Documentation

Laws are passed by the legislative branch and are mandatory under penalty of specified by that law. In the United States, laws are passed by Congress and signed by the President. Examples of computer security and privacy laws in the U.S. include:

1. The 1984 Computer Fraud and Abuse Act;
2. The Privacy Act of 1984;
3. Electronic Communications Privacy Act of (ECPA)1986;
4. Computer Security Act of 1987;
5. The Government Performance and Results Act (GPRA) of 1993;
6. The Paperwork Reduction Act (PRA) of 1995;
7. The Health Information Portability and Accountability Act (HIPAA) of 1996;
8. The Federal Financial Management Improvement Act (FFMIA) of 1996;
9. The Government Information Security Reform Act (GISRA) of 2000;
10. The Federal Information Security Management Act (FISMA), passed as The E-Government Act of 2002; and
11. The Health Information Technology for Economic and Clinical Health Act (HITECH) –commenced a breach notification requirement for organizations to report breaches of PHI to individuals with compromised information.

Please also note that in the United States, the individual states may also have additional laws related to computer security and individual’s privacy.

As laws are passed by legislative bodies (like Congress in the United States) a regulation is a rule passed by the executive branch of a government (in the United States, the executive branch is headed by the president). Regulations, directly mandated by laws, are mandatory and violations of regulations are considered to be a breach of law. To comply with regulations, organizations can use standards and frameworks to comply with laws regulations. Two laws of note include the European Union General Data Protection Regulation, and the California Consumer Privacy Act.

General Data Protection Regulation (GDPR): Most notable of regulations is the European Union General Data Protection Regulation (GDPR) which mandates the protection of European Union Citizen privacy. GDPR Such legal mandates include:

1. Lawfulness, fairness and transparency—Obtain the information legally, leave the individual fully informed of information collected and how its used.
2. Purpose limitation—Information can only be used for its stated purpose.
3. Data minimization—Collect the minimum data required.
4. Accuracy—Store accurate up-to-date information.
5. Storage limitations—Retain data for the necessary time and no longer.
6. Integrity and confidentiality—Keep it secure.

To provide accountability, proof of compliance, and adherences to polices, GDPR further requires organizations that protect the privacy of personally identifiable information and provides for accountability that organizations prove compliance and adherence to their own policies. Lastly GDPR requires organizations to report potential personal privacy breaches within 72 hours of discovery of discovery of the breach.

In the United States, some states have passed laws to protect privacy, which have led to state-based regulations. One such important law is the California Consumer Protection Act.

The California Consumer Privacy Act: A regulation that applies to companies who do business in the U.S.:

• The California Consumer Privacy Act – even though California law only applies in California, the California Consumer Privacy Act passed in 2018 has a profound impact on privacy, because any business that conduct business in California must comply with this state law. Given California’s size, this has a profound impact on any business conduct business nationally in the U.S. or internationally must comply with this regulation.

Standards are developed by national or international organizations to provide a baseline for how to do something. Examples of standards organizations include:

1. The International Standards Organization (ISO).
2. The American National Standards Institute (ANSI).
3. The Institute for Electrical and Electronics Engineering (IEEE).

Individually, NIST special publications may be considered as standards, but the combined documents provide for the NIST Risk Management Framework, discussed below.

Standards bodies are typically composed of industry subject matter experts (SME) who determine the best or standard or method of accomplishing something. Sometimes standards can be confirmed through certifications, discussed later.

International Standards Organization (ISO): With regard to cyber-security, one well known and well-respected set of standards are the ISO 27000 series of standards. Highlights amongst the many ISO 27000-series standards include the following documents:

1. ISO 27001: Addresses information security organizational requirements.
2. ISO 27002: Addresses information security best practices described as either policies, standards, procedures and guidelines, the who, what, how, how-to and recommended practices) for an organization’s information security program.
3. ISO 27005: Addresses information security risk management.

Payment Card Industry Data Security Standards (PCIDSS): One certification sought by organizations who accept, process or sponsor credit cards is the payment card industry data security standard (PCI-DSS). PCI-DSS was created by a consortium of the four major credit card companies (Visa, Mastercard, American Express and Discover) to develop and specify a set of best practices (standards really) to reduce credit card fraud and identity theft. Specifically, PCIDSS is a whole set of practices, that is, an information security code of practice for all organizations who deal with credit cards to protect valuable cardholder information. Such information includes:

1. Name.
2. Social security number.
3. Credit card number.

Organizations will usually choose to attain PCI-DSS certification so that either organizations dealing with credit cards can be recognized as being secure and pay lower fees for credit card transactions.

Individually standards provide guidance on how to implement a single aspect of information security such as disaster recovery, or security controls. Standards altogether combined provide for a framework, that is. For example, the ISO 27000 series of standards constitute a framework.

National Institute for Standards and Technology (NIST) Risk Management Framework (RMF): One U.S. standards-based federal agency is the National Institute for Standards and Technology (NIST). NIST creates standards for cyber-security operations for federal agencies. Like the ISO-series documents, NIST documents individually may be considered standards, but in total these combined standards form a framework known as the NIST Risk Management Framework (RMF). Whereas adherence to the NIST RMF is mandated by FISMA (remember FISMA above?), non-U.S. government organizations are not required to adhere to these standards. Nonetheless, such organizations may choose to adhere to the NIST RMF because of the completeness, comprehensiveness and their free and publicly available publications. Within the NIST RMF, NIST has published dozens of documents to help organizations understand and attain compliance with the NIST RMF. Such Publications include: NIST Federal Information Processing Standards (FIPS) documents and NIST Special Publications (SPs). Charged by law with responsibility for information security standards, NIST develops standards and practices to improve performance and metrics, tests, and various other means to support U.S. agencies' missions. NIST Issues special publications (SPs), federal information processing standards (FIPS), Information Technology Laboratory (ITL) Bulletins, NIST Interagency or Internal Report (NISTIRs) and other guidance. What are these publications?

FIPS Documents: Fips documents are published to support the FISMA, list requirements for U.S. federal agencies for information security compliance. As they are documents that support the FISMA law, U.S. federal agencies are legally obliged to comply with the requirements stated in FIPS documents. Two important FIPS documents are:

1. FIPS 199: Standard for Categorization of Federal Information Systems – in brief, the requirement for federal agencies to identify the level of risk or “categorization” of risk. FIPS 199 defines three impact levels (high, moderate and low) for the three information security objectives (confidentiality, integrity, availability).
2. FIPS 200: Standard for Minimum Security Requirements For Federal Information And Information Systems – Defines 17 (an 18th was added later) security-related areas or “families” that include management, operational and technical controls to mitigate the risk categories identified in FIPS 199.

NIST SPs: NIST Special Publications document a variety of standards to create an overall security framework called the NIST Risk Management Framework (RMF). NISP special publications are not mandated by law, but rather are standards for creating the NIST RMF. Some import NIST RMF documents include:

1. NIST SP 800-18 – Guide for Developing Security Plans for Information Technology Systems.
2. NIST SP 800-30 – Guide for Conducting Risk Assessments.
3. NIST SP 800-37r2 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
4. NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View.
5. NIST SP 800-53r4 – Security and Privacy Controls for Federal Information Systems and Organizations.
6. NIST SP 800-53Ar4 – Guide for Assessing the Security Controls in Federal Information Systems.
7. NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories.
8. NIST SP 800-137 – Information security Continuous Monitoring (CM) for Federal Information Systems and Organizations.

There are literally dozens of other NIST special publications that in total provide guidance to comply with the NIST RMF.

Which Standards or Frameworks Should an Organization Attain? For U.S. federal agencies, FISMA mandates the implementation of the NIST RMF. For other organizations, they can choose to implement a security program based on the ISO 27000 series, the NIST RMF or even both. There are even documents that map the ISO 27001 series framework to the NIST RMF.

Certifications confirm that organizations have attained or met a given law, regulation, standard or framework. Laws have specific legal requirements and mandate practices for organizations to follow. Certifications include HIPAA/HITECH compliance, PCI-DSS compliance, adherence to ISO 27001 requirements, NIST RMF requirements and Service Organization Control (SOC) compliance.

PCI-DSS Compliance: PCI-DSS ensures that merchants and service providers, software developers manufacturers adhere to certain practices to ensure that credit card holder information (CHI) is protected. The PCI Security Standards websites states the requirements for merchants:

Service Organization Control (SOC):

Service Organization Control (SOC) is a certification created by the American Institute of Certified Public Accountants (AICPA) to identify and distinguish certain online service providers who provide certain levels of service. SOC is actually a certification and only Certified Public Accountants can certify organizations for this certification. There are three levels of SOC certification:

1. SOC1: Reports that evaluate a service provider’s controls provide internal financial reporting controls. A SOC 1 report can assure that organizations protect their financial reporting processes. SOC1 reports can have type SOC 1 or type 2 reports explained shortly.
2. SOC2: Assures that service organizations provide operational controls to protect (a) security, (b) availability, (c) process integrity, (d) confidentiality, and (e) privacy. SOC2 reports can have type 1 or type 2 SOC reports.
3. SOC3: Focuses on the Trust Service Principles (TSPs) and informs customers about processes that affect the same five principles as a SOC 2 report, except SOC3 does not publish test results to the public. SOC3 reports are more open and can be distributed to the public.

SOC1 and SOC2 reports can come in the form of a type 1 or type 2 report:

1. Type 1 Reports: The auditor (a CPA firm) reports information given by the service organization management regarding (a) whether the organization's system description accurately their system (described properly); and (b) whether the controls related to the control objectives stated by management suitably achieve those control objectives (deployed properly).
2. Type II Reports: The auditor reports on the information provided by management of the service organization regarding (a) whether description of its system accurately presents whether the system was designed and implemented throughout (described properly); and (b) whether the controls related to the control objectives suitably designed throughout the specified (designed properly); and (c) whether the controls (deployed effectively) throughout the specified period to achieve those control objectives.

SOC Certification: Typically an independent auditor who is certified to provide such certifications will review an organization’s security program (that is their information security code of practice which includes security policies, standards, procedures and guidelines) to ensure the organization’s designed practices will protect the organization’s assets. Furthermore, the auditor will review the organization’s practices to make sure that the actual practices adhere to the code of practice.

Ok, now that we’ve discussed laws, regulations, standards, frameworks and certifications what are audits and what are assessments?

Audits: An audit is an independent review performed by a qualified objective third party to determine whether an organization meets a given law, regulation, standard or firewall. Auditors should not ever be involved in the implementation within the audited organization, because that would represent a conflict of interest.

Assessments: Assessments are similar to audits in that they are performed independently by those who are not involved in the implementation or maintenance of the system being assessed. Assessments, however, do not evaluate a system or an organization’s performance against a given law, regulation, standard or firewall. On the other hand, assessments provide the independent reviewers opinion of an organization’s performance.

Audits and assessments can be performed by individuals employed by the organization or more like individuals or groups not employed by the organization. The important component for all audits and assessments is the aspect of independence, that is, the individual or group performing the audit or assessment cannot have been involved in the implementation or the operations/maintenance of the system being assessed or audited.