Study Guide: CompTIA Security SY0-601 Exam: Regulations, Standards, and Frameworks
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-regulations-standards-and-frameworks

CompTIA Security SY0-601 Exam: Regulations, Standards, and Frameworks

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.

Topics:
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST)
- NIST Cybersecurity Framework (CSF)
- NIST Risk Management Framework (RMF)
- International Organization for Standardization (ISO)
- Cloud Security Alliance (CSA)

Industry-Standard Frameworks and Reference Architectures
The security architecture of an organization is based on some type of security framework. If an organization is bound by regulations, it must base its security architecture on these regulations. An organization that is multinational or that does business in another country could be subject to additional restrictions, based on regulatory compliance in that country.
When designing an organizational security architecture, in addition to regulations, the components taken into consideration include standards, frameworks, and guides. Standards describe specific mandatory controls based on policies. Guides, or guidelines, provide recommendations or good practices. A framework generally includes more components than a guide and is used as a basis for the implementation and management of security controls.

Regulatory and Non-regulatory Requirements
Regulatory requirements are created by government agencies and are mandated by law. Regulation can exist on an international, national, or local level. Noncompliance with regulatory requirements can result in serious consequences for organizations, including financial implications such as fines or negative effects on stock values and investor relations.

Examples of regulatory requirements for U.S. organizations include the following:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets national standards for protecting health information.
- The Gramm–Leach–Bliley Act (GLBA) establishes privacy rules for the financial industry.
- The Payment Card Industry Data Security Standard (PCI DSS) is designed to reduce fraud and protect customer credit card information.
- The Sarbanes–Oxley Act (SOX) governs financial and accounting disclosure information.

The preceding list provides common requirements for U.S. organizations; however, multinational organizations are generally required to comply with both national and international regulations. The General Data Protection Regulation (GDPR) is a European Union (EU) law for data protection and privacy that many U.S. organizations comply with.
Non-regulatory requirements are developed by agencies that develop technology, metrics, and standards for the betterment of the science and technology industry. The National Institute of Standards and Technology (NIST) is an example of a U.S. non-regulatory organization. The European Union Agency for Network and Information Security (ENISA) is a similar organization that focuses on information security expertise for the EU.
Many non-regulatory bodies assist organizations by offering guidance in implementing legislation and improving the overall security of critical information infrastructure and networks.

Industry-Specific Frameworks
A framework provides a foundation to strengthen an organization’s security posture and guide regulation compliance. Organizations use frameworks to ensure legal compliance, demonstrate security posture, and reduce liability. An organization’s decision to use a particular framework might depend on the industry, the organization’s location, or the organization’s size. Common security frameworks include the following:
- ISO/IEC 27002, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), provides best-practice recommendations on information security management.
- ISO/IEC 27001 is a standard for information security management against which organizations may be certified if they meet its requirements.
- ISO/IEC 27701 extends ISO/IEC 27001 with privacy requirements so that organizations can establish and maintain an information management system specific to privacy.
- ISO/IEC 31000 provides a framework for the risk management process.
- A Service Organization Control (SOC) 2 audit results in a report, issued to the service provider, that attests to its practices around confidentiality, integrity, availability, and privacy. Organizations that do business with security service providers, including cloud service providers, should ensure that each such vendor has a SOC 2 report; the report is the mechanism by which a vendor communicates its controls externally.
- The National Institute of Standards and Technology (NIST) is a U.S. government–based entity that provides a cybersecurity framework for government and various industries.
- Control Objectives for Information and Related Technology (COBIT) is a set of best practices for IT management.
- The Committee of Sponsoring Organizations (COSO) of the Treadway Commission is a widely accepted control framework for enterprise governance and risk management.
- The Health Information Trust Alliance Common Security Framework (HITRUST CSF) is a security framework developed specifically for healthcare information.
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides foundational security guidance for cloud vendors and helps customers with assessment of cloud service providers.

The SOC 2 report helps organizations such as cloud service providers provide assurance of their controls to existing and prospective customers.
Other frameworks are industry specific. For example, the U.S. Department of Energy’s Sandia National Laboratories is responsible for providing the framework for supervisory control and data acquisition (SCADA) security policy that is specific to SCADA systems. On the international front, the G7 finance ministers and central bank governors issued a set of fundamental elements of cybersecurity for the financial sector. This guidance was produced to help banks improve cybersecurity and promote the consistency of cybersecurity approaches among G7 partners. U.S. federal agencies are required to follow the NIST Risk Management Framework (RMF). NIST recently introduced the NIST Cybersecurity Framework (CSF), which resulted from a collaboration between the government and the private sector.

Of course, organizations have different regulatory compliance goals, so choosing the correct framework is important to the overall security posture of an organization. Some general observations about frameworks follow:
- ISO/IEC 27002 can be used for any industry but tends to be used by cloud providers that want to validate active security programs.
- NIST is specific to U.S. government agencies but can be and is often applied in just about any other industry.
- COBIT is most commonly used to attain compliance with the Sarbanes–Oxley Act (SOX).

Many other frameworks serve different industries.

For example, educational institutions might choose Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE was developed by Carnegie Mellon University’s Computer Emergency Response Team (CERT) and takes a strategic approach to information security.
The choice of framework depends on many factors. Not using any framework leads to a haphazard approach to managing risk and reducing vulnerabilities.

Benchmarks and Secure Configuration Guides
Benchmarking typically determines how much of a load a system, device, or server can handle by comparing two or more systems or components of a system.
The most common use of a benchmark is to measure performance. Applying that concept to security is the principle behind security benchmarks and secure configuration guides. Perhaps the most widely used resource for benchmarks is the Center for Internet Security (CIS). CIS is the main provider of more than 100 configuration guides and comprehensive checklists for various platforms that help organizations mitigate security vulnerabilities.
Benchmarks and guides are useful because of how they are built: they are based on use cases in which security is paramount, and they take the performance of the technology into account. CIS benchmarks and secure configuration guides reflect international best practice and are endorsed by industry vendors and governing bodies.

Platform- and Vendor-Specific Guides
CIS benchmarks provide guidance on creating a secure configuration posture for an organization. Each CIS benchmark undergoes two phases of consensus review by subject matter experts and allows for feedback from the community.

Some of the benchmark categories follow:
- Desktops and web browsers
- Mobile devices
- Network devices
- Security metrics
- Servers
- Operating systems
- Virtualization platforms and cloud

In addition to the CIS benchmarks, many vendors provide platform- and product-specific guides that cover web and application servers, operating systems, and network infrastructure devices. For example, the Microsoft Security Response Center (MSRC) provides prescriptive guidance, and Cisco provides a wide library of documents and best practices on securing Cisco devices. In addition, NIST produces specific guides and documents such as Guidelines on Securing Public Web Servers.
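To make concrete what a benchmark-style configuration check does in practice, here is an added Python example (not code from Fatskills or from CIS). It parses a constructed key/value configuration, compares it against a constructed checklist in the spirit of a CIS benchmark, and reports each item's pass/fail status and an overall compliance score; the checklist items, keys and sample configuration are invented for this illustration and do not correspond to any published benchmark.

```python
"""Toy baseline checker in the style of a CIS benchmark audit. Checklist
items, keys and the sample config are constructed, not from a real benchmark."""
import re

# Constructed checklist: (check id, config key, expected value, rationale)
BASELINE = [
    ("1.1", "permit_root_login", "no", "remote root logins disabled"),
    ("1.2", "password_auth", "no", "key-based authentication only"),
    ("1.3", "max_auth_tries", "4", "limit brute-force attempts"),
    ("1.4", "log_level", "info", "sufficient logging for audit"),
]

# Constructed sample configuration (comments and blank lines included)
SAMPLE_CONFIG = """
permit_root_login yes
password_auth no
max_auth_tries 4
# log_level is not set, so the daemon default applies
"""

def parse_config(text):
    """Parse 'key value' lines into a dict; comments and blanks are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def evaluate(settings, baseline=BASELINE):
    """One result per checklist item. A missing key is a FAIL: an unset
    control falls back to a default that cannot be attested."""
    results = []
    for check_id, key, expected, rationale in baseline:
        observed = settings.get(key)
        ok = observed is not None and observed.lower() == expected
        results.append({"id": check_id, "status": "PASS" if ok else "FAIL",
                        "observed": observed, "why": rationale})
    return results

def compliance_score(results):
    """Percentage of checklist items that passed, to one decimal place."""
    passed = sum(1 for r in results if r["status"] == "PASS")
    return round(100.0 * passed / len(results), 1) if results else 0.0

if __name__ == "__main__":
    for r in evaluate(parse_config(SAMPLE_CONFIG)):
        print(f"{r['id']:>4} {r['status']} observed={r['observed']!r}: {r['why']}")
```

Running it against the sample configuration reports two failures (root login still permitted and the logging level left at its default), which is the kind of deviation a real benchmark audit surfaces for remediation.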

General-Purpose Guides
General-purpose security guides exist for organizations that need guidance on servers used for general purposes rather than on a specific platform or product.
For example, NIST publishes the Guide to General Server Security, which addresses general security issues related to typical servers. The guide addresses the underlying operating system, server software, and ways to maintain a secure configuration.
The General-Purpose Operating System Security Requirements Guide (SRG) and the Operating System Security Requirements Guide are informational tools for improving the security of Department of Defense (DoD) systems. The General-Purpose Operating System Protection Profile (OSPP) guide is also available. This guide was created as a joint effort between the National Information Assurance Partnership (NIAP) and the British Standards Institution (BSI) to develop a Common Criteria Protection Profile that is often used in the certification process in accordance with ISO/IEC 15408 and the Common Criteria.

Quiz questions:

1. Which of the following are the most compelling reasons that secure configuration baselines have been established? (Select three.) A. Industry representatives B. Organizational requests C. Government mandates D. Regulatory bodies

2. Your organization is looking to move the internally developed and managed HR system to a SaaS vendor. Which of the following should you request from the vendor? A. SOX report B. COBIT C. SOC 2 report D. Benchmark guides

Answer 1: A, C, and D. Security baselines are often established by government mandates, regulatory bodies, or industry representatives. For example, think of the PCI DSS requirements established by the credit card industry for businesses that collect and transact using credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established to comply with some type of regulation or standard.
Answer 2: C. A SOC 2 report provides third-party attestation of the service provider’s security controls. Answer A is incorrect because SOX is a regulatory standard governing financial accounting. Answer B is incorrect because COBIT provides a set of best practices for IT management. Answer D is incorrect because benchmark guides are usually available to anyone and only serve as guides, though they still need to be followed.