Secure applications and standards (Notes)
Balabit
https://www.balabit.com/: "Privileged Access Management". Mentions Security regulations and standards.
ISO 27001
- The ISO 27001 requirements set up a framework for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).
Clarify the connection between regulations, risk evaluations, and risk treatment procedures.
To learn more on the ISO 27001 download our [Balabit's] paper here.
PCI DSS: Payment Card Industry (PCI) Data Security Standard (DSS)
Organizations involved in payment card data management, including those that store, process, or transmit cardholder data, are required to implement the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
To learn more on how to secure cardholder data from unauthorized access, download our PCI-specific white paper here.
NY DFS Part 500 Cybersecurity Regulation
To counter the growing threat posed by cybercriminals, the New York Department of Financial Services (NY DFS) has started a new cybersecurity program. The Regulation establishes the minimum cybersecurity requirements for all financial services companies conducting business in New York State or under the jurisdiction of NY DFS.
Find out more on how to secure access to information systems and nonpublic information by managing your privileged users here.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) was issued by the EU Parliament on 14 April 2016. The regulation builds on the foundation laid down in Directive 95/46/EC but also features a set of additional requirements to protect the collected and processed personal data of EU citizens.
To learn more about complying with the GDPR, download our white paper here.
HIPAA
All healthcare providers involved in storing or transferring protected health information (PHI) or electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA).
To learn more on HIPAA download our paper here.
SOX (Sarbanes-Oxley Act)
No specific requirements for the IT industry.
ISAE 3402 (the former SAS 70).
Assurance Reports on Controls at a Service Organization. See http://isae3402.com/. SAS 70 is an auditing standard; SAS means "Statements on Auditing Standards" (see http://sas70.com). SAS 70 is designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The audit report (i.e. the service auditor's report) contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II). The audit report can be shared with the service organization's customers ("user organizations") and their respective auditors ("user auditors"). The service organization is responsible for describing the control objectives and control activities that would be of interest to user organizations and their respective user auditors.
Gramm-Leach-Bliley Act (GLBA).
Also known as the Financial Services Modernization Act of 1999. An Act to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, and other financial service providers, and for other purposes. It repealed part of the Glass-Steagall Act of 1933.
Basel II
Basel II, initially published in June 2004, was intended to amend international standards that controlled how much capital banks need to hold to guard against the financial and operational risks banks face.
GPG
Could be: Global Public Good or GNU Privacy Guard.
FISMA
Federal Information Security Modernization Act of 2014. It updates the Federal Government's cybersecurity practices by:
- Codifying Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems;
- Amending and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices; and
- Requiring OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."
NIST CSF
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) functions as a sum of best practices and procedure recommendations for protecting organizations' critical assets. It was influenced by regulations such as COBIT 5, NIST 800-53, ISO/IEC 27001:2013 and ISA 62443-2-1:2009. The purpose of the framework is to help organizations establish and achieve cybersecurity development goals.
To learn more on NIST CSF download our paper here.
OWASP
Open Web Application Security Project. Its stated mission: "to make software security visible, so that individuals and organizations are able to make informed decisions."
Uplevel
UPLEVEL applies advanced data science to aggregate and contextualize cybersecurity data from internal systems and external sources, extract meaningful insights and provide automation throughout the incident response lifecycle.
Terms:
- SIEM
  - (Pronounced: SIM). Security Information and Event Management. See [Wikipedia](https://en.wikipedia.org/wiki/Security_information_and_event_management). Capabilities:
    - Data Aggregation
      - Log management aggregates data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.
    - Correlation
      - Looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information. Correlation is typically a function of the Security Event Management portion of a full SIEM solution.
    - Alerting
      - The automated analysis of correlated events and production of alerts, to notify recipients of immediate issues. Alerting can be to a dashboard, or sent via third-party channels such as email.
    - Dashboards
      - Tools can take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.
    - Compliance
      - Applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.
    - Retention
      - Employing long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements. Long-term log data retention is critical in forensic investigations, as it is unlikely that discovery of a network breach will be at the time the breach occurs.
    - Forensic Analysis
      - The ability to search across logs on different nodes and time periods based on specific criteria. This mitigates having to aggregate log information in your head or having to search through thousands and thousands of logs.
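The aggregation, correlation and alerting capabilities listed above, shown as a small working pipeline. This is an added example, not code from the original notes or from any SIEM product; the log lines, host names, IP addresses, regexes and the two correlation rules are all constructed for illustration. It normalizes two different log formats (an sshd-style line and a web application line) from several nodes into one event schema, then links failed logins by source IP across nodes inside a time window and raises an alert when a threshold is crossed, escalating if a successful login from the same source follows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): three nodes, two log formats.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host1 sshd: Failed password for root from 203.0.113.5 port 50001",
    "2024-05-01T10:00:03 host1 sshd: Failed password for root from 203.0.113.5 port 50002",
    "2024-05-01T10:00:05 host2 sshd: Failed password for admin from 203.0.113.5 port 50003",
    "2024-05-01T10:00:07 host2 sshd: Failed password for admin from 203.0.113.5 port 50004",
    "2024-05-01T10:00:09 host1 sshd: Failed password for root from 203.0.113.5 port 50005",
    "2024-05-01T10:00:12 host1 sshd: Accepted password for root from 203.0.113.5 port 50006",
    "2024-05-01T10:00:15 webapp app: login_failed user=alice src=198.51.100.7",
    "2024-05-01T10:30:00 host1 sshd: Failed password for bob from 198.51.100.7 port 50007",
]

# One parser per source format (hypothetical formats, modelled on syslog-style lines).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)
APP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) app: login_(?P<outcome>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def normalize(line):
    """Data aggregation step: map heterogeneous lines to a single event schema."""
    for rx, source in ((SSHD_RE, "sshd"), (APP_RE, "webapp")):
        m = rx.match(line)
        if m:
            return {
                "ts": datetime.fromisoformat(m.group("ts")),
                "host": m.group("host"),
                "source": source,
                "user": m.group("user"),
                "src_ip": m.group("src"),
                "success": m.group("outcome").lower() in ("accepted", "ok"),
            }
    return None  # unparsed line; a production SIEM would count and report these too


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Correlation and alerting over the normalized event stream.

    Rule 1 (medium): `threshold` failed logins from one source IP within `window`,
    counted across all nodes and sources, fires once when the threshold is crossed.
    Rule 2 (high): a successful login from an IP that still has `threshold` or more
    failures inside the window.
    """
    alerts = []
    recent_failures = defaultdict(list)  # src_ip -> [(ts, host), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        window_start = ev["ts"] - window
        recent = [(t, h) for t, h in recent_failures[ip] if t >= window_start]
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append({
                    "severity": "high", "rule": "bruteforce_success", "src_ip": ip,
                    "user": ev["user"], "host": ev["host"], "ts": ev["ts"],
                })
        else:
            recent.append((ev["ts"], ev["host"]))
            if len(recent) == threshold:  # fire once on crossing, not on every later failure
                alerts.append({
                    "severity": "medium", "rule": "bruteforce_attempt", "src_ip": ip,
                    "failures": len(recent), "hosts": sorted({h for _, h in recent}),
                    "ts": ev["ts"],
                })
        recent_failures[ip] = recent
    return alerts


def run_pipeline(lines):
    """Aggregate, normalize and correlate; returns (events, alerts)."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run_pipeline(SAMPLE_LOGS)
    for alert in found:
        print(alert)
```

The first alert is only possible because the failures against host1 and host2 were linked on the shared `src_ip` attribute, which is the cross-node correlation the notes describe; the second alert shows why correlation has to keep state in a window rather than evaluate lines one at a time. The single failure from 198.51.100.7 half an hour later has aged out of the window and correctly produces nothing.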
Notes: How to use the perspector system for enhanced security?
- control the activities of users with universal permissions.
- monitor the administrative activities of outsourced systems.
- control file operations executed over encrypted channels (SSH, VPN, SSL/TLS, etc.).
- reliable log management.