From M1 to M5
National Institute of Standards and Technology (N.I.S.T.) Cybersecurity Framework
Established in 1901 to promote US research capabilities.
In 1995, NIST branched out into cybersecurity with the publication: NIST Special Publication (SP) 800-12
There to protect us. It’s a systematic implementation of hardware that can be:
Transmitted,
Modified
Accessed
Stored securely & efficiently.
Need to constantly reevaluate technology.
THREE NIST Frameworks:
NIST Cybersecurity Framework (CSF)
NIST Privacy Framework
NIST SP 800-53 (Security and Privacy)
(1.) Cybersecurity Framework (CSF)
Voluntary, but recommended
Three primary components
Framework Core
Framework Implementation Tiers
Framework Profile
Framework Core
The Framework Core is a set of plain language controls created to protect critical IT infrastructure. It helps organizations identify, assess, and manage cybersecurity risks cost-effectively and repeatably.
The 5 Focus Areas:
Identify
Protect
Detect
Respond
Recover
Framework Implementation Tiers
Implementation Tiers inform an organization about how effective their Framework Profiles are at implementing cybersecurity practices.
Each Tier Includes:
Risk Management Process
Risk Management Program Integration
External Participation
Framework Profiles show the success or failure of an organization's information security implementation.
Tier 1 Partial (Lowest)
Least sophisticated cybersecurity practices.
Partial/No integration into the organizational process
Process: Ad-hoc; not strategic or aligned with organization priorities.
Integration: Ad-hoc; minimal or no integration into organizational processes.
External Participation: Isolated and not evaluated.
Tier 2 Risk-Informed
Risk-Informed integration.
Process: Prioritized based on organizational risk.
Integration: Aware of risks but not managed to a high degree
External Participation: Aware, but no set policy/inconsistent
Tier 3 Repeatable
Repeatable integration
Happens on an ongoing basis
Process: Needs formally documented policies
Integration: Integrated into planning and communicated regularly among leadership
External Participation: There is a governance council to manage external risk
Tier 4 Adaptive
Most sophisticated
Adaptive integration
Process: Improves iteratively from internal/external incidents and is responsive
Integration: Manages risk organization-wide, with cyber risk prioritized
External Participation: Robustly participates in info-sharing activities and contributes to the cybersecurity community at large.
Framework Profiles
Mechanisms by which NIST recommends how to measure and minimize risks
Profiles are like implementation guides with specific insights into industries
Considerations should include:
Organizational Goal
Industry goals
Legal Requirements
Industry best practices
Risk management
What are the three categories NIST recommends for cybersecurity risk management?
Current Profile – Represents the current state of the organization's risk management practices.
Target Profile – Represents the desired future state of cybersecurity risk management.
Gap Analysis – Identifies the differences between the Current and Target Profiles to guide improvement efforts.
What is the NIST Privacy Framework and how does it relate to the NIST Cybersecurity Framework (CSF)?
Published in 2020 for data protection.
Industry agnostic – applicable across all sectors.
Has a similar structure to the NIST CSF.
Uses comparable risk management approaches,
BUT applies them differently to privacy-specific subject matter.
What are the eight areas of focus ("functions") in the NIST Privacy Framework?
Identify-P/C
Govern-P
Control-P
Communicate-P
Protect-P/C
Detect-P
Respond-P
Recover-P
Identify (P/C)
(Privacy & Cybersecurity Framework)
What are the company's privacy risks related to data activities?
Govern (P)
(Privacy Framework)
What is the best governance—policies, processes, and procedures—for managing privacy?
Control (P)
(Privacy Framework)
What is the management approach for privacy risks related to data?
Communicate (P)
(Privacy Framework)
How should the organization drive dialogue around privacy risks to data?
Protect (P/C)
(Privacy & Cybersecurity Framework)
What safeguards should be implemented for privacy risks related to data?
Detect (C)
(Cybersecurity Framework)
How should the organization detect data privacy risks and events?
Respond (C)
(Cybersecurity Framework)
How should the organization respond to data privacy risks and events?
Recover (C)
(Cybersecurity Framework)
How should the company continue business after data privacy events?
What are the three implementation models in NIST SP 800-53?
Common (Inheritable) Control
System-Specific Control
Hybrid Control
Common (Inheritable) Control (NIST SP 800-53)
Controls implemented at the organizational level that are inheritable by multiple information systems.
System-Specific Control (NIST SP 800-53)
Controls implemented directly at the information system level, unique to that system.
Hybrid Control (NIST SP 800-53)
Controls where some components are implemented organizationally, and others at the system level, depending on what’s appropriate.
What is NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations?
The standard for federal information systems.
Stricter than the NIST Privacy Framework or Cybersecurity Framework.
Designed to protect against sophisticated threats, not just based on cost-effectiveness.
Contains over 1,200 detailed controls.
Applies to systems processing, storing, or transmitting data.
Helps meet:
Office of Management and Budget (OMB) Circular A-130 (requires controls for federal info systems)
Federal Information Security Modernization Act (FISMA) (requires minimum security/privacy controls)
Target Audience: Admins, developers, auditors, privacy/security personnel, commercial entities.
What are the organizational responsibilities under NIST SP 800-53?
Define clear security and privacy requirements.
Use trustworthy system components (hardware, software, firmware).
Perform rigorous planning and system development.
Apply secure practices during system integration.
Document comprehensive privacy/security practices.
Conduct continuous monitoring to assess control effectiveness.
How is NIST SP 800-53 organized?
NIST SP 800-53 is subdivided into 20 control families covering organizational risk. In addition, optional control enhancements are included to promote best practices.
NIST SP 800-53: AC - Access Control
How does the organization manage application and resource access?
NIST SP 800-53: AT - Awareness and Training
How should the company deliver training on information security risk?
NIST SP 800-53: AU - Audit and Accountability
How does the company evaluate information security controls?
NIST SP 800-53: CA - Assessment, Authorization, and Monitoring
How does the organization assess threats?
NIST SP 800-53: CM - Configuration Management
How are assets and software configured securely?
NIST SP 800-53: CP - Contingency Planning
How is the company prepared for downtime and outages?
NIST SP 800-53: IA - Identify and Authenticate
How is identification and authentication managed?
NIST SP 800-53: IR - Incident Response
How is the organization prepared to react to information security events?
NIST SP 800-53: MA - Maintenance
How does the company ensure secure maintenance of infrastructure?
NIST SP 800-53: MP - Media Protection
How is information on physical media managed and protected?
NIST SP 800-53: PE - Physical and Environmental Protection
How are facilities secured from intrusion or harm?
NIST SP 800-53: PL - Planning
How does the organization manage information security planning?
NIST SP 800-53: PM - Program Management
How does the organization securely manage its information security programs?
NIST SP 800-53: PS - Personnel Security
How are employees evaluated for potential compromise?
NIST SP 800-53: PT - PII Processing and Transparency
How is personally identifiable information (PII) managed?
NIST SP 800-53: RA - Risk Assessment
How is environmental risk evaluated?
NIST SP 800-53: SA - System and Services Acquisition
How are systems securely evaluated and acquired?
NIST SP 800-53: SC - System and Communication Protection
How is data securely transmitted digitally?
NIST SP 800-53: SI - System and Information Integrity
How is the integrity of data maintained and evaluated?
NIST SP 800-53: SR - Supply Chain Management
How does the company secure its supply chain?
What does NIST divide its control families into?
Controls (objectives to be implemented for family baseline conformance)
Control Enhancements (best practices)
What approach does the Privacy Framework use to allow adaptation to specific business environments?
A risk-based and outcome-based approach, which includes considerations of objectives and results.
What do the functions of the NIST Privacy Framework Core organize?
They organize foundational privacy activities at the highest level to manage privacy risk. This includes understanding and managing data processing, enabling risk management decisions, determining interactions with individuals, and improving through continuous learning.
What is not an emphasis of the functions of the NIST Privacy Framework Core?
Interacting with groups is not an emphasis of the functions of the framework.
What is the purpose of privacy and data security standards, and how do they create trust between consumers and enterprises?
They exist to protect an individual's private life and keep data out of the public domain.
Laws create trust between consumers and enterprises by regulating how those entrusted with data use it.
What is the difference between privacy laws in the US and the EU?
In the US, there is no federal law that regulates all personal data.
In the EU, the General Data Protection Regulation (GDPR) applies universally.
Some states, like California (CA), have similar privacy laws for their citizens.
What is a data breach?
A data breach is the exposure of confidential information to unauthorized persons.
What are the two types of data breaches?
Intentional or Unintentional
What are some significant consequences of data breaches?
Consequences include reputation harm, disruption, financial loss, data loss, etc.
What is the average cost of a data breach?
The average cost of a data breach is $4 million due to costs such as:
Detection and escalation (forensics and investigations)
Notifications to necessary parties
Post-breach responses (fines and correction services)
Loss of business revenue due to system shutdowns
What risks do data breaches expose consumers to?
Data breaches expose consumers to the risk of identity and monetary theft.
What is the Health Insurance Portability and Accountability Act (HIPAA) and when was it established?
HIPAA was established in 1996 to promote national standards of healthcare privacy and security.
What does HIPAA govern?
HIPAA governs the privacy of electronic Protected Health Information (PHI).
Who are considered covered entities under HIPAA?
Covered entities under HIPAA include:
Health care providers
Health plans
Healthcare clearinghouses (institutions that electronically transmit medical data)
Any service provider who needs access to PHI
What are the circumstances under which PHI can be disclosed?
PHI can be disclosed to:
The owner of the information
For treatment, payment, and operation
With valid authorization/permission
Limited redacted data for research
For public interest and benefit activities provided by law
What are the requirements for electronic PHI under HIPAA?
Every covered entity must:
Ensure confidentiality, integrity, and availability of all electronic PHI
Protect against reasonably anticipated threats to security and impermissible uses or disclosures
What types of safeguards does HIPAA require?
HIPAA requires:
Administrative safeguards: such as signing responsibilities, training, plans, etc.
Physical safeguards: such as physical locks on workstations and doors, and access controls
What is the purpose of the Health Info Tech for Economic and Clinical Health (HITECH) amendment to HIPAA?
HITECH amended HIPAA to:
Increase penalties for violations
Require patients to get the option for electronic/paper forms
Add business associates as a "covered entity"
Require breach notifications to affected individuals within 60 days
What is the General Data Protection Regulation (GDPR) and when was it passed?
The GDPR was passed by the European Union in May 2018 to regulate the privacy of all data.
Why is GDPR considered one of the strictest privacy laws?
GDPR is considered one of the strictest privacy laws in the world and imposes steep penalties for violations.
Who does GDPR apply to?
Data processors based in the EU, even if processing takes place outside the EU.
Data processors not based in the EU if offering goods or services to those in the EU or monitoring their behavior.
EU Embassies outside of EU borders.
What was the Safe Harbor Framework and why did it fail?
The Safe Harbor Framework was created to transfer data between the US and the EU but failed in 2015 because the EU determined it was not strict enough.
What replaced the Safe Harbor Framework and what happened to it?
The Privacy Shield replaced the Safe Harbor Framework in 2016, but it was invalidated by the EU in 2020.
What are the six principles of GDPR?
Lawfulness, fairness, transparency
Purpose limitations
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
What does Lawfulness, fairness, transparency mean under GDPR?
In accordance with laws, the data subject's rights must be respected, and data processing must be transparent to individuals.
What does Purpose limitations mean under GDPR?
Data cannot be used for purposes other than what it was originally intended for.
What does Data minimization mean under GDPR?
Can't store anything more than what is necessary. Example: SSN
What does Accuracy mean under GDPR?
Data must be accurate and kept updated.
What does Storage limitation mean under GDPR?
Can only store data for a limited time or as long as needed.
What does Integrity and Confidentiality mean under GDPR?
Data must be processed securely and be protected.
What are Payment Card Industry Data Security Standards (PCI DSS)?
PCI DSS is a framework for processing payments and securing cardholder data, particularly Primary Account Number (PAN). It consists of 6 goals and 12 requirements that organizations must implement to protect cardholder data and secure systems involved in payment processing.
What is Goal 1 of PCI DSS and its associated requirements?
Goal: Build and Maintain a Secure Network and Systems.
PCI DSS Requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
What is Goal 2 of PCI DSS and its associated requirements?
Goal: Protect Cardholder Data.
PCI DSS Requirements:
3. Encrypt transmission of cardholder data across open, public networks.
4. Protect stored cardholder data.
What is Goal 3 of PCI DSS and its associated requirements?
Goal: Maintain a Vulnerability Management Program.
PCI DSS Requirements:
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
What is Goal 4 of PCI DSS and its associated requirements?
Goal: Implement Strong Access Control Measures.
PCI DSS Requirements associated:
7. Restrict access to cardholder data through use of need-to-know restrictions.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
What is Goal 5 of PCI DSS and its associated requirements?
Goal: Regularly Monitor and Test Networks.
PCI DSS Requirements associated:
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
What is Goal 6 of PCI DSS and its associated requirements?
Goal: Maintain an Information Security Policy.
PCI DSS Requirements associated with Goal 6:
12. Maintain a policy that addresses information security for all personnel.
PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Enforce, for both physical and software-defined networking technologies, network policies that control network traffic between two or more logical or physical network segments.
PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Establish formalized processes and procedures to apply secure configurations to all system components and wireless environments.
PCI DSS Requirement 3: Protect stored cardholder data.
Minimize the storage of account data. Sensitive data should not be stored after authorization. Cardholder data should be rendered unreadable using cryptography. Secure cryptographic keys and define their life cycles.
PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Encrypt data in transit when transactions are submitted to the card network across the internet and other public networks.
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Implement software to protect against malware and phishing attacks.
PCI DSS Requirement 6: Develop and maintain secure systems and applications.
Ensure all system components have the most recent critical security patches. Internally developed software must follow secure development coding practices.
PCI DSS Requirement 7: Restrict access to cardholder data by business need to know.
Apply strict requirements to granting access to cardholder data on a need-to-know basis. Periodically revoke access when no longer necessary.
PCI DSS Requirement 8: Identify and authenticate access to system components.
Ensure every user has a unique ID. Use strong authentication mechanisms and require multifactor authentication for access to the cardholder data environment (CDE).
PCI DSS Requirement 9: Restrict physical access to cardholder data.
Create physical barriers to server rooms, switch closets, and other equipment that stores or processes cardholder data.
PCI DSS Requirement 10: Log and monitor all access to system components and cardholder data.
Implement network monitoring that provides audit trails and logs activity. Review for suspicious behavior.
PCI DSS Requirement 11: Test security of systems and networks regularly.
Perform external vulnerability scans at least once every three months and achieve a passing score. Regularly perform penetration testing to identify internal and external vulnerabilities.
PCI DSS Requirement 12: Support information security with organizational policies and programs.
Create, enforce, and regularly update written policies for each stage of the payment process. Define employee responsibilities and procedures to protect account data.
Can an employer access an employee’s Personal Health Information (PHI) under HIPAA without consent if it’s required for continued employment?
No. Under the HIPAA Privacy Rule, an employer cannot access an employee’s PHI without explicit authorization from the individual. Even if the employer claims it is required for continued employment, the individual’s consent is still mandatory. HIPAA strictly protects the privacy of health information unless an exception applies.
Does the General Data Protection Regulation (GDPR) apply to a company based in the EU if its data processing is conducted outside the EU?
Yes. The GDPR applies regardless of where the processing occurs, so it applies even when the company processes data remotely from the U.S. The regulation covers all organizations located in the EU or handling data of EU citizens.