Configurations to All System Components
Protect Stored Account Data
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Protect All Systems and Networks from Malicious Software
Develop and Maintain Secure Systems and Software
Restrict Access to System Components and Cardholder Data by Business Need to Know
Identify Users and Authenticate Access to System Components
Restrict Physical Access to Cardholder Data
Log and Monitor All Access to System Components and Cardholder Data
Test Security of Systems and Networks Regularly
Support Information Security with Organizational Policies and Programs
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a US law enacted in 1996 that, among other provisions, establishes national standards for the privacy and security of protected health information (PHI).
The HIPAA Security Rule is the part of HIPAA that focuses on the protection of electronic PHI (ePHI). It dictates safeguards to protect the confidentiality, integrity and availability of ePHI that is created, received, maintained, or transmitted by covered entities and their business associates. It is flexible and scalable, and does not prescribe the use of specific technologies. It is enforced by the Office for Civil Rights (OCR), part of the US Department of Health and Human Services (HHS).
There are three primary types of safeguards, with a number of standards in each: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Their names are a little misleading, because all three are ultimately satisfied through documented administrative controls (i.e. policies, procedures, standards and guidelines) that address various aspects of information security. Each standard is broken into implementation specifications that are either "required" or "addressable"; an addressable specification is not optional, but the entity may implement a documented, reasonable alternative if the specification itself is not appropriate for its environment.
HIPAA was further enhanced by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), signed into law in 2009, which strengthened the privacy and security provisions of the HIPAA Privacy and Security Rules, extended them directly to business associates, and introduced breach notification requirements.
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
The Cloud Security Alliance (CSA) is a global organization that focuses on promoting best practices for cloud computing. One of their offerings is the Cloud Controls Matrix (CCM). This framework is designed to address critical aspects of cloud computing.
The current version of the CCM is v4. It consists of 17 domains, with 197 total control objectives, and it is mapped to other common frameworks (such as ISO/IEC 27001 and NIST SP 800-53) so that one assessment can support several compliance efforts. As of v4, it has also been combined with the Consensus Assessment Initiative Questionnaire (CAIQ), the self-assessment questionnaire used to evaluate cloud providers.
The 17 domains are:
Audit & Assurance (A&A)
Application & Interface Security (AIS)
Business Continuity Management & Operational Resilience (BCR)
Change Control & Configuration Management (CCC)
Cryptography, Encryption & Key Management (CEK)
Datacenter Security (DCS)
Data Security & Privacy Lifecycle Management (DSP)
Governance, Risk Management & Compliance (GRC)
Human Resources Security (HRS)
Identity & Access Management (IAM)
Interoperability & Portability (IPY)
Infrastructure & Virtualization Security (IVS)
Logging & Monitoring (LOG)
Security Incident Management, E-Discovery & Cloud Forensics (SEF)
Supply Chain Management, Transparency & Accountability (STA)
Threat & Vulnerability Management (TVM)
Universal Endpoint Management (UEM)
Control Objectives for Information and Related Technologies (COBIT)
The Information Systems Audit and Control Association (ISACA) is a global organization dedicated to advancing IT governance, audit, risk and security. It provides training and certifications, and it developed the framework Control Objectives for Information and Related Technologies (COBIT).
COBIT focuses on aligning IT processes with business objectives. It is a holistic approach to enterprise-wide IT governance that ties governance to stakeholder needs, emphasizes treating interconnected systems as a single entity rather than isolated components, and separates governance processes from management processes. The latest version is COBIT 2019, which was revised to integrate more easily with other frameworks. It is primarily used for Governance, Risk and Compliance (GRC) activities. ISACA requires registration for access to its resources, and some publications require membership or payment.
COBIT 2019 organizes its 40 governance and management objectives into five domains: Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). The five components described in the earlier COBIT 4.1, which are still widely cited, are:
Framework
Process Descriptions
Control Objectives
Management Guidelines
Maturity Models
Service Organization Control (SOC)
The American Institute of Certified Public Accountants (AICPA) developed the System and Organization Controls (SOC) framework to help organizations demonstrate the effectiveness of their security programs and security controls through an independent audit.
SOC reports are generally used by service providers, especially those responsible for their customers' data, to prove the effectiveness of their security controls and their overall commitment to security best practices.
SOC 2 is based on the Trust Services Criteria, which the AICPA developed and aligned with the Committee of Sponsoring Organizations (COSO) Internal Control framework. The five criteria are Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is the only mandatory criterion; the others are included based on the services being offered.
There are three types of report generated after a SOC audit:
SOC 1: Controls relevant to a customer's internal control over financial reporting
SOC 2: Controls evaluated against the Trust Services Criteria, distributed under NDA to customers and prospects
SOC 3: A publicly available, high-level version of SOC 2
There are also two types of each report: Type 1 and Type 2. A Type 1 report evaluates whether controls are suitably designed and implemented at a specific point in time, whereas a Type 2 report also tests whether the controls operated effectively over a defined period (commonly six to twelve months). A Type 2 report will give a better idea of how well an organization performs in maintaining consistency of its security program.
General Data Protection Regulation (GDPR)
The European Union (EU) adopted the General Data Protection Regulation (GDPR) in 2016, and it became enforceable in May 2018, to protect the personal data and privacy of individuals. It applies to any organization, wherever it is located, that processes the personal data of people in the EU, regardless of their citizenship. Together with the earlier ePrivacy Directive, it is the driving force behind the cookie consent pop-ups on every website.
Some of its key features include:
Data Protection Principles
Rights of Individuals
Consent
Data Breach Notifications
Accountability
Fines
Federal Information Security Modernization Act (FISMA)
The Federal Information Security Modernization Act (FISMA) is a US law originally enacted in 2002 (as the Federal Information Security Management Act) and updated and renamed in 2014. It establishes a framework for protecting government information, operations and assets against cybersecurity threats. It is overseen by the Office of Management and Budget (OMB).
It requires federal agencies to develop, document and implement comprehensive information security programs to address the confidentiality, integrity and availability of their IT systems. They must also conduct annual system reviews and risk assessments, and perform ongoing vulnerability assessments. The NIST Federal Information Processing Standards (FIPS) and SP 800 series, in particular FIPS 199, FIPS 200 and SP 800-53, were developed to meet these requirements, which is why FISMA compliance is assessed against NIST controls.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a US government program established in 2011 to evaluate the security practices of cloud service providers that sell to federal agencies, and to ensure their compliance with a standardized set of requirements based on NIST SP 800-53. It is administered by the General Services Administration (GSA); authorizations were historically granted by the Joint Authorization Board (JAB), whose role has since passed to the FedRAMP Board, or by an individual sponsoring agency.
Its key features include:
Standardized Security
Authorization Process
Continuous Monitoring
Levels of Authorization (Low, Moderate and High impact, derived from the FIPS 199 impact categories)
Conclusion
There are many frameworks that can help organizations assess their current security programs, or build solid programs from the ground up. They can also be leveraged to prove an organization’s dedication and help foster trust with their customers, and the general public. Some of them are mandatory for organizations in specific sectors, such as government or financial, or for organizations that provide specific services, and can result in hefty penalties if compliance is not maintained. It is important for a defender to understand which mandatory regulatory frameworks apply to their organization, and which can offer additional benefit.
Daily Cuppa
Today’s cup of tea is Organic Green Tea provided by Newman’s Own. Certified organic, and full of refreshing flavor!
If you enjoyed this article or the site in general you can buy the author a cup of tea to show your support. He is also available for work.