© Morey J. Haber, Brad Hibbert 2018

Morey J. Haber and Brad Hibbert, Asset Attack Vectors, https://doi.org/10.1007/978-1-4842-3627-7_19

19. Regulatory Compliance

Morey J. Haber (1) and Brad Hibbert (2)

(1) Heathrow, Florida, USA

(2) Carp, Ontario, Canada

A threat actor does not care about the law, compliance, regulations, or security best practices. In fact, they hope your organization is lax on many of these specifications and frameworks so that they can leverage that laxity for malicious intent. While regulatory compliance is designed to provide legally binding guidelines for industries and governments, it does not provide the means to stay secure. Compliance does not equal security. Regulations are best practices that point toward good cyber security hygiene, but implementing them without good processes, people, training, and diligence will leave you susceptible to a breach. Therefore, when reviewing leading regulatory compliance initiatives, consider the following:

  • How they apply to your organization based on laws, sensitive information, contracts, industry, and geography.

  • What compliance overlaps exist between the regulations and what processes can satisfy multiple requirements.

  • Consider adopting the strictest guidelines for your initiatives; the strictest and most comprehensive requirement will ensure coverage for any overlap.

  • Scoping is critical, and applying the rules only to the sensitive systems themselves is often not enough to provide good security. Consider the effort and cost of increasing the scope to mitigate risks from any connected system that could affect the legislatively required scope. This grouping of connected systems is typically referred to as zones.

Therefore, keep in mind that regulatory compliance requirements are the absolute minimum your organization should be doing to protect its assets. If you are not meeting the minimums, or have lapses in the requirements, you are an easy target for a vulnerability or exploit. Table 19-1 summarizes the leading regulatory compliance initiatives and where they explicitly call for vulnerability management or patch management, or reference third-party prior art.

Table 19-1 Regulatory Compliance Requirements for Vulnerability and Patch Management

Columns: Abbreviation; Name; Public Website (URL); Vulnerability Management; Patch Management; Description. Where a regulation lists a single reference, it covers both vulnerability management and patch management.

PCI (Payment Card Industry)
  Public Website (URL): https://www.pcisecuritystandards.org
  Vulnerability Management: PCI DSS Requirement 11.2.2
  Patch Management: PCI DSS Requirement 6.2
  Description: The PCI Security Council maintains, develops, and promotes the Payment Card Industry Security Standards. The council provides the guidance needed for implementation of the standards, such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

HIPAA (Health Insurance Portability and Accountability Act)
  Public Website (URL): https://www.hhs.gov/hipaa/index.html
  Vulnerability Management: Risk Analysis Requirement 45 CFR §164.308(a)(1)(ii)(A)
  Patch Management: Risk Management Requirement 45 CFR §164.308(a)(1)(ii)(B)
  Description: HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

SOX (Sarbanes-Oxley Act)
  Public Website (URL): https://www.congress.gov/bill/107th-congress/house-bill/3763
  Vulnerability and Patch Management: Section 404
  Description: The Sarbanes-Oxley Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures.

GLBA (Gramm-Leach-Bliley Act)
  Public Website (URL): https://www.banking.senate.gov/conf/fintl5.pdf
  Vulnerability and Patch Management: Title V, Subtitle A, Sections 501(a) & (b)
  Description: The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.

NIST* (National Institute of Standards and Technology)
  Public Website (URL): https://nvd.nist.gov/
  Vulnerability Management: RA-5
  Patch Management: SI-2
  Description: NIST is the National Institute of Standards and Technology, a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards.

ISO* (ISO)
  Public Website (URL): https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en
  Vulnerability Management: Section 12.6.1
  Patch Management: Sections 12.5.1 and 12.6.1
  Description: ISO is a worldwide federation of national standards bodies from some 100 countries, with one standards body representing each member country.

ASD (Australian Signals Directorate)
  Public Website (URL): https://www.asd.gov.au/infosec/mitigationstrategies.htm
  Vulnerability and Patch Management: Top 4 - (2) & (3)
  Description: The Australian Signals Directorate is an intelligence agency in the Australian Government Department of Defence.

MAS (Monetary Authority of Singapore)
  Public Website (URL): http://www.mas.gov.sg/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/Technology-Risk.aspx
  Vulnerability Management: Chapters 9.4 & 10.1
  Patch Management: Chapter 9.5
  Description: The Monetary Authority of Singapore is the central bank of Singapore. Its mission is to promote sustained non-inflationary economic growth and a sound and progressive financial center.

SWIFT (SWIFT)
  Public Website (URL): https://www.swift.com/myswift/customer-security-programme-csp/security-controls
  Vulnerability Management: Control 2.7A
  Patch Management: Control 2.2
  Description: SWIFT is a global member-owned cooperative and the world's leading provider of secure financial messaging services.

Act 10173 (Republic of the Philippines, Data Privacy Act of 2012)
  Public Website (URL): https://privacy.gov.ph/implementing-rules-and-regulations-of-republic-act-no-10173-known-as-the-data-privacy-act-of-2012/
  Vulnerability Management: 28.d and 28.f
  Patch Management: 28.d
  Description: The goal of the Philippines Data Privacy Act is to combat the ever-growing threat posed by the theft of personal information by nation-states, terrorist organizations, and independent criminal actors.

NYDFS (New York State Department of Financial Services)
  Public Website (URL): http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
  Vulnerability Management: Sections 500.05 and 500.09
  Patch Management: Section 500.09
  Description: The New York State Department of Financial Services is a department of the New York State government responsible for regulating financial services, including those subject to insurance, banking, and financial services law.

NERC (North American Electric Reliability Corporation)
  Public Website (URL): http://www.nerc.com/Pages/default.aspx
  Vulnerability Management: CIP-010
  Patch Management: CIP-007-5
  Description: The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose mission is to assure the reliability and security of the bulk power system in North America. NERC develops and enforces Reliability Standards; annually assesses seasonal and long-term reliability; monitors the bulk power system through system awareness; and educates, trains, and certifies industry personnel.

FERC (Federal Energy Regulatory Commission)
  Public Website (URL): https://www.ferc.gov
  Vulnerability and Patch Management: FERC references NERC, ISO, and security for ICS implementations. It does not provide unique guidance.
  Description: The Federal Energy Regulatory Commission (FERC) is a United States federal agency that regulates the transmission and wholesale sale of electricity, natural gas, and oil transported between states in the wholesale market.

HITECH (Health Information Technology for Economic and Clinical Health)
  Public Website (URL): https://www.healthit.gov/policy-researchers-implementers/health-it-legislation-and-regulations
  Vulnerability and Patch Management: Technical Safeguards - §164.312 (HIPAA)
  Description: The HITECH Act established the Office of the National Coordinator (ONC) in law and provides the U.S. Department of Health and Human Services with authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.

GDPR (European Union Data Protection Regulation)
  Public Website (URL): https://www.eugdpr.org
  Vulnerability and Patch Management: The GDPR risk assessment infers the requirements for vulnerability and patch management to protect data.
  Description: The EU General Data Protection Regulation (GDPR) supersedes the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.

DFARS (Defense Federal Acquisition Regulation)
  Public Website (URL): http://www.dcaa.mil/home/dfars
  Vulnerability and Patch Management: DFARS is a regulatory vehicle for procurement and references NIST 800-53 and NIST 800-171 as the basis for compliance.
  Description: DFARS provides Department of Defense (DoD) specific acquisition regulations that government acquisition officials, and those contractors doing business with DoD, must follow in the procurement process for goods and services.

ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge)
  Public Website (URL): https://attack.mitre.org/wiki/Main_Page
  Vulnerability and Patch Management: ATT&CK phases, from persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, execution, collection, and exfiltration to command and control, can be mapped to vulnerabilities, exploits, and remediation strategies.
  Description: MITRE's Adversarial Tactics, Techniques, and Common Knowledge is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's life cycle and the platforms they are known to target.

* It is important to note that standards like NIST and ISO are not actually regulatory compliance initiatives but rather regulatory frameworks. Organizations implement them because of contractual requirements or as best practices, and they tend to blur the line between frameworks, regulations, contracts, and legal requirements. For the sake of protecting assets, they are covered in this chapter and detailed further in Chapter 20, Risk Management Frameworks. In addition, NIST and ISO are referenced by, and form the basis for, many other regulations not covered in this book.
