# Module 22: Governance and Compliance

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### 22.1 Governance

---

#### 22.1.2 Governance

- **Definition**: IT security governance establishes who is authorized to make decisions about cybersecurity risks and ensures strategies align with business objectives and regulations.
- **Difference from IT Security Management**: Governance focuses on accountability and decision-making, while management implements controls to mitigate risks.

**Key Roles in Data Governance**:

- **Data Owner**: Ensures policy compliance, assigns information classification, and determines access criteria.
- **Data Controller**: Decides the purpose and methods of processing personal data.
- **Data Processor**: Processes personal data on behalf of the data controller.
- **Data Custodian**: Implements classification and security controls as per the data owner's rules.
- **Data Steward**: Ensures data meets business needs and regulatory requirements.
- **Data Protection Officer**: Oversees data protection strategy.

---

#### 22.1.3 Cybersecurity Policies

- **Definition**: A high-level document outlining an organization's cybersecurity vision, including goals, scope, and responsibilities.
- **Key Functions**:
  - Demonstrates commitment to security.
  - Sets behavior standards for processes, technology, and assets.
  - Ensures consistent system operations and hardware/software use.
  - Defines legal consequences for violations.
  - Provides senior management support to security teams.

**Types of Cybersecurity Policies**:

1. **Master Cybersecurity Policy**: Blueprint for an organization's cybersecurity program, serving as the strategic plan for implementing controls.
2. **System-Specific Policy**: Developed for specific devices or systems, focusing on standardization for approved applications, software, configurations, hardware, and hardening countermeasures.
3. **Issue-Specific Policy**: Addresses operational issues, circumstances, or conditions requiring detailed requirements and directions.

---

#### 22.1.4 Types of Security Policies

**Common Security-Related Policies**:

1. **Identification and Authentication Policy**: Specifies who can access resources and the verification procedures.
2. **Password Policy**: Defines minimum password requirements and update frequency.
3. **Acceptable Use Policy**: Establishes rules for accessing and using network resources, including violation consequences.
4. **Remote Access Policy**: Guides secure remote access to internal networks and resources.
5. **Network Maintenance Policy**: Details procedures for updating operating systems and applications.
6. **Incident Handling Policy**: Provides steps for reporting and responding to security incidents.
7. **Data Policy**: Rules for processing, storing, classifying, and handling data (e.g., confidential or public).
8. **Credential Policy**: Sets password composition rules (e.g., length, complexity).
9. **Organizational Policy**: Guides work processes, including change management and asset management policies.

>[!Warning]Recap
>IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization's business objectives and are compliant with regulations. Good data governance programs have a data owner, controller, processor, custodian, steward, and protection officer.
>
>A cybersecurity policy is a high-level document that outlines an organization's vision for cybersecurity, including its goals, needs, scope and responsibilities. High-level cybersecurity policies include: a primary policy, a system-specific policy, and an issue-specific policy. Specific security policies include: ID and authentication, password, acceptable use, network maintenance, incident handling, data, credential, and organizational.
>
>Guiding principles for human resources for cybersecurity governance include: background checks, onboarding/offboarding, clean desk, need to know, separation of duties, mandatory vacations, and job rotations.

### 22.2 The Ethics of Cybersecurity

---

#### 22.2.2 Ethics of a Cybersecurity Specialist

- **Definition**: Ethics helps cybersecurity specialists distinguish right from wrong, ensuring decisions align with legal and organizational standards.
- **Key Ethical Perspectives**:
  1. **Utilitarian Ethics**: Maximizes the greatest good for the greatest number; actions are judged by their consequences.
  2. **The Rights Approach**: Respects individuals' fundamental rights, including truth, privacy, and safety.
  3. **The Common Good Approach**: Focuses on benefiting the entire community by pursuing shared values and goals.

---

#### 22.2.3 The Ten Commandments of Computer Ethics

The Computer Ethics Institute created these principles:

1. Do not harm others using a computer.
2. Do not interfere with others' computer work.
3. Do not snoop in others' files.
4. Do not use a computer to steal.
5. Do not bear false witness using a computer.
6. Do not copy or use proprietary software without payment.
7. Do not use others' computer resources without authorization.
8. Do not appropriate others' intellectual output.
9. Consider the social consequences of your programs or systems.
10. Always respect and consider others when using computers.

---

#### 22.2.4 Exploring Cyber Ethics

Evaluate workplace scenarios using the **Ten Commandments of Computer Ethics** to determine whether actions are ethical or unethical.

---

#### 22.2.5 Cybercrime

- **Categories of Cybercrime**:
  1. **Computer-Targeted Crime**: Targets computers directly (e.g., malware, hacking, DoS attacks).
  2. **Computer-Assisted Crime**: Uses computers to commit crimes (e.g., fraud, theft).
  3. **Computer-Incidental Crime**: Stores information related to crimes (e.g., illegal downloads).
- Cybercrime is growing rapidly due to the availability of tools requiring minimal expertise.
- **Agencies Combating Cybercrime**:
  - FBI Internet Crime Complaint Center (IC3)
  - InfraGard
  - Software and Information Industry Association (SIIA)

---

#### 22.2.6 Cyber Laws

- **Statutory Law**: Enforces civil and criminal penalties for unauthorized computer access (e.g., Computer Fraud and Abuse Act).
- **Administrative Law**: Governs public bodies' actions, addressing intellectual property theft and fraud (e.g., FCC, FTC).
- **Common Law**: Establishes precedents and constitutional bases for computer security laws.

---

#### 22.2.7 Federal Information Security Management Act (FISMA)

- **Purpose**: Protects federal IT systems from cybercriminals.
- **Requirements**:
  - Risk assessments
  - Annual inventory of IT systems
  - Policies and procedures to reduce risk
  - Security awareness training
  - Testing and evaluation of controls
  - Incident response procedures
  - Continuity of operations plan

---

#### 22.2.8 Industry-Specific Laws

1. **Finance**: The Gramm-Leach-Bliley Act (GLBA) restricts sharing information with third parties and allows opt-out provisions for individuals.
2. **Corporate Accounting**: The Sarbanes-Oxley Act (SOX) sets financial and corporate accounting standards for publicly traded firms.
3. **Credit Card**: PCI DSS enforces contractual rules to protect cardholder data during transactions, with fines for non-compliance.
4. **Cryptography**: Import/export regulations ensure national security and prevent misuse of encryption technologies.
---

#### 22.2.9 Security Breach Notification Laws

- **Electronic Communications Privacy Act (ECPA)**: Protects electronic communications (e.g., email) from unauthorized access.
- **Computer Fraud and Abuse Act (CFAA)**: Criminalizes unauthorized computer access and trafficking of access credentials.

---

#### 22.2.10 Protecting Privacy

- **Privacy Act of 1974**: Regulates federal agencies' handling of personal data.
- **Freedom of Information Act (FOIA)**: Provides public access to government records, with exceptions.
- **Family Education Records and Privacy Act (FERPA)**: Governs access to students' educational records, transferring rights at age 18.
- **Children's Online Privacy Protection Act (COPPA)**: Requires parental consent for data collection from children under 13.
- **Children's Internet Protection Act (CIPA)**: Protects children under 17 from harmful online content.
- **Video Privacy Protection Act (VPPA)**: Limits sharing of rental histories; amended to allow user consent for sharing.
- **Health Insurance Portability and Accountability Act (HIPAA)**: Establishes safeguards for electronic health information.
- **California Senate Bill 1386**: Mandates disclosure of personal data breaches.
- **Privacy Policies**: Ensure organizational compliance with privacy laws.
- **Privacy Impact Assessment (PIA)**: Ensures proper handling of personally identifiable information (PII).

---

#### 22.2.11 International Laws

- **Convention on Cybercrime**: First international treaty addressing digital crimes (e.g., fraud, child pornography).
- **Electronic Privacy Information Center (EPIC)**: Promotes global privacy and open government policies.

>[!Warning]Recap
>As a cybersecurity specialist, you need to understand both the law and an organization's interests. The theory of utilitarian ethics is based on the principle that the consequence of an action is the most important factor in determining if the action is moral or not. The rights approach is guided by the principle which states that an individual has the right to make their own choices, which cannot be violated by another person's decision. The common good approach proposes that ethical actions are those that benefit the entire community.
>
>There are ten commandments of computer ethics. They generally cover the things you should not do with a computer: don't use a computer to harm others, interfere with other people's work, don't snoop in other people's files, don't use a computer to steal (including software and intellectual output) or lie, don't use other people's computer resources without permission and without compensation, do think about the consequences of the program you are creating, and always use a computer in ways that demonstrate respect for others.
>
>There are three categories of cybercrime: computer-targeted, computer-assisted, and computer-incidental. In the U.S., there are three primary sources of computer security laws and regulations: statutory law, administrative law, and common law. FISMA was created by the U.S. Congress to cover federal agencies' IT systems. Some industries also have specific laws about cybercrime: finance, corporate accounting, credit cards, and cryptography. Two security breach notification laws are ECPA and CFAA. Some US privacy laws include the Privacy Act of 1974, the FOIA, FERPA, COPPA, CIPA, VPPA, HIPAA, and PIA.
>
>International efforts to target cybercrime are growing. Ratified by 65 states, the Convention on Cybercrime is the first international treaty that is addressing internet and digital crimes, dealing particularly with copyright infringement, computer-related fraud, child pornography and violations of network security.

### 22.3 IT Security Management Framework

---

#### 22.3.1 The Twelve Domains of Cybersecurity

**ISO/IEC 27000 Series**: Best practices for information security management systems (ISMS) published by ISO and IEC. The framework defines twelve domains:

1. **Risk Assessment**: Evaluates quantitative and qualitative risks for specific threats.
2. **Security Policy**: Establishes rules on data access and behavior within the organization.
3. **Organization of Information Security**: Governance model for securing information.
4. **Asset Management**: Inventory and classification of organizational information assets.
5. **Human Resources Security**: Security measures for employee onboarding, movement, and exit.
6. **Physical and Environmental Security**: Protects physical facilities and information.
7. **Communications and Operations Management**: Oversees technical security controls for systems and networks.
8. **Information Systems Acquisition, Development, and Maintenance**: Embeds security in the lifecycle of information systems.
9. **Access Control**: Limits user access to networks, systems, applications, and data.
10. **Information Security Incident Management**: Anticipates and responds to breaches.
11. **Business Continuity Management**: Ensures critical operations resume post-disruption.
12. **Compliance**: Confirms adherence to information security policies, standards, and regulations.

**Note**: Unlike the OSI model, ISO 27000 uses domains instead of layers, with direct relationships between domains.

---

#### 22.3.2 Control Objectives and Controls

- **Control Objectives (ISO 27001)**: High-level requirements for an ISMS, serving as a checklist during audits. Achieving compliance provides assurance to partners.
- **Controls (ISO 27002)**: Guidelines to implement control objectives. Example:
  - **Objective**: Control network access.
  - **Control**: Enforce strong passwords with mixed characters.

---

#### 22.3.3 Controls as Guidelines

- Controls are not mandatory; they provide neutral guidance for meeting objectives. Organizations can choose appropriate methods to comply.

---

#### 22.3.4 Mapping to ISO 27002 Controls

- Common control objectives:
  1. Prevent unauthorized access: Implement user authentication.
  2. Address software vulnerabilities: Apply security patches promptly.
  3. Manage incidents effectively: Develop a response plan.
  4. Protect sensitive data: Encrypt data in transit and at rest.

---

#### 22.3.5 ISO 27000 and the CIA Triad

- **Statement of Applicability (SOA)**: Tailors ISO controls to prioritize:
  - **Confidentiality**: Protecting data access.
  - **Integrity**: Ensuring data accuracy.
  - **Availability**: Maintaining system uptime.

**Examples**:

- Google prioritizes Confidentiality and Availability.
- Amazon emphasizes Availability to support sales.

---

#### 22.3.6 States of Data

ISO controls address data in three states:

1. **In Process**: Ensures accuracy during use (responsibility of programmers).
2. **At Rest**: Protects stored data (handled by hardware specialists).
3. **In Transit**: Secures transmitted data (managed by network teams).

---

#### 22.3.7 Safeguards

- ISO controls align with three safeguard types:
  1. **People**: Training and awareness.
  2. **Technology**: Secure configurations and tools.
  3. **Policy**: Senior management's directives.

**Example**: A policy to protect incoming and outgoing data must be implemented by IT professionals, not management.

---

#### 22.3.8 National Cybersecurity Workforce Framework

Developed by NIST, this framework categorizes cybersecurity work into seven main roles:

1. **Operate and Maintain**: Ensures efficient IT system performance.
2. **Protect and Defend**: Analyzes and mitigates threats.
3. **Investigate**: Examines cyber events and attacks.
4. **Collect and Operate**: Conducts specialized operations.
5. **Analyze**: Reviews cybersecurity intelligence.
6. **Oversee and Govern**: Leads and manages cybersecurity efforts.
7. **Securely Provision**: Designs and builds secure IT systems.

---

#### 22.3.9 CIS Critical Security Controls

CIS offers a prioritized set of security measures:

1. **Basic Controls** (limited resources):
   - Hardware and software inventory
   - Vulnerability management
   - Secure configurations
   - Log analysis
2. **Foundational Controls** (moderate resources):
   - Malware defenses
   - Data recovery
   - Boundary defense
   - Account monitoring
3. **Organizational Controls** (significant resources):
   - Security training
   - Incident management
   - Penetration tests

---

#### 22.3.10 Cloud Controls Matrix (CCM)

- Developed by the Cloud Security Alliance (CSA), the CCM maps cloud security controls to industry standards.
- Features **197 control objectives** across **17 domains**, such as governance, risk management, and mobile security.
- Recognized as a cloud security assurance standard.

---

#### 22.3.11 Compliance Assurances

1. **Independent Audits**:
   - Type I: Confirms controls at a specific time.
   - Type II: Confirms controls over a six-month period.
2. **CMMC Certification**:
   - Verifies cybersecurity hygiene for organizations serving the U.S. Department of Defense.
   - Levels range from basic practices to advanced capabilities against threats.

>[!Warning]Recap
>The 12 Domains of Cybersecurity are: risk assessment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, information systems acquisition and development and maintenance, access control, information security incident management, business continuity management, and compliance.
>
>Control objectives define the high-level requirements for implementing a comprehensive information security management system within an organization. Controls show how to accomplish an organization's control objectives. They establish guidelines for implementing, maintaining, and improving the management of information security in an organization. ISO 27000 is a universal framework that is applicable to every type of organization. An organization must identify which domains, control objectives and controls apply to its environment and operations. Most organizations create an SOA to tailor the available control objectives and controls to best meet their priorities around confidentiality, integrity and availability. The ISO controls specifically address security objectives for data in process, at rest (in storage) and in transit.
>
>NIST created the National Cybersecurity Workforce Framework to support organizations seeking cybersecurity professionals. CIS developed a set of critical security controls (basic, foundational, and organizational) to help organizations with different levels of resources and expertise at their disposal to improve their cyber defenses. The CSA provides security guidance to any organization that uses cloud computing or wants to assess the overall security risk of a cloud provider. Their Cloud Controls Matrix (CCM) maps cloud-specific security controls to leading standards, best practices and regulations. The CSA CCM is considered a de facto standard for cloud security assurance and compliance.
>
>Service providers must assure their client organizations that the security controls they implement are properly designed and operate effectively. An attestation report (SSAE or SOC) will confirm that controls are in place at a specific point in time (Type I) or managed over a period of at least six months (Type II). The CMMC establishes five certification levels that range from 'basic cyber hygiene practices' to 'enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.'