Standards and Regulations
ISO Standards
Too many numbers! These are all the ISO documents I have found within the test-relevant parts of the (ISC)2 material. I mark in yellow those that will appear the most, and in grey those you are unlikely to need to recognize by number (but know the concept!); no color means medium likelihood.
- 15288 — Systems and software engineering, system life cycle processes. NIST SP 800-160 builds on it to engineer security into systems from the start, including ICS / PLC / SCADA and IoT devices.
- 15408 — Common Criteria
- 17789 — Cloud Computing Architecture, defines "What is 'cloud'?"
- 19086-1 — Cloud SLA framework and concepts
- 19086-2 — SLA metric model
- 19086-3 — SLA core conformance requirements
- 19941 — Cloud interoperability and portability
- 19944 — Data flow across devices and cloud services
- 20000 — SMS — Information Technology Service Management System
- 20933 — DAPS — Distributed application platforms and services
- 22237 — 7-part series on physical environment
- 27001 — Standard to which to certify
- 27002 — Best practice guidelines (how to do 27001)
- 27005 — Information security risk management
- 27014 — Governance of Information Security (make it consistent and standardized, measurable, comprehensive, and modular)
- 27017 — Security guidelines, controls for cloud
- 27018 — PII for cloud
- 27034 — Application security, ONF or Organizational Normative Framework, and ANF or Application Normative Framework
- 27036 — Supply-chain security.
- 27050 — Electronic discovery (eDiscovery). The digital forensics series proper is 27037 (identification, collection, acquisition and preservation of evidence), 27041 (assurance of investigative methods), 27042 (analysis and interpretation) and 27043 (investigation principles and processes).
- 28000 — Supply chain security management systems (and the rest of the 2800x series)
- 31000 — Risk management guidelines: principles and a generic process, not a catalog of controls
U.S. Government requirements and documents
FISMA says U.S. Government agencies must come up with security plans; the NIST documents say how.
FedRAMP is about U.S. Government use of cloud technology: a standardized authorization, built on the SP 800-53 controls, that a cloud provider obtains once and that agencies then reuse.
FIPS 140-2 specifies security requirements for cryptographic modules, software and hardware, including which algorithms are approved inside them.
- Run by NIST, as the Cryptographic Module Validation Program (jointly with Canada's CSE)
- Tested by accredited labs
- Vendors pay for testing
Four levels of increasing security, roughly:
- FIPS 140-2 Level 1 = correct implementation of approved algorithms, no physical security requirements
- FIPS 140-2 Level 2 = tamper-evident (seals, coatings) plus role-based authentication
- FIPS 140-2 Level 3 = tamper-resistant, zeroizes keys when the enclosure is opened, identity-based authentication
- FIPS 140-2 Level 4 = detects and responds to any penetration of the enclosure with automatic zeroizing, plus protection against voltage and temperature attacks; strongly tamper-resistant even against a sophisticated lab environment
Caveat for the real world: FIPS 140-3 has superseded 140-2. New 140-2 testing ended in September 2021, and existing 140-2 certificates stay on the validated list only until they sunset in September 2026.
NIST special publications. Again, yellow is more likely to appear, uncolored is medium likelihood:
- SP 800-37 — RMF = Risk Management Framework: how to apply the 800-53 controls, with a 6-step process, CSIAAM: Categorize, Select, Implement, Assess, Authorize, Monitor. (Revision 2 put a preparatory Prepare step in front of these, making seven.)
- SP 800-39 — "Managing Information Security Risk": the RMF overview, how to manage risk at the organization, mission/business process and information system tiers.
- SP 800-53 — "Security and Privacy Controls for Federal Information Systems and Organizations": a catalog of security controls, applied to all U.S. federal government information and IT systems.
- SP 800-64 — "Security Considerations in the System Development Life Cycle" (SDLC = System Development Life Cycle, not software design). Withdrawn in 2019 in favor of SP 800-160.
- SP 800-82 — Guide to ICS (Industrial Control Systems) security.
- SP 800-145 — "The NIST Definition of Cloud Computing": defines "cloud" and associated terms (five essential characteristics, three service models, four deployment models).
- SP 800-160 — Systems Security Engineering: building security into a system across its whole life cycle, built on ISO/IEC 15288. It is the basis for engineering secure IoT and ICS, but is not limited to them.
Seen in some training / review material, unlikely to be on test (because there aren't yet cloud service providers with data centers in Iran or Syria or DPRK):
- ITAR = International Traffic in Arms Regulations — military items
- EAR = Export Administration Regulations — for "dual use" items like crypto
- Wassenaar Arrangement = international export agreements not to export weapons or dual-use technologies to certain countries
SOC = Service Organization Control reports (formerly SAS 70, now produced under SSAE) = auditing reports.
Type 1 — Auditor's opinion on the accuracy and completeness of management's description of the system, plus the suitability of the system's design, as of a point in time.
Type 2 — Type 1 plus an audit of the operating effectiveness of those controls over a declared period, usually 6 or 12 months.
SOC 1 — Report on controls relevant to financial reporting, for financial auditors and investors.
SOC 2 — Report on the Trust Services Criteria, for IT staff, regulators, and business partners; restricted distribution, usually under NDA.
SOC 3 — A pass/fail summary of SOC 2, brochure-type content for current or potential customers; general distribution.
Intended recipients of SOC 2 should have sufficient knowledge to use the details. The report addresses any of the five Trust Services Criteria; Security is in scope for every SOC 2, the other four only if the organization chooses them:
- Security (the common criteria; mostly access control)
- Availability
- Processing Integrity (is it complete, accurate, timely, authorized)
- Confidentiality
- Privacy
SSAE = Statement on Standards for Attestation Engagements. It's an auditing standard for service organizations. It was SSAE 16; since May 2017 it's SSAE 18.
Common Criteria
More on CC & EAL
CC = Common Criteria (ISO/IEC 15408). Evaluation Assurance Levels run from EAL1 (just functionally tested) up to EAL7 (formally verified design and tested). Most commercial offerings are EAL4 or EAL4+. Trusted Solaris was EAL4+. The INTEGRITY-178B real-time operating system used in some U.S. military aircraft has been certified EAL6+, the highest for a general-purpose operating system; only a handful of small single-purpose products, such as data diodes, have reached EAL7. The caveat a practitioner needs: the EAL measures how rigorously the product was evaluated against its own Security Target, not how much security it provides. An EAL4 product whose Security Target claims very little is not "more secure" than an EAL2 product that claims much more.
National and International Laws for P&DP or Privacy and Data Protection
- OECD — Organization for Economic Cooperation and Development — Privacy and Security Guidelines — aims to globally protect privacy through a practical, risk-management-based approach. Data handling should follow these eight principles:
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Accountability
- APEC — Asia-Pacific Economic Cooperation — Privacy Framework — Ensure free flow of information and open conduct of business within the region, while protecting privacy (but not as stringently as EU)
- EU — GDPR — General Data Protection Regulation — replaced Directive 95/46/EC (in force since May 2018) and added or strengthened:
- Consent
- Transfers abroad
- The right to be forgotten
- Establishing the role of the data protection officer
- Access requests
- Home state regulation (the one-stop-shop lead supervisory authority)
- Increased sanctions (up to 4% of worldwide annual turnover or 20 million euros)
- Countries the EU has recognized as having adequate protection, so data may flow there without extra safeguards:
- Argentina
- Australia — Privacy Act 1988, since 2014 the Australian Privacy Principles (no formal EU adequacy decision, but comparable law)
- New Zealand
- EFTA — Switzerland has an adequacy decision; Norway, Iceland and Liechtenstein are in the EEA and apply the GDPR directly
- Japan
- Canada — PIPEDA
- And more recent additions, probably less prominent in the question pool:
- Andorra
- Israel
- Uruguay
- If they say "international", assume that EU citizens will be at least some of the data subjects.
- They won't make you guess whether Estonia and Albania are in the EU now (yes, no); specific countries named in questions will be obviously in (France, Belgium) or out (Egypt, Chile).
- U.S. — no single federal law; privacy is recognized differently in certain states and in certain circumstances.
- HIPAA — Health Insurance Portability and Accountability Act — Dept Health & Human Services
- GLBA — Gramm-Leach-Bliley Act, a.k.a. Financial Modernization Act of 1999, enforced by the FTC and the federal financial regulators (FDIC, OCC, Federal Reserve, and so on), for financial institutions, has 3 sections:
- Financial Privacy Rule — regulates collection and disclosure of private financial information
- Safeguards Rule — requires financial institutions to implement a written information security program
- Pretexting Provisions — prohibit accessing private information using false pretenses
- SOX — SarBox — Sarbanes-Oxley Act of 2002 — created in response to the Enron and WorldCom accounting scandals, for publicly-traded companies; section 404 (internal controls over financial reporting) is what drives the IT controls and audit work
- FERPA — Family Educational Rights and Privacy Act, protects student education records (including adults in college); once the student turns 18 or enters college, parents can't get the records without the student's consent
- COPPA — Children's Online Privacy Protection Act of 1998, covers children under 13
- EU-U.S. Privacy Shield existed, but the Court of Justice of the EU invalidated it in July 2020 (Schrems II), as it had invalidated Safe Harbor in 2015; the EU-U.S. Data Privacy Framework replaced it in July 2023. Model contracts (Standard Contractual Clauses) are the usual solution regardless.
Industry Regulations
PCI DSS
- Merchant levels 1 (top) down to 4
- Based on annual number of transactions; the thresholds are set per card brand, with Level 1 at more than 6 million a year
- Never store sensitive authentication data after authorization: CVV/CVC, full magnetic stripe or chip data, or the PIN block, not even encrypted
- Render the PAN unreadable wherever it is stored (truncation, tokenization, or strong cryptography with proper key management) and encrypt it in transit over open, public networks
There's far more detail but the above should be enough. Simplified version of merchant levels and auditing, enough to know if this less likely question topic appears:
- 1 (top): annual on-site assessment by a QSA (Qualified Security Assessor), producing a Report on Compliance
- 2: annual Self-Assessment Questionnaire; some brands require it to be completed by a QSA or by a trained Internal Security Assessor from your own organization
- 3: annual Self-Assessment Questionnaire
- 4 (entry): annual Self-Assessment Questionnaire
- All levels: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
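The two storage rules above in working code, as an added example that is not part of the original notes or of any PCI document: validate the PAN, replace it with a random token, keep only a masked form, and use the CVV for the authorization call without ever persisting it. The in-memory vault, the `authorize` callable and the `tok_` token prefix are assumptions standing in for a real tokenization service and payment processor; the card number is the standard Visa test number, not a real card.

```python
"""PAN handling sketch: validate, tokenize, mask, and never persist the CVV.

Assumptions (not from the notes): the vault is an in-memory dictionary
standing in for a real tokenization service that would live in its own
cardholder data environment and encrypt PANs at rest; `authorize` is a
hypothetical stand-in for the payment processor's API.
"""
import secrets
from dataclasses import dataclass
from typing import Callable


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check every PAN must pass (a format check, not a fraud check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in tokenization service: random tokens mapped to PANs.

    A token carries no information about the PAN, so a stolen application
    database yields nothing; only the vault itself would be in PCI scope.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)   # 192 random bits
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant application is allowed to keep. There is no cvv field."""
    token: str
    masked_pan: str
    expiry: str


def capture_card(vault: TokenVault, pan: str, expiry: str, cvv: str,
                 authorize: Callable[[str, str, str], bool]) -> StoredCard:
    """Run the authorization with the CVV, then keep only token + masked PAN.

    The CVV is handed to the processor and goes out of scope here; nothing
    below this function can write it anywhere.
    """
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    if not authorize(pan, expiry, cvv):
        raise PermissionError("authorization declined")
    return StoredCard(token=vault.tokenize(pan),
                      masked_pan=mask_pan(pan), expiry=expiry)


def demo() -> StoredCard:
    """Constructed input: the well-known Visa test number, not a real card."""
    vault = TokenVault()
    return capture_card(vault, "4111111111111111", "12/29", "123",
                        authorize=lambda pan, exp, cvv: cvv == "123")


if __name__ == "__main__":
    print(demo())   # the record holds a token and "411111******1111", no CVV
```

The point of the frozen dataclass is that the schema itself cannot carry the CVV; a reviewer can verify the rule by reading the type rather than auditing every write path.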
Highly Regulated Industries
They have their own specialized compliance regulations. For example, NERC, the North American Electric Reliability Corporation, whose CIP (Critical Infrastructure Protection) standards apply to operators of the bulk electric system.
CSA Cloud Security Alliance
STAR — Security, Trust, Assurance and Risk registry (originally Security, Trust and Assurance Registry)
- Level 1, Self-Assessment — the provider publishes its own CAIQ answers
- Level 2, third-party assessment — STAR Certification is an ISO 27001 audit extended with the CSA CCM (Cloud Controls Matrix); STAR Attestation is a SOC 2 engagement extended with the CCM
- Level 3, Continuous Monitoring — publish results related to ongoing security monitoring, based on the Cloud Trust Protocol
CCM — Cloud Controls Matrix
- Inventory of cloud security controls arranged into separate domains
- Cross-referenced to other frameworks such as COBIT, ISO, NIST
CAIQ — Consensus Assessments Initiative Questionnaire — self-assessment done by cloud providers
Not on the exam, but... I am personally very skeptical of the CSA material. Definitely memorize the above for the exam. But in the real world, I think that Texas Health and Human Services has really done this right.
Contracting with HHS
HHS Information Security Controls
ENISA — European Network and Information Security Agency (renamed the European Union Agency for Cybersecurity in 2019, keeping the ENISA acronym)
Its 2009 report "Cloud Computing: Benefits, Risks, and Recommendations for Information Security" lists the top eight security risks; oddly, it doesn't mention availability. Less likely to appear.
- Loss of governance
- Lock-in
- Isolation failure
- Compliance risk
- Management interface failure
- Data protection
- Malicious insider
- Insecure or incomplete data deletion
GAPP — Generally Accepted Privacy Principles
AICPA (American Institute of Certified Public Accountants) standard for privacy; it describes 10 principles broken down into 74 (!) criteria. The SOC 2 Privacy criteria grew out of it.
CSA Enterprise Architecture:
These are some other quasi-official lists you might need to know.
- SABSA (Sherwood Applied Business Security Architecture) has these frameworks:
- Business Requirements Engineering Framework
- Engineering Framework
- Risk and Opportunity Management Framework
- Policy Architecture Framework
- Security Services-Oriented Architecture Framework
- Governance Framework
- Security Domain Framework
- Through-Life Security Service Management and Performance Management Framework
- ITIL (Information Technology Infrastructure Library) has these volumes:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
- TOGAF (The Open Group Architecture Framework) contributes these services:
- Presentation Services
- Application Services
- Information Services
- Infrastructure Services
- Jericho / Open Group has its rather silly Jericho Forum Cloud Cube Model. Ooh, look, you can divide things into two categories along three axes (internal/external, proprietary/open, perimeterised/de-perimeterised), with insourced/outsourced as a fourth overlay. Knowing "Jericho = Cube" is plenty.