CompTIA Security+ SY0-601 – 5.2 Regulations, standards, or frameworks that impact security

1. Regulations, standards, and legislation

In this video, I’m going to be talking about regulation standards and legislations that you may see appear on your exam. Now, there’s basically one law and a standard that I want to mention that your exam may test you on. You’re not going to go in depth into these laws, these two laws on a standard, but you want to make sure you know them. Let’s get into it. So the first thing that we want to mention is there is a law that is affecting the world right now called GDPR. Now. This really affects the European Union. So GDPR stands for the General Data Protection Regulation. So here’s what this is. This is a law that affects companies doing business in the European Union and all the countries that are affected by the EU. Or I should say within the EU.

Now, GDPR is known to be one of the biggest privacy law on the planet, one of the most restrictive, and one of the law that’s about to be replicated in many countries. In fact, California just implemented something that’s similar to it. Now, the GDPR, what is it for your exam? Realistically, all you need to know is that it deals with privacy, people’s personal information, what these big tech companies are doing with people’s information. Technically, it’s all you need to know about your exam. But let’s talk a little bit more about it. So these big tech companies and organizations and websites are keeping your data, tracking your data, and storing your data. So what this law is saying is that you know what you have to tell people, what they’re what you’re tracking.

You have to tell people what you’re going to be doing with the data. And you have to give people control of their data so they can go in and delete the data or opt not to have their data collected. You see this a lot on websites. You ever been to a website lately? And you got to always accept the cookie, something new that you’ve probably seen last couple of year or two. And the reason that’s GDPR at work this is organizations have to tell you that, you know what, we’re going to be storing your personal information, your browsing history. So we need to let you know that our cookie is doing this. GDPR has finds you a percentage of your global sales. If you’re not in compliance with it, you must have what’s known as a Data Protection Officer, somebody’s in charge of protecting the data within the organization.

Now, the other law I want to talk about is PCI, DSS or Payment card industry data security standard. So PCI, remember, is about credit cards. If you store credit cards, you fall under PCI compliance. Here’s what this is. Now, PCI is not a law. PCI is a standard that you must meet and be in compliance to. If not, your company can’t process credit cards. So here’s the scenario. You have organizations today storing people’s credit cards in their system so people can come back and buy stuff. Generally e commerce. You go to an ecommerce site and they tell you, okay, you’re at my website. Make an account, store your credit card, buy things, come back, log in, buy more stuff like Amazon would.

And now you fall on the PCI compliance because what the government is saying is that you know what you need to secure people’s credit card information, and the credit card processor is going to make sure that you’re in PCI compliance. This is going to be things like encrypting the credit card information. It’s going to be things like close on our ports and securing the edge parts of your network. In order to stay PCI compliant, you generally have PCI audits that are done and PCI scans. So every couple of weeks or a couple of months, you got to get these scans and audits done. The frequency of the scans in the audits, physical audits by auditors, and the electronic scans, these are scans you’re going to pay for. It depends on how many swipes or how many cards you’re doing.

So if you don’t fall on if you miss PCI compliance, the credit card processor may not allow you to process credit cards. Put your business in jeopardy. Now, these are two laws that is particularly called out on your exam. You want to make sure that you know them because they may show up on your test. The other one here is they’re going to have a variety of different laws that could affect your organization that’s nationally that’s within a specific territory or state law. And from a security perspective, it’s against the law to do business without following the law. Right? You can’t open a business and store information, process information, collect information without not knowing the local laws and regulations of the country that you’re in.

Many industries are highly regulated. For example, banking industries are regulated how to store data. They regulate what type of data they can collect. So our medical industries with HIPAA compliance, HIPAA, the Health Insurance Portability and Accountability Act, that law deals with storage of medical information here in the United States, in your country, if you’re not in the United States, may have different laws, and it’s within the organization’s own interests. For them. I shouldn’t say interest mandatory that they do that. They find the laws that pertain to them and make sure that they are in compliance to it.

2. Key frameworks

In this video I’m going to be covering a good variety of different frameworks that you may see appear on your exam. Now these frameworks are basically standards and different forms of certifications that your organization can get or follow to best manage information security. These are things I mostly cover in my more security management management courses. And as a security administrator or security technician, you want to make sure that you just know what they are. You want a high level overview of to know what they are so you can better understand them. Not to mention the exam may actually a few questions on them. We have a lot of them to cover. Let’s knock them out. So the first thing I want to mention is a great organization called the center for Internet Security.

Now by the way, there’s a lot of links in this document. I’m going to make sure I include the links in the description of this video. So we have a link here that goes to what is known as the center for Internet Security. Now this is a great place to go and check out all the latest and security news. They Talk first of all, it’s a nonprofit organization. There’s that GDPR thing we talked about in previous video. Always get agreed to the cookies. So right now they’re going to go through common security, best practices, common security tools, security threats. This is like the all in one place to go to learn about security, to just get security tools. It’s basically It security the entire thing in one giant website. And they promote finding security threads, eradicating threads, pushing of information security.

Notice started telling us the top threats last month and they basically go through a lot of things. I could spend all day on this website. You may want to check it out to help promote the world of information security. Now the other one here that we want to talk about is going to be something called the Risk Management Framework. This comes from NIST RMF. The NIST RMF the risk management framework. So we’re going to talk about risk management in another section. But the RMF gives you a set and here is the Risk Management framework. The RMF gives you what is known. You can see in this circle right here, it gives you a set of controls, a process to manage controls, to manage risk. You see, security is based on risk management.

Always remember this, you can’t buy a bicycle for $5 and spend $10 protecting it. You must do a risk assessment to understand the value of this asset, the threats to the asset, and then you have to understand what controls to protect the asset. So NIST came up with a framework to say, okay, when you’re doing risk assessments and select and implement the controls, this is the process to follow. So the process they have is the first thing you want to do when selecting controls to secure your systems. You want to categorize your system secret top secret confidence. You want to be able to categorize them. Then you want to select what controls applies to what system.

So maybe top secret systems are off the network. Secret systems are encrypted. And then when you select the controls, you got to implement those controls. Then you got to actually go in there and assess them. Once you implement them, you got to assess the controls to make sure they’re adequate for the protection of those assets. Once you say, okay, you know what, these controls are adequate. Now you can go in and authorize the system. Don’t authorize the system. If you have not assessed the control, then finally you’re going to monitor. So you authorize it, then you could monitor the controls and see if they’re consistently protecting the asset. And then you basically start it again to review your controls.

Why do we start it again? Because the world of security threats changes, the world of technology changes. There’s always going to be new threats, new data, new types of things out there that you’re going to have to consistently keep reassessing and selecting and implementing new controls to secure your data. For example, the type of firewalls we have today, the next generation firewalls we have today, couldn’t even be conceived about or taught about in the year 2000. So things change, and we got to keep changing our infrastructure to go with it. Okay, the next thing here we’re going to take a look at is a big one. This is the International Organizations for Standards, or ISO.

In particularly, our exam is going to access three different ISO standards. Now, before I get into it, I want to mention what are ISO standards? So ISO Standards, the International Organization for Standards, publishes a series of standards documents. And basically, if you’re able to meet these particular requirements in the documents, you can be certified in it. I’ll give you an example. ISO 27,001. That’s one you need to know for your exam. ISO 27,001 is going to be about implementing information security management systems. Now, ISO 27,002 is what’s known as code of practice. It’s about the controls used in ISO 27,000, more elaborated on the controls that was in the ISO 27,001.

Let me break this down for you. So I’m going to give you a good example. Amazon. Do you store your data in the Amazon cloud? You better say yes, because if you have an Amazon account, it’s in the Amazon cloud. Do you store your health data? Probably yes. Your health care provider probably uses some kind of cloud systems to store your medical records. So you got your medical records, you got your credit card, you got all the data you bought Netflix, all that stuff is in the cloud. So you have all this information in the cloud. The question would be, how secure is your data in the Amazon cloud? What assurance? External assurance, amazon is going to say, yeah, we are most secure in the world.

What external assurance do we have that Amazon is secure in our information? What external assurance do we have that Amazon has a good system to manage security controls and manage security in general? Well, let’s find out. So Amazon is ISO certified. So we can actually go and verify that. We can go here and say, you know what? AWS, is that certified? So let’s see. So here is Amazon certificate. Amazon is saying that, you know what, we are ISO 27,001 certified. That means that Ernest and Young, their accountant, has audited them and say that they are certified, that they have good information security management systems.

Now, how do you go about getting a certification? Well, Amazon is going to have to prove a lot of criteria. Amazon would have had to prove how they assess their systems, what type of controls they’re applying, and is it adequate and are they improving it, and are they constantly assessing for new threats out there a lot of criteria it takes to get this certification. So if you’re doing business with a company that is ISO certified, you have some kind of external assurance that, you know what, somebody went into that company and audit their company to see if they have good security controls, right? The next time you do business with a company, ask yourself, are they securing my data? If the ISO certified, you have some external assurance that they do have.

So, looking back at the exam objectives here, you could see that the 27,002 is really ISO 27,001 more expanded on. So ISO 27,001 is like, do you have this information security management system? ISO 27,001 is going to say, well, we’re going to use these controls. Now, the elaboration of those controls more in depth with those controls, that’s considered ISO 27,002. Now the other one is 27. 27. Seven one. This one is about having privacy information management system. Now, towards the end of this course, we’ll talk more about privacy, but if you have a good system to manage people’s private information, you’re going to have to show how you’re storing it, where you’re storing it, how is it encrypted, who has access to it, how are you preventing external access.

This is going to form a basis of a privacy information management system. If you want to get certified in this, it’s a 27 701. The other one here is 31,000. This is Risk management, the guidelines for implementing risk management. So some organizations are going to have amazing risk management systems in place. We’ll talk more about what are risk management systems in another section, but good risk management. The ability to identify your assets, to conduct a qualitative quantitative assessment, be able to respond to these risk adequately, being able to mitigate and accept and transfer the risk, and so on. We’re going to have to have good risk management procedures in order to get that certification.

Okay? The other one here we’re talking about is going to be more of an accountant thing, but you may be involved in it as part of it. So there is what is known as SSAE, the statements on standards for attestation engagement, SoC Two in particular, service and organizational controls. A lot of words there. These are really known as SoC audits. That’s what these are really known as. This is what you see them as, SoC Audit. So an SoC audit is done by your accountant, not by you, by your accountant firm that does your accounting. And basically what this does is now, I have a link here to explain more of it to you, but I’m going to explain it to you guys right now.

SoC one and SoC two. Now, SoC One, let me go back here. You guys can follow the link to get more information, but I’m going to tell you basically all you need to know for your exam. SoC Audits, which is service and organization controls, are done by your accounting company. Basically, they come in to audit your company. SoC One audits are generally done. SoC One is generally done, or I should say SoC One reports are reports for accounting controls. SoC One is basically saying that you’re following good accounting standards and you produce an accurate statements based on the accounting control. SoC Two is what your exam is talking about. SoC Two comes in a type One and a type Two.

SoC Two reports looks at the CIA, confidentiality, integrity and availability, privacy and security. So it’s looking at the It controls within your organization to make sure that you’re keeping your data confidential, you’re maintaining integrity, you have good availability controls. You’re managing your security and securing privacy of people’s information. This is more of an It type thing that they’re auditing to make sure your controls are good. And then they come in at type one, type two. So type one is at a particular date, and then type Two, I think, is over a period of time that the controls were adequate. I’ll show you guys a good example of this. So big businesses have to get audited, and they generally publish it.

Now, there is such a thing as an SoC Two report. SoC three. Let’s put AWS SoC report and we could see SoC compliance for AWS. And you notice that there is an SoC Two, which they’re going to look at security, availability, confidentiality report. But for this, you have to log into the Amazon and actually see it. SoC Three reports are basically available so we can go and take a look at it. So what this is going to do so Ernest and Young did the audit big accounting company to Amazon, and it said, in our opinion, the control over the Amazon systems was reasonably assured, and it really was secure. And so they’re pretty happy with what they saw.

Notice this one lasts about a six month period. When I was telling you guys, it basically goes over about a six month period when they’re evaluating the controls. Okay, the last thing here we’ll talk about is going to be Cloud Security Alliance. Now the Cloud Security Alliance is an organization that promotes cloud practices. They’re most famous for producing what’s known as guidance, cloud security guidance documents. That’s what they’re most famous where they make a document. Now if you take my cloud Security classes, it’s a document that I recommend reading. Review them gives you a lot of concepts on clouds and controls, but they do have some specific things. So one of them is the Cloud Control Matrix, and I have a link here for this.

Now the Cloud Control Matrix, this is a document that basically gives you and talks of 133 control objectives across 16 covering all of cloud technology. They’re basically going to be giving you some of the main controls that we need to know in order to secure a cloud and particularly 133 control objectives that should be done when working in the cloud. You can imagine how really good this is to use and study. I recommend this to my cloud security students when I’m teaching those classes. Also you have the reference architecture and this is going to be for the EA. This is how Cloud is basically how the cloud systems should be designed. So this one here is going to look at best practices to design in cloud systems. Okay, so quite a lot of stuff there.

I’m going to put some links into this video. You guys can review them if you need to. I did cover basically everything you need to know you don’t have follow the links if you don’t want to, if you want to order on more information, don’t forget if you work in this security, you will become exposed to this. For example, work in an organization. You’re going to see accountants doing SoC audit, working as a security administrator. You’re going to realize that that company is ISO certified or it’s not. When conducting risk assessment, you might look for some guidance and see, you know what, risk management framework. And one thing I can’t stress enough, go down this rabbit hole and take a look at the center for Internet Security.

Check out that website. The link is there and you can spend all day on this website. You’ve learned so much. They have so much education. Create a login, log into it, check it out, see what you learn from it. A lot of documents, a lot of threats, something you want to keep an eye on on a daily basis. Ask the security, the administrator.

3. Secure configuration guides

In this quick video, I’m going to be talking about benchmarks and secure configuration guides. So let’s get started. When you are configuring things such as your Web server, your operating system, your applications, your network infrastructure devices, you should follow good industry best practices, benchmarks when you compare it against other systems or ways things should be configured generally, good practices of best practices. You see in this section here, they’re talking about benchmarks or secure configuration guides. The best place to get good configuration guides, whether you’re configuring a particular Web server or an operative or an application or network device, is generally from the manufacturers themselves.

Also, you can use many different third party frameworks for this, and we talked about a few different frameworks, whether it’s following ISO standards, whether it’s far on the risk management framework, whether it’s far in certain regulatory laws and regulations. But the way you configure devices like a Web server is going to really be dependent on what type of Web server. Is it an old IBM WebSphere? Is it a Microsoft IIS? Is it an Apache web server? The way you would configure operating systems and how you update them and the best practices on that. Check your vendor, check your industry best practices for that.

And the method you configure them can even be dependent on the industry you’re in. Financial institutions and bankers may have different regulatory requirements. It requires different levels of encryption, encryption or different forms of configurations on your systems. So the best thing to do is you just can’t go out and configure a system, do some research, know what those best practices are. Sometimes even the vendor will tell you the best way to configure the systems. If not, look at your local laws and regulations or look around and find frameworks of best practices when it comes to configuring your systems.

• Category: Uncategorized