14 Domains of ISO 27001: Cybersecurity Career Launcher


SOC Experts

Cybersecurity Career Launcher

Assignment Day - 16
Name – Deepak C K
Assignment – 1

ISO 27001

It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.

ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.

14 Domains of ISO 27001

There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:

1. A.5. Information security policies: The controls in this section describe how to handle information security policies.

2. A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.

3. A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.

4. A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.

5. A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.

6. A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.

7. A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.

8. A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and precautions to prevent audit activities from affecting operations.

9. A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.

10. A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.

11. A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.

12. A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.

13. A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.

14. A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.

CONTROLS OF ISO 27001

The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.

There are 114 ISO 27001 information security controls listed in the current 2013 revision of the standard (compared to 133 from the previous 2005 revision of the standard). Here is a breakdown of what type of controls are included:

• Controls related to organizational issues: 24
• Controls related to human resources: 6
• IT-related controls: 61
• Controls related to physical security: 15
• Controls related to legal issues: 8

IMPLEMENT ISO 27001 CONTROLS

• Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc.

• Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc.

• Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.

• Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.

• Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.

GDPR - General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

• Requiring the consent of subjects for data processing
• Anonymizing collected data to protect privacy
• Providing data breach notifications
• Safely handling the transfer of data across borders
• Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA compliance. Other entities, such as subcontractors and any other related business associates, must also be in compliance.

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include:

• Limited facility access and control with authorized access in place
• Policies about use and access to workstations and electronic media
• Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only authorized personnel to access ePHI. Access control includes:

• Using unique user IDs, emergency access procedures, automatic log off, and encryption and decryption
• Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is network, or transmission, security, which ensures HIPAA-compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

PCI DSS

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

The Payment Card Industry Data Security Standard (PCI DSS) is contractually required for those handling cardholder data, whether you are a start-up or a global enterprise. Your business must always be compliant, and your compliance must be validated annually. It is generally mandated by credit card companies and discussed in credit card network agreements.

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. PCI standards for compliance are developed and managed by the PCI Security Standards Council.

The 12 requirements of PCI DSS are:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

CCPA

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.

The intentions of the Act are to provide California residents with the right to:

1. Know what personal data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Say no to the sale of personal data.
4. Access their personal data.
5. Request a business to delete any personal information about a consumer collected from that consumer.
6. Not be discriminated against for exercising their privacy rights.

The following sanctions and remedies can be imposed:

1. Companies, activists, associations, and others can be authorized to exercise opt-out rights on behalf of California residents.
2. Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 and $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General's Office to prosecute the company instead of allowing civil suits to be brought against it.
3. A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
4. Privacy notices must be accessible and have alternative format access clearly called out.
5. Liability may also apply in respect of businesses in overseas countries who ship items into California.

Security GRC Analyst

The Security Governance, Risk and Compliance (GRC) Analyst will focus on facilitating the review, development, implementation, and documentation of EIS security policies, procedures, processes, programs and practices to guide the organization towards continuous compliance with ISO 27001, DFARS/NIST 800-171, and GDPR framework guidelines. The analyst will work with the overall Enterprise Information Security team and internal business units to understand our security, disaster recovery, and continuity posture for both third parties and NetApp IT. Duties include collecting supporting evidence, identifying gaps in expectations/capabilities, and drafting externally facing responses.

Duties and Responsibilities

• Identifies security and continuity risks with the third-party relationships and escalates as appropriate to business and risk stakeholders.
• Develops process documentation for completing third-party reviews and assessments.
• Leverages third-party scanning software to assist in the review of third parties.
• Defines and delivers appropriate EIS GRC metrics, analytics, and scorecards.
• Collaborates with the internal business units to provide evidence and/or information for internal and external audits.

Infosec Analyst

Information security analysts install software, such as firewalls, to protect computer networks. Information security analysts plan and carry out security measures to protect an organization's computer networks and systems. Their responsibilities are continually expanding as the number of cyberattacks increases.

Duties and Responsibilities

• Access and authentication
• Data security (Encryption/AWS/Azure KMS)
• Secure SDLC
• Cloud Infrastructure Operations
• Vulnerability Management
• Network Security
• Incident Response
• In-depth knowledge of the OWASP Top 10 for Web/API/Mobile and the SANS Top 25 vulnerabilities
