Module 1: Compliance Frameworks and Industry Standards 


INTRODUCTION – Compliance Frameworks and Industry Standards

In this part, you will learn the basics of compliance frameworks and industry standards and their relevance to cybersecurity. The key areas draw on resources from organizations such as NIST, the AICPA, and CIS, which offer sound guidelines on cybersecurity best practices.

You will also gain insight into the industry standards specific to the health care and payment card industries, strengthening your ability to navigate compliance requirements in those areas.

Learning Outcomes:

  • Define the Center for Internet Security (CIS) Critical Security Controls®: Types of controls and implementation groups.
  • Describe several of the PCI DSS’s most distinguishing requirements.
  • State the goals, scope, and audit process of the Payment Card Industry Data Security Standard (PCI DSS).
  • Explain HIPAA’s Privacy Rule and Security Rule. Define The covered entity, business associate, and protected health information (PHI) in the context of HIPAA.
  • Explain how, in today’s world, organizations located inside and outside the U.S. comply with the Health Insurance Portability and Accountability Act.
  • Summarize the importance of continuous monitoring between cybersecurity compliance audits.
  • Define the criteria used for SOC Audit. Discuss Typical Trust Services Principles used for defining the scope of a SOC 2 report.
  • Differentiate Type 1 from Type 2 SOC report.
  • Compare SOC 1, SOC 2, and SOC 3 reports.
  • Explain the reasons, objectives, and advantages of System and Organizational Controls (SOC) reports.
  • Summarize basic aspects of the International Organization for Standardization (ISO) 27001 standard.
  • Describe requirements for privacy and data protection as contained in the General D.

COMPLIANCE AND REGULATIONS FOR CYBERSECURITY

1. Which of the bad guys are described as “They are ‘in’ an organization but are human and make mistakes”?

  • Malicious Insiders
  • Inadvertent Actor (CORRECT)
  • Employees
  • Outsiders

Correct. Such persons typically end up opening an email, an attachment, or the like, inadvertently.

2. Which is NOT one of the security controls?

  • Testing (CORRECT)
  • Technical
  • Physical
  • Operational

Correct. This is not one of the security control types.

3. What year did the European Union start enforcing GDPR?

  • 2018 (CORRECT)
  • 2017
  • 2016
  • 2014

Correct, the GDPR came into effect in May of 2018.

4. Which three (3) of these obligations are part of the 5 key GDPR obligations?

  • Accountability of Compliance (CORRECT)
  • Security of Public Data
  • Consent (CORRECT)
  • Rights of EU Data Subject (CORRECT)

Partially correct, this is one of 3 key GDPR obligations.

SYSTEM AND ORGANIZATION CONTROLS REPORT (SOC) OVERVIEW

1. Which is the foundational principle that everyone will get during a SOC audit?

  • Privacy
  • Availability
  • Security (CORRECT)
  • Confidentiality

Correct, this is the single foundational principle everyone will get.

INDUSTRY STANDARDS

1. The HIPAA Security Rule requires covered entities to maintain which two (2) reasonable safeguards for protecting e-PHI?

  • Informational
  • Technical (CORRECT)
  • Operational
  • Physical (CORRECT)

Partially correct, this is one of two HIPAA security rule safeguards.

2. HIPAA Administrative safeguards include which two (2) of the following?

  • Security Personnel (CORRECT)
  • Workforce Training and Management (CORRECT)
  • Access Controls
  • Integrity Controls

Partially correct, this is one of the administrative safeguards.

Partially correct, this administrative safeguard is one of them.

3. PCI includes 264 requirements grouped under how many main requirements?

  • 5
  • 10
  • 12 (CORRECT)
  • 20

Correct, PCI includes 12 main requirements.

1. Before online advertising, what type of audience was nearly impossible for small to medium-sized companies to reach?

  • Online advertising (CORRECT)
  • Word-of-mouth advertising
  • Direct mail advertising
  • Billboard advertising

Correct: Whether a brick-and-mortar store or online retailer, online advertising is now a popular method for most businesses’ advertising purposes.

CIS CRITICAL SECURITY CONTROLS

1. If you are a mature organization, which CIS Controls Implementation Group would you use?

  • Implementation Group 3 (CORRECT)
  • Implementation Group 1
  • Do not need a controls implementation group due to maturity of my organization
  • Implementation Group 2

Correct, Implementation Group 3 is for mature organizations.

COMPLIANCE FRAMEWORKS AND INDUSTRY STANDARDS

1. A security attack is defined as which of the following?

  • An event on a system or network detected by a device.
  • An event that has been reviewed by analysts and deemed worthy of deeper investigation.
  • An event that has been identified by correlation and analytics tools as a malicious activity. (CORRECT)
  • All cybersecurity events.

2. Which order does a typical compliance process follow?

  • Readiness assessment, establish scope, testing/auditing, management reporting, gap remediation
  • Establish scope, readiness assessment, testing/auditing, management reporting, gap remediation
  • Readiness assessment, establish scope, gap remediation, testing/auditing, management reporting
  • Establish scope, readiness assessment, gap remediation, testing/auditing, management reporting (CORRECT)

3. Under GDPR, who determines the purpose and means of processing of personal data?

  • Controller (CORRECT)
  • Analyst
  • Processor
  • Data Subject

4. Under the International Organization for Standardization (ISO), which standard focuses on Privacy?

  • ISO 27003
  • ISO 27018 (CORRECT)
  • ISO 27017
  • ISO 27001

5. Which SOC report is closest to an ISO report?

  • Type 1 (CORRECT)
  • Type 2
  • Type 1 and Type 2
  • Type 3

6. What is an auditor looking for when they test the control for implementation over an entire offering with no gaps?

  • Completeness (CORRECT)
  • Accuracy
  • Timeliness
  • Consistency

7. Who is the governing entity for HIPAA?

  • Cyber Security and Infrastructure Security Agency (CISA)
  • Department of Homeland Security
  • US Department of Health and Human Services Office of Civil Rights (CORRECT)
  • US Legislature

8. One PCI Requirement is using an approved scanning vendor to scan at what frequency?

  • Weekly
  • Monthly
  • Quarterly (CORRECT)
  • Annually

9. In which CIS control category will you find Incident Response and Management?

  • Advanced
  • Basic
  • Organizational (CORRECT)
  • Foundational

CONCLUSION – Compliance Frameworks and Industry Standards

In a nutshell, the emphasis of this module lies on understanding compliance frameworks and industry standards in cybersecurity.

By studying resources from NIST, the American Institute of CPAs, and the Center for Internet Security, as well as industry standards for healthcare and payment cards, you now hold the critical knowledge needed to navigate cybersecurity compliance and contribute to the protection of digital systems and data.
