Cyber Security Tutorial


Cyber Security Standards

Top Cyber Security Frameworks/ Standards

Cyber security experts safeguard the internet against cyber crime by defining rules and protocols for users to follow. These rules and regulations have themselves been measured against various parameters to establish security standards. Cyber security standards are formulated to improve the security of IT products and of an organization's IT infrastructure; they are the benchmark against which a system's security is judged. The various security standards give users and clients assurance that the data in the system is protected.

Cyber security standards are the guidelines that every business must follow concerning cyber security and information security. The frameworks that define and uphold these standards are listed below:

NIST – National Institute of Standards and Technology

The National Institute of Standards and Technology is a US government agency that publishes cryptographic and cyber security standards which are used globally. Its publications include the NIST Cybersecurity Framework (NIST CSF), the NIST SP 800 series (for example NIST SP 800-171 and NIST SP 800-53), and the NIST SP 1800 series. The framework acts as a guide for managing cyber security risk based on existing guidelines, standards, and practices.

HIPAA – Health Insurance Portability and Accountability Act

HIPAA (Health Insurance Portability and Accountability Act) is a standard designed specifically for the health care industry so that patient data is protected and cannot be leaked. It governs patient and staff records in hospitals; to comply, hospitals must have a strong network security team to handle all security-related incidents. Transaction records are handled in encrypted form, and quarterly reports must be in good order. The standard secures patients' personal health information, which makes them feel safe, and it is also necessary for maintaining the hospital's reputation and the confidentiality and integrity of patient information.

FINRA- Financial Industry Regulatory Authority

As the name suggests, the Financial Industry Regulatory Authority regulates financial bodies that handle funds and are heavily engaged in financial transactions. It is a private non-profit organization authorized by the U.S. government, under which the rules governing registered brokers and broker-dealer firms in the United States are written and enforced. As an independent regulatory body it has the power to take disciplinary action against firms or individuals that break industry rules. It protects the financial industry from cyber attackers and investors from potential abuses, and it ensures the ethical conduct of business within the financial industry.

GDPR- General Data Protection Regulation

The European Union defines the General Data Protection Regulation standard for the protection of all users' data. The standard consists of rules and regulations for collecting and processing personal information about individuals in the EU. It is the toughest privacy and data security law in the world, imposing obligations on any organization that collects data relating to people in the EU. The European Union drafted and passed the standard, and it came into effect on May 25, 2018. It requires that a user or visitor whose data a website collects be notified of, and agree to, the terms and conditions of that collection, i.e. consent to the information gathering. Individuals, organizations, or others who violate its privacy and security requirements face penalties reaching tens of millions of euros.

Some of the key points of GDPR are:

  • Data protection principles
  • Accountability
  • Data security
  • Data protection by design and by default
  • When a user is allowed to process data
  • Consent
  • Data protection officer
  • People's privacy rights

ISO – International Organization for Standardization

ISO is an international non-governmental organization that develops and publishes a wide range of industrial, proprietary, and commercial standards, including standards for maintaining the integrity, confidentiality, and availability of information in a company's data center. It was created to provide certification and standardization for a vast range of processes, products, and materials. The ISO/IEC 27000 family of information security standards includes:

- ISO/IEC 27001
- ISO/IEC 27002
- ISO/IEC 27003
- ISO/IEC 27004
- ISO/IEC 27005
- ISO/IEC 27006
- ISO/IEC 27007

PCI DSS- Payment Card Industry Data Security Standard

PCI DSS compliance came into existence because of debit, credit, and other payment cards: it ensures that every company that processes, stores, or transmits card information maintains a secure environment. On September 7, 2006, the PCI Security Standards Council was launched to manage the PCI security standards and improve account security throughout the transaction process.

The Payment Card Industry Data Security Standard (PCI DSS) is administered and managed by the PCI Security Standards Council. It is adopted by organizations that accept payments through their gateway and store user data such as names and card details.

Compliance ensures that the organization uses up-to-date technology and that its systems have no severe vulnerabilities; this is verified by putting the systems through a security assessment. Visa, American Express, Discover, MasterCard, and JCB developed this standard for their card operations.

Some of the major requirements of PCI DSS in the cyber security world are as follows:

  • Protect and maintain stored cardholder data.
  • Restrict physical access to cardholder data.
  • Install and maintain a firewall configuration, and encrypt transmission of cardholder data across public and open networks.
  • Assign a unique customer/user ID to each person who accesses the system.
  • Develop and maintain secure systems and applications.
  • Maintain a policy that addresses information security for all personnel, and regularly test security processes and systems.
  • Track and monitor all access to cardholder data and network resources by logging transactions.
  • Use and regularly update anti-virus software on the systems.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

SANS Security Policy Resource

The SANS security policy resource is a cyber security framework resource consisting of policy templates for server, network device, and application security.

Cloud security alliance (CSA)

As the name suggests, it relates to the cloud, where data is stored. It is a non-profit organization that provides services to protect cloud data.

OWASP foundation

OWASP is a non-profit organization in the cyber security world that regularly publishes a Top 10 list of security issues, which most organizations use to categorize security vulnerabilities. Its lists cover mobile, web applications, web services, and more.

Patent Law

Growth and development in technology happen with new inventions, which need to be acknowledged. The inventor should be awarded and given the right to their invention.

This can be done by patent law, in which an exclusive right is granted for an invention called a patent. A patent is designed to protect the inventions for a certain period, and it's a branch of intellectual property law.

The United States Patent and Trademark Office (USPTO) grants the right to produce a product without fear of competition. The patent is granted for a limited time, and this gives individuals and companies an incentive to continue developing innovative new services or products.

A patent is granted for a new, useful, or natural object or process, not for an obvious invention. Tangible scientific inventions like car engines, heating oils, circuit boards, or zippers are protected by traditional patents.

Over time, patents have also come to protect a variety of inventions such as business practices, coding algorithms, or genetically modified organisms. The main types of patent are:

Utility Patent

Utility patents prevent individuals and companies from using, making, or selling an invention or creation without consent. They are also known as "patents for invention" because they cover the creation of a new or improved process, product, or machine. A utility patent is valid for up to 20 years after the patent application is filed, provided the patent holder pays the regular maintenance fees.

Design Patent

This patent is registered for the unique look of a manufactured item. The unique design differentiates the item and gives it its identity, so the design or the item's components are patented to protect them from competitors. For example, the automobile industry launches new car models with extended features and different designs. These visual elements are part of the car's identity and add value, so they need to be protected so that competitors cannot copy them without legal consequences.

Plant Patent

New inventions and discoveries also take place in plant breeding, and the plant patent act protects them. It protects the key characteristics of a unique, new plant from being sold, copied, or used by others for 20 years after the application is filed. The condition is that the plant reproduces asexually, so that it is genetically identical to the original, through methods such as root cuttings, bulbs, division, grafting, or budding.

IPR- Intellectual Property Right

Music, writing, designs, inventions, and other works and their creators or owners should be protected by laws that secure and enforce their rights. Intellectual property law was created by experts to protect new inventions and creations in different fields. Copyright, patents, trade secrets, and trademarks are the main areas of intellectual property law. Intellectual property covers creations of the mind such as designs, symbols, inventions, artistic and literary work, and images and names used in commerce. The right gives a person ownership of the creations of their mind for a certain period. Intellectual property law is divided into two areas:

  1. Copyright and rights related to copyright.
  2. Industrial property

Under Article 27 of the Universal Declaration of Human Rights, these IPR rights are outlined as protecting the moral and material interests resulting from the authorship of literary, scientific, or artistic productions.

Copyright Act

Copyright is a collection of rights allotted by the law to the creators of musical, literary, dramatic, and artistic works, including cinematograph films and sound recording producers.

In India the subject is governed by the Copyright Act 1957, as amended by the Copyright Amendment Act 2012. It gives an individual control and ownership of their creation once it is fixed in a tangible form of expression.

Copyright was designed to control piracy (making and selling copies of an original work). It balances the use and reuse of creative works against the creator's desire to monetize their literature, music, and art. The areas covered and not covered by the copyright act are:

Covered areas:

  • Duration of copyright
  • Works eligible for protection
  • Rights of the copyright owner
  • Who can claim copyright

Areas not covered:

  • Familiar designs or symbols, choreographic work that has not been notated, and improvisational speech that has not been written down
  • Titles, slogans, names, and short phrases
  • Processes, procedures, concepts, ideas, methods, principles, systems, and discoveries
  • Variations of typographic lettering, coloring, and ornamentation

IT Act

The IT Act (Information Technology Act) is designed to protect digital, electronic, and online transactions in a trustworthy and lawful manner, giving legal recognition to "electronic commerce" in India.

It is also known as ITA-2000 and was enacted by the Indian government to provide a legal infrastructure that deals with e-commerce and cybercrime in India.

The act was designed to check the misuse of cyber networks and computers in India as internet usage and cyber-attacks boomed. It was passed in 2000 and amended in 2008, and consists of 13 chapters with 94 sections and 4 schedules. It defines various offenses and their punishments.

COBIT

The COBIT framework reduces IT risk and is used to achieve Sarbanes-Oxley compliance. It was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA also offers two main certifications: Certified Information Security Manager and Certified Information Systems Auditor.

One version, COBIT 5, was released in 2012 and incorporates business trends and technology to help organizations balance IT and business goals. The latest version is COBIT 2019.

CIS controls

CIS Controls differ from NIST CSF, which addresses risk management; instead they focus on increasing resilience and reducing risk in technical infrastructure. They consist of a list of technical and operational security controls that can be applied to any environment.

Some of the CIS Controls are audit log management, penetration testing, inventory and control of enterprise assets, data protection, and malware defenses. These controls help remediate identified risks by linking to existing risk management frameworks and the IT department's resources.

CIS also publishes security benchmarks for mobile devices, network devices, server operating systems, virtualization platforms and cloud services, desktops, and web browsers. These benchmarks are security configuration guides that governments and industry widely accept, and they are available for free.

Most security auditing organizations use these benchmarks to evaluate the configuration of IT infrastructure.
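Benchmark evaluation of this kind is routinely automated: a tool reads the configuration of a host and compares each setting with the value the benchmark recommends. The following Python example is added here to illustrate that; it is not part of the original tutorial and not CIS's own assessment tooling. It parses a constructed sshd_config (sample data, not from any real host) and checks it against a small rule table whose titles are modelled on the SSH items of the CIS Linux benchmarks; the exact thresholds and the treatment of unset keywords are this example's assumptions rather than a quotation of the benchmark.

```python
from typing import Callable, Dict, List, Tuple, Union

# Constructed sshd_config sample (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
"""

Expected = Union[str, Callable[[str], bool]]
Rule = Tuple[str, Expected, str]

# Rule table: (keyword, expected value or predicate, benchmark-style title).
# Titles are modelled on CIS Linux benchmark SSH items; thresholds are this example's assumptions.
RULES: List[Rule] = [
    ("PermitRootLogin", "no", "Ensure SSH root login is disabled"),
    ("PermitEmptyPasswords", "no", "Ensure SSH PermitEmptyPasswords is disabled"),
    ("X11Forwarding", "no", "Ensure SSH X11 forwarding is disabled"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4,
     "Ensure SSH MaxAuthTries is set to 4 or less"),
    ("LoginGraceTime", lambda v: v.isdigit() and 1 <= int(v) <= 60,
     "Ensure SSH LoginGraceTime is set to one minute or less"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> value. sshd honours the first occurrence of a keyword, so later
    duplicates are ignored; keywords are case-insensitive and are stored lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def evaluate(settings: Dict[str, str], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (title, 'PASS' or 'FAIL', observed value) for each rule.
    An unset keyword is a FAIL: the audit does not assume the compiled-in default is safe."""
    results = []
    for keyword, expected, title in rules:
        observed = settings.get(keyword.lower())
        if observed is None:
            ok = False
        elif callable(expected):
            ok = bool(expected(observed))
        else:
            ok = observed.lower() == expected.lower()
        results.append((title, "PASS" if ok else "FAIL", observed if observed is not None else "(not set)"))
    return results


def compliance_score(results: List[Tuple[str, str, str]]) -> Tuple[int, int]:
    """Return (passed, total) for a list of evaluate() results."""
    passed = sum(1 for _, status, _ in results if status == "PASS")
    return passed, len(results)


if __name__ == "__main__":
    findings = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG), RULES)
    for title, status, observed in findings:
        print(f"[{status}] {title} (observed: {observed})")
    print("score: %d/%d" % compliance_score(findings))
```

Two details matter for a real audit and are reflected here: the parser keeps the first occurrence of a keyword because that is what sshd does, so a hardened value appended at the end of a file does not count; and a keyword that is absent is reported as a failure with "(not set)" rather than silently trusting the daemon's default, which keeps the report honest when the default changes between versions.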

HITRUST Common Security Framework

The HITRUST Common Security Framework includes 14 control categories, such as risk management, analysis, and operational requirements.

These controls can be applied to any organization, and organizations scope small focus areas for HITRUST. The framework is a massive undertaking for any organization because of the heavy weight it gives to process and documentation.

COSO

COSO is the result of a joint venture of five professional organizations concerned with cyber security. Its versions differ in scope: the 2013 framework covers internal controls, and the 2017 framework covers risk management.

Conclusion:

In summary, cyber security standards and frameworks are policies designed by cyber security experts, consisting of methods and approaches that should be followed to keep systems and their information protected.
Many cyber security standards exist, and every year some are revised and new ones are introduced as requirements change. Organizations at every level use the current versions of these standards to ensure their security.