Chapter 32: 5.2 Regulations, Standards, and Frameworks
Regulations, standards, and legislation
GDPR: General Data Protection Regulation – https://gdpr-info.eu/
National, territory, or state laws
Payment Card Industry Data Security Standard (PCI DSS)
Key frameworks
Center for Internet Security (CIS)
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/ Cybersecurity Framework (CSF)
https://www.nist.gov/cyberframework
- Framework Core
- Implementation Tiers
- Framework Profiles
International Organization for Standardization (ISO) 27001/27002/27701/31000
SSAE SOC 2 Type I/II
Cloud Security Alliance
Cloud Controls Matrix
Reference architecture
Benchmarks / Secure Configuration Guides
Platform / vendor-specific guides
Web server
OS
Application server
Network infrastructure devices
CIS
NVD
STIGs
Discussed in the 501 materials, but not the 601
Regulatory
NERC CIP – https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
Non-regulatory
National vs International
FedRAMP – https://www.fedramp.gov/
US-EU Safe Harbor Framework (old) – https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework
EU-US Privacy Shield Framework (new) – https://www.privacyshield.gov/EU-US-Framework
Industry-specific
HITRUST CSF – https://hitrustalliance.net/hitrust-csf/