Cybersecurity Policies & Issues
EMCS-602
Spring 2021 (2020-2021)
Focus of This Session
Break
U.S. compliance laws affecting information (FTC and FILs, HIPAA Security Rule, FFIEC, GLBA) contain:
• Full disclosure
• Opt-in/opt-out
• Data privacy
Public interest
• Shareholders: When investors believe a company’s financials and risks are properly managed, they feel they can make informed judgments; this promotes a healthy economy
• The public: The term reflects the idea that an organization has an obligation to the general public beyond its self-interest
• National security: Cyberterrorism threatens not only the company being targeted but also the country’s critical infrastructure
[Figure: business requirements, inventory, security framework, security policies]
▪ There are six control objectives within the PCI DSS standard. To be compliant, you need to include these control objectives in your security policies and controls. These control objectives are:
• Build and maintain a secure network—Refers to having specific firewall, system password, and other network-layer security controls.
• Protect cardholder data—Specifies how cardholder data is stored and protected. Also sets rules on the encryption of the data.
• Maintain a vulnerability management program—Specifies how to maintain secure systems and applications, including the required use of antivirus software.
• Implement strong access control measures—Refers to restricting access to cardholder data on a need-to-know basis. It requires physical controls to be in place and unique individual IDs when accessing cardholder data.
• Regularly monitor and test networks—Requires monitoring access to cardholder data. Also requires periodic penetration testing of the network.
• Maintain an information security policy—Requires that security policies reflect the PCI DSS requirements. Requires that these policies are kept current and that an awareness program is implemented.
Choosing an IT security policy framework depends on:
• Your industry
• Your management view of risk
• Bias within your organization
• PCI DSS (Payment Card Security Standards Council): A security framework for any organization that accepts, stores, or processes credit cards
• CIS Critical Security Controls for Effective Cyber Defense: First developed in 2008 by the SANS Institute, now managed by the Center for Internet Security
FIGURE 7-4 Baseline standards and procedures provide additional branches of the library tree.
[Figure labels: Functional area; Layers of security; Domain]
Baseline Standards
• Specific technology requirements for each device
• Review standards from vendors or organizations
Procedures
• Step-by-step configuration instructions
Guidelines
• Acquisitions (e.g., preferred vendors)
• Guidelines on active content and mobile code
• Employees bring whatever device they may have purchased and can connect, at least to a guest network

Baseline Standards
• Specific technology requirements for perimeter devices
Procedures
• Step-by-step configuration
• Patch management
Guidelines
• DMZ, IDS/IPS, content filtering

Baseline Standards
• VPN gateway options
• VPN client options
• RADIUS server security requirements standard
Procedures
• Step-by-step VPN configuration and debugging
Guidelines
• Description of threats
• Security of remote computing environments, such as working from home
Stay on message
Contact:
Email address:
-----@kau.edu.sa