Course 1

The document outlines various compliance frameworks and regulations relevant to cybersecurity, including FERC-NERC, FedRAMP, CIS, GDPR, PCI DSS, HIPAA, and ISO. It emphasizes the importance of adhering to these standards to protect sensitive information and mitigate risks, particularly in sectors like healthcare and finance. Additionally, it discusses the role of playbooks in guiding organizations through security incidents and investigations.
13 June 2023 14:28

Compliance is the process of adhering to internal standards and external regulations.

From <https://www.coursera.org/learn/foundations-of-cybersecurity/supplement/xu4pr/controls-frameworks-and-compliance>

Examples of frameworks that were introduced previously include the NIST Cybersecurity Framework
(CSF) and the NIST Risk Management Framework (RMF).

From <https://www.coursera.org/learn/foundations-of-cybersecurity/supplement/xu4pr/controls-frameworks-and-compliance>

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)
FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.

The Federal Risk and Authorization Management Program (FedRAMP®)
FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

Center for Internet Security (CIS®)
CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:
1. Privacy
2. Security
3. Breach notification
Organizations that store patient data have a legal obligation to inform patients of a breach because if patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

International Organization for Standardization (ISO)
ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

System and Organizations Controls (SOC type 1, SOC type 2)
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels such as:
• Associate
• Supervisor
• Manager
• Executive
• Vendor
• Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

From <https://www.coursera.org/learn/foundations-of-cybersecurity/supplement/xu4pr/controls-frameworks-and-compliance>

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual
Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats
Security controls: Safeguards designed to reduce specific security risks
Security ethics: Guidelines for making appropriate decisions as a security professional
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy
Security governance: Practices that help support, define, and direct security efforts of an organization
Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

From <https://www.coursera.org/learn/foundations-of-cybersecurity/supplement/QQItc/glossary-terms-from-week-3>

A playbook is a manual that provides details about any operational action, such as how to respond to a security incident. Organizations usually have multiple playbooks documenting processes and procedures for their teams to follow. Playbooks vary from one organization to the next, but they all have a similar purpose: To guide analysts through a series of steps to complete specific security-related tasks.

For example, consider the following scenario: You are working as a security analyst for an incident response firm. You are given a case involving a small medical practice that has suffered a security breach. Your job is to help with the forensic investigation and provide evidence to a cybersecurity insurance company. They will then use your investigative findings to determine whether the medical practice will receive their insurance payout.

In this scenario, playbooks would outline the specific actions you need to take to conduct the investigation. Playbooks also help ensure that you are following proper protocols and procedures. When working on a forensic case, there are two playbooks you might follow:
• The first type of playbook you might consult is called the chain of custody playbook. Chain of custody is the process of documenting evidence possession and control during an incident lifecycle. As a security analyst involved in a forensic analysis, you will work with the computer data that was breached. You and the forensic team will also need to document who, what, where, and why you have the collected evidence. The evidence is your responsibility while it is in your possession. Evidence must be kept safe and tracked. Every time evidence is moved, it should be reported. This allows all parties involved to know exactly where the evidence is at all times.
• The second playbook your team might use is called the protecting and preserving evidence playbook. Protecting and preserving evidence is the process of properly working with fragile and volatile digital evidence. As a security analyst, understanding what fragile and volatile digital evidence is, along with why there is a procedure, is critical. As you follow this playbook, you will consult the order of volatility, which is a sequence outlining the order of data that must be preserved from first to last. It prioritizes volatile data, which is data that may be lost if the device in question powers off, regardless of the reason. While conducting an investigation, improper management of digital evidence can compromise and alter that evidence. When evidence is improperly managed during an investigation, it can no longer be used. For this reason, the first priority in any investigation is to properly preserve the data. You can preserve the data by making copies and conducting your investigation using those copies.

From <https://www.coursera.org/learn/foundations-of-cybersecurity/supplement/xNrn4/tools-for-protecting-business-operations>
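The two forensic playbooks described in these notes (chain of custody, and protecting and preserving evidence) can be made concrete with a small script. The following is an added example, not code from the course or from these notes: it hashes an acquired evidence image, records every hand-off with who, what, where and why, copies the image so analysis happens on the copy, and re-verifies the hash so that any alteration of the evidence is detected. The evidence bytes, analyst names and locations are constructed for the demo, and the ORDER_OF_VOLATILITY ranking is an assumption following the RFC 3227 ordering, since the notes name no specific tiers.

```python
"""Chain-of-custody log and evidence-preservation checks (added example)."""
from __future__ import annotations

import hashlib
import hmac
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEntry:
    """One line of the chain-of-custody log: when, who, what, where, why, and the hash seen."""
    when: str
    who: str
    action: str
    where: str
    why: str
    digest: str


@dataclass
class EvidenceItem:
    item_id: str
    original: Path
    acquired_hash: str                       # hash taken at acquisition; never changes
    log: list[CustodyEntry] = field(default_factory=list)

    def record(self, who: str, action: str, where: str, why: str, path: Path | None = None) -> CustodyEntry:
        """Append a custody entry; every move re-hashes the artifact being handled."""
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(), who, action, where, why,
                             sha256_file(path or self.original))
        self.log.append(entry)
        return entry

    def intact(self, path: Path | None = None) -> bool:
        """True if the original (or a working copy) still matches the acquisition hash."""
        return hmac.compare_digest(sha256_file(path or self.original), self.acquired_hash)


def acquire(item_id: str, original: Path, who: str, where: str, why: str) -> EvidenceItem:
    """Seal an item: the acquisition hash is the reference for all later checks."""
    item = EvidenceItem(item_id, original, sha256_file(original))
    item.record(who, "acquired", where, why)
    return item


def make_working_copy(item: EvidenceItem, dest: Path, who: str) -> bool:
    """Copy the evidence and confirm the copy is bit-identical before anyone analyses it."""
    shutil.copyfile(item.original, dest)
    item.record(who, "copied", str(dest.parent), "analysis is done on the copy; original stays sealed", dest)
    return item.intact(dest)


# Assumed ranking (RFC 3227 order), most volatile first; the course notes give no specific tiers.
ORDER_OF_VOLATILITY = ("cpu registers and cache", "memory", "network state", "running processes",
                       "disk", "remote logs", "physical configuration and topology", "archival media")


def collection_order(sources: list[str]) -> list[str]:
    """Sort evidence sources so the most volatile are collected first; unknown sources go last."""
    rank = {name: i for i, name in enumerate(ORDER_OF_VOLATILITY)}
    return sorted(sources, key=lambda s: rank.get(s, len(rank)))


def demo() -> dict:
    """Walk the medical-practice scenario with constructed evidence and return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp)
        original = case / "practice-workstation-01.img"          # constructed stand-in for a disk image
        original.write_bytes(b"PATIENT-RECORDS-DB\x00" * 4096)

        item = acquire("EV-001", original, who="analyst A", where="evidence locker, IR firm",
                       why="forensic investigation supporting the insurer's claim review")
        copy = case / "working-copy.img"
        copy_ok = make_working_copy(item, copy, who="analyst A")

        # Hand-off to a second analyst: every move is logged, with the hash at that moment.
        item.record("analyst B", "received", "lab bench 2", "memory and disk analysis", copy)

        # Simulate mishandling of the working copy; the integrity check must flag it.
        with copy.open("r+b") as fh:
            fh.write(b"X")
        return {"copy_ok": copy_ok, "tamper_detected": not item.intact(copy),
                "original_intact": item.intact(), "log_entries": len(item.log)}


if __name__ == "__main__":
    print(demo())
    print(collection_order(["disk", "memory", "archival media", "network state"]))
```

The hash taken at acquisition is the anchor of the whole log: each later entry re-hashes whatever is being handled, so a mismatch pinpoints the hand-off during which the evidence changed, which is exactly what an insurer or court will ask the forensic team to demonstrate.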
