<a href="https://colab.research.google.com/github/haikalbaik/GRC-Notes/blob/main/GRC_Notes.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Cybersecurity Frameworks

### NIST Cybersecurity Framework

The Framework Core of NIST CSF 1.1 groups security outcomes into five Functions:
- IDENTIFY
- PROTECT
- DETECT
- RESPOND
- RECOVER

CSF 2.0 (February 2024) adds a sixth, cross-cutting Function, GOVERN (risk strategy, roles, policy, supply-chain risk), and drops the "critical infrastructure" scoping so the framework applies to any organization.

### 18 CIS Controls

The CIS (Center for Internet Security) Critical Security Controls are a prioritized set of safeguards for defending against the most common attacks. Version 8 (2021, revised as v8.1 in 2024) consolidated the earlier 20 controls into 18, organized by activity rather than by who manages a device, and grouped its 153 safeguards into three Implementation Groups: IG1 is the "essential cyber hygiene" baseline every enterprise should meet, while IG2 and IG3 add safeguards for organizations with more sensitive data and more capable adversaries. The 18 controls in v8 are:

1. **Inventory and Control of Enterprise Assets:**
   - Actively manage (inventory, track, correct) all enterprise assets: end-user devices, network devices, IoT devices and servers, whether on premises, remote or in the cloud.
   - Use active and passive discovery (including DHCP logging) to find unknown assets, and address unauthorized ones by removing, quarantining or adding them to the inventory.

2. **Inventory and Control of Software Assets:**
   - Maintain an inventory of all installed software, including version and support status, and remove or document unsupported software.
   - Ensure only authorized software can be installed and executed, for example with application allowlisting.

3. **Data Protection:**
   - Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data.
   - Encrypt sensitive data at rest and in transit, restrict access to it and log that access.

4. **Secure Configuration of Enterprise Assets and Software:**
   - Establish and maintain hardened configurations for operating systems, applications and network devices (e.g., the CIS Benchmarks).
   - Remove or disable unnecessary services, accounts and default credentials, and enforce session locking and host firewalls.

5. **Account Management:**
   - Maintain an inventory of all user, administrator and service accounts and disable dormant ones.
   - Use unique passwords and dedicated administrator accounts that are not used for day-to-day work.

6. **Access Control Management:**
   - Grant, revoke and periodically review access following least privilege, with a defined onboarding and offboarding process.
   - Require MFA for externally exposed applications, remote access and all administrative access; centralize access control where possible.

7. **Continuous Vulnerability Management:**
   - Continuously assess and track vulnerabilities on all enterprise assets with automated, authenticated scans and a documented remediation process.
   - Automate operating system and application patching and prioritize remediation by risk, not only by CVSS score.

8. **Audit Log Management:**
   - Collect, alert on, review and retain audit logs of events that could help detect, understand or recover from an attack.
   - Centralize log collection, synchronize time sources and retain logs for at least 90 days.

9. **Email and Web Browser Protections:**
   - Use only supported browsers and email clients, filter DNS, block unnecessary file types and deploy SPF, DKIM and DMARC.
   - Train users to recognize and report phishing and suspicious links.

10. **Malware Defenses:**
    - Deploy and centrally manage anti-malware software on all enterprise assets, with automatic signature updates.
    - Disable autorun and autoplay for removable media and enable behavior-based anti-exploitation features.

11. **Data Recovery:**
    - Establish automated backups of in-scope data that are protected (encrypted, access-controlled) and, for at least one copy, isolated from the network.
    - Test recovery regularly so assets can be restored to a pre-incident, trusted state.

12. **Network Infrastructure Management:**
    - Keep network infrastructure (firewalls, routers, switches, wireless) up to date and managed through a secure, documented architecture.
    - Use a secure network management channel and dedicated, hardened devices for administrative work.

13. **Network Monitoring and Defense:**
    - Centralize security event alerting, deploy host- and network-based intrusion detection or prevention, and filter traffic between network segments.
    - Collect network traffic flow logs and manage access control for remote assets.

14. **Security Awareness and Skills Training:**
    - Run a security awareness program covering social engineering, credential handling, data handling and recognizing and reporting incidents.
    - Provide role-specific training (e.g., secure coding for developers).

15. **Service Provider Management:**
    - Inventory and classify service providers that hold sensitive data or run critical platforms, and set security requirements in contracts.
    - Assess and monitor providers, and securely decommission them at the end of the relationship.

16. **Application Software Security:**
    - Manage the security lifecycle of in-house developed, hosted or acquired software: secure development practices, root-cause analysis of vulnerabilities and threat modeling.
    - Track third-party components, use vetted libraries and perform application penetration tests.

17. **Incident Response Management:**
    - Establish a program (plans, roles, contacts, communication) to prepare for, detect and respond to incidents.
    - Conduct routine exercises and post-incident reviews.

18. **Penetration Testing:**
    - Test the effectiveness and resilience of enterprise assets by simulating an attacker's actions, externally and internally.
    - Remediate findings and validate security measures after each test.

These 18 controls give organizations a prioritized roadmap for improving their security posture. Starting with the IG1 safeguards and measuring coverage against them is the intended way to begin, rather than trying to implement all 153 safeguards at once.
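Added worked example (not code from the original notes): reconciling an authorized asset inventory against what is actually on the network, which is what the safeguards under Control 1 (discover assets, address unauthorized ones) amount to in practice. The inventory and the `arp -a` output below are constructed sample data; the MAC normalization is there because inventories and tools disagree on case and separators, and an ARP table only covers the scanner's own segment, so a real run would merge DHCP leases and switch tables as well.

```python
"""Reconcile an authorized asset inventory against devices observed on the
network. Added illustration for CIS Control 1; the inventory and the
`arp -a` output below are constructed sample data, not real hosts."""
import re

# Constructed CMDB-style inventory: MAC -> asset record.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "fs01", "owner": "infra"},
    "AA-BB-CC-00-00-02": {"host": "ws-alice", "owner": "alice"},   # different MAC format on purpose
    "aa:bb:cc:00:00:03": {"host": "printer-2", "owner": "facilities"},
}

# Constructed `arp -a` output (Linux/BSD style) captured on a scanner host.
SAMPLE_ARP = """\
? (10.0.1.5) at AA:BB:CC:00:00:01 [ether] on eth0
? (10.0.1.9) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.1.77) at de:ad:be:ef:13:37 [ether] on eth0
? (10.0.1.200) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so that 'AA-BB-..' and
    'aa:bb:..' compare equal across tools and inventories."""
    return ":".join(re.split(r"[:-]", mac.strip().lower()))


def parse_arp(output: str) -> dict:
    """Return {mac: ip} for resolved entries; '<incomplete>' rows carry no MAC and are skipped."""
    observed = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            observed[normalize_mac(m["mac"])] = m["ip"]
    return observed


def reconcile(inventory: dict, observed: dict) -> dict:
    """Split devices into matched (authorized and seen), unauthorized (seen but
    not in inventory) and missing (in inventory but not seen this scan)."""
    inv = {normalize_mac(mac): rec for mac, rec in inventory.items()}
    return {
        "matched": sorted(mac for mac in inv if mac in observed),
        "unauthorized": {mac: ip for mac, ip in observed.items() if mac not in inv},
        "missing": {mac: rec for mac, rec in inv.items() if mac not in observed},
    }


def report(inventory: dict = INVENTORY, arp_output: str = SAMPLE_ARP) -> dict:
    """Run the reconciliation, print a short summary and return the result."""
    result = reconcile(inventory, parse_arp(arp_output))
    for mac, ip in result["unauthorized"].items():
        print(f"UNAUTHORIZED {mac} at {ip}: quarantine or add to inventory")
    for mac, rec in result["missing"].items():
        print(f"MISSING      {mac} ({rec['host']}): not seen this scan, verify or retire")
    print(f"{len(result['matched'])} authorized devices seen")
    return result


if __name__ == "__main__":
    report()
```

The two lists the script produces map directly onto the Control 1 safeguards: "unauthorized" entries need a quarantine-or-enroll decision, and "missing" entries are either stale inventory (retire them) or devices that were simply off during the scan (the reason a single snapshot is never authoritative).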
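Added example of Control 8 (audit log management) working together with Controls 5 and 6 (account and access control); this is not code from the original notes. It runs a minimal detection over sshd authentication log lines: it flags a source address once it exceeds a failure threshold inside a sliding window and, more importantly, a successful login that follows such a burst. The log lines are constructed, and the threshold, window and assumed year are parameters of this example, not values any standard prescribes.

```python
"""Brute-force and success-after-failures detection over sshd log lines.
Added illustration for CIS Control 8; the log lines are constructed, not real."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-format sshd lines. 203.0.113.7 sprays passwords and then
# gets in as 'deploy'; 198.51.100.4 is a user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 09:30:00 bastion sshd[2100]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  3 10:01:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:10 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:18 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:26 bastion sshd[2214]: Failed password for deploy from 203.0.113.7 port 51125 ssh2
Mar  3 10:01:34 bastion sshd[2215]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
Mar  3 10:01:45 bastion sshd[2216]: Accepted password for deploy from 203.0.113.7 port 51127 ssh2
Mar  3 10:02:00 bastion sshd[2216]: pam_unix(sshd:session): session opened for user deploy
Mar  3 10:05:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:05:07 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ASSUMED_YEAR = 2024  # classic syslog timestamps carry no year (assumption for the sample)


def parse_line(line: str):
    """Return {ts, outcome, user, ip} for an auth event, or None for other sshd noise."""
    m = SSHD.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the padded day ("Mar  3")
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 5, window_s: int = 300) -> list:
    """Flag an IP once it reaches `threshold` failures inside a sliding window of
    `window_s` seconds, and flag any successful login from an IP that still has
    that many recent failures (the event that actually needs a response)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()               # IPs already alerted on for the current burst
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if not q:
            flagged.discard(ev["ip"])   # burst is over; a new one may alert again
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])   # alert once per burst, not on every extra attempt
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "count": len(q), "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design points matter here: the 09:30 failure from the same source is dropped because it falls outside the window, so the count reflects the burst and not the day's history, and alice's single typo followed by a successful login produces nothing, which is the false-positive case a threshold exists to avoid.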

### ISO27001

### SOC2
SOC (System and Organization Controls) reports are governed by the AICPA. General advantages:
- Easier due diligence for customers and prospects
- One audit report serving many customers instead of answering each one's questionnaire
- Evidence of corporate governance over the controls in scope

SOC key terminology:
- Attestation: the service auditor (a CPA firm) issues an opinion on management's description of the system and its controls
- Independence: the auditor must be independent of the organization it reports on
- Trust Services Categories and corresponding criteria: the AICPA criteria that the controls are mapped to
- Controls: the policies, procedures and technical measures management designs to meet the criteria
- Service auditor tests: inquiry, observation, inspection and re-performance used to test each control
- Exceptions: instances where a tested control did not operate as described
- Sample testing: controls that operate frequently are tested on a sample of occurrences, not every one
- Completeness and accuracy: the auditor must be satisfied that the population a sample is drawn from (e.g., the list of all terminated users) is complete and accurate
- Vendor vs. subservice organization: a subservice organization performs controls that the service organization's own controls depend on (e.g., a cloud provider's physical security) and is either carved out of or included in the report; an ordinary vendor is not
- CUEC and CSOC: Complementary User Entity Controls (what the customer must do for a control to be effective, e.g., deprovision its own users) and Complementary Subservice Organization Controls (what the subservice organization must do)

SOC report types:
- SOC 1 [Type 1][Type 2]: controls relevant to the user entities' internal control over financial reporting
- SOC 2 [Type 1][Type 2]: controls relevant to the Trust Services Categories (security plus any others in scope); a restricted-use report
- SOC 3: a general-use summary of the SOC 2 opinion, without the detailed control tests, that can be published as marketing material
- SOC 2+: a SOC 2 examination extended with criteria from another framework (e.g., HITRUST or ISO 27001 mappings)

**Type 1 reports on the design of controls at a particular point in time**

**Type 2 reports on the design and operating effectiveness of controls over a period of time (typically 6 to 12 months)**

Trust Services Categories:
- Security (the common criteria; in scope for every SOC 2)
- Availability
- Confidentiality
- Processing Integrity
- Privacy

# Regulations and Compliance Standards

### HIPAA

Key Points about HIPAA

1. **Protected Health Information (PHI):**
   - PHI includes any individually identifiable health information, such as medical records, billing information, and patient demographics.
   - It covers information in electronic, paper, or oral formats, ensuring comprehensive protection.

2. **Privacy Rule:**
   - HIPAA's Privacy Rule sets standards for the use and disclosure of PHI by covered entities (healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses).
   - Patients have the right to access their PHI, request amendments, and receive an accounting of disclosures.

3. **Security Rule:**
   - The Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards to protect electronic PHI (ePHI).
   - It requires a documented risk analysis, security policies and access controls; some specifications, such as encryption of ePHI, are "addressable", meaning the entity must implement them or document why an equivalent alternative is reasonable and appropriate.

4. **Breach Notification Rule:**
   - Covered entities must notify affected individuals of breaches of unsecured PHI without unreasonable delay and no later than 60 days after discovery, notify the U.S. Department of Health and Human Services (HHS), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
   - PHI that is encrypted in line with HHS guidance counts as "secured", so losing an encrypted device with the key intact is generally not a reportable breach; this is the main practical incentive to encrypt.

5. **Minimum Necessary Standard:**
   - Covered entities must limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
   - This helps protect patient privacy and confidentiality.

6. **Business Associates:**
   - Business associates (e.g., contractors, vendors) must also comply with HIPAA if they handle PHI on behalf of covered entities.
   - Business associate agreements are essential to ensure compliance.

7. **Patient Rights:**
   - HIPAA grants patients rights over their health information, including the right to access, amend, and request restrictions on their PHI.
   - Patients can also file complaints if they believe their rights have been violated.

8. **Penalties for Non-Compliance:**
   - Non-compliance with HIPAA can result in significant civil penalties, and knowing misuse of PHI can lead to criminal charges.
   - The civil penalty tiers were set at $100 to $50,000 per violation with a $1.5 million annual cap per provision violated; HHS adjusts these amounts for inflation every year, so the current figures are higher.

9. **State Laws and HIPAA:**
   - State laws can provide additional protections for health information, but they must not weaken HIPAA's minimum standards.
   - Where state laws are more stringent, they take precedence.

10. **HIPAA and Research:**
    - Researchers working with PHI must adhere to HIPAA regulations.
    - Special considerations exist for de-identifying PHI or obtaining patient consent for research purposes.

11. **HIPAA and Telehealth:**
    - During the COVID-19 public health emergency, HHS exercised enforcement discretion so that providers could use non-public-facing consumer video tools for telehealth; that discretion ended on May 11, 2023, with a transition period to August 9, 2023.
    - Telehealth providers now need HIPAA-compliant platforms with business associate agreements in place and must secure patient information appropriately.

12. **HIPAA and Personal Health Apps:**
    - Many personal health apps fall outside of HIPAA's scope because they are not covered entities or business associates.
    - Users should be cautious about sharing sensitive health information on such platforms.
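Added worked example for the de-identification point under "HIPAA and Research"; this is not code from the original notes. It applies the Safe Harbor method to one structured record: direct identifiers are dropped, dates tied to the individual are reduced to the year, ages over 89 collapse into "90+" (with the birth year removed too, since it would reveal the age), and ZIP codes are truncated to three digits or replaced with 000 in sparsely populated areas. The record and field names are this example's own, the sparse-ZIP list is the one from HHS guidance based on the 2000 Census and should be verified against current census data, and the free-text scrubbing is deliberately limited to formatted identifiers.

```python
"""HIPAA Safe Harbor de-identification applied to a structured record.
Added illustration, not from the original notes; the record is constructed
and the field names (dob, zip, mrn, notes, ...) are this example's own."""
import re
from datetime import date

# Three-digit ZIP areas that HHS guidance (2000 Census) lists as containing
# 20,000 or fewer people; Safe Harbor requires these to become 000.
# Assumption: still the list to use; verify against current census data.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier fields removed outright (names, contact details, SSN, medical
# record and account numbers, device/vehicle IDs, URLs, IPs, biometrics, photos).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_id", "account_no", "license_no", "vehicle_id",
                      "device_id", "url", "ip", "biometric", "photo"}
EVENT_DATES = ("admission_date", "discharge_date", "death_date")

# Patterns for the obvious identifiers inside free text. This catches only
# formatted values; names and narrative details still need manual or NLP review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def generalize_zip(zip_code) -> str:
    """Keep the first three digits, or 000 for sparsely populated areas."""
    zip3 = re.sub(r"\D", "", zip_code or "")[:3]
    return "000" if len(zip3) < 3 or zip3 in SPARSE_ZIP3 else zip3


def scrub_free_text(text: str) -> str:
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def _age_on(dob: date, ref: date) -> int:
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor(record: dict, reference: str = None) -> dict:
    """Return a de-identified copy of `record`. `reference` (ISO date) is the
    date the age is computed at, e.g. the encounter date; defaults to today."""
    ref = date.fromisoformat(reference) if reference else date.today()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        dob = date.fromisoformat(out.pop("dob"))
        age = _age_on(dob, ref)
        if age > 89:
            out["age"] = "90+"            # no birth year either: it would reveal age > 89
        else:
            out["age"] = age
            out["birth_year"] = dob.year  # the year alone is permitted
    for field in EVENT_DATES:             # dates tied to the individual: year only
        if field in out:
            out[field.replace("_date", "_year")] = date.fromisoformat(out.pop(field)).year
    if "notes" in out:
        out["notes"] = scrub_free_text(out["notes"])
    return out


SAMPLE_RECORD = {   # constructed, not a real patient
    "name": "Jane Q. Public", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "email": "jane@example.com", "dob": "1931-05-20", "zip": "03601",
    "admission_date": "2024-02-14", "diagnosis": "I10",
    "notes": "Call daughter at 603-555-0142; pt email jane@example.com",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD, reference="2024-02-14"))
```

Safe Harbor is mechanical, which is why it is used in code like this; the alternative, Expert Determination, requires a qualified expert to document that re-identification risk is very small and is the route to take when the research needs full dates or fine-grained geography.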

### Sarbanes-Oxley

The Sarbanes-Oxley Act (SOX) has significant implications for the field of Information Technology (IT) because it mandates certain IT-related controls and practices to ensure the accuracy and reliability of financial reporting. Here's how SOX relates to IT:

1. **Internal Controls Over Financial Reporting (ICFR):**
   - SOX Section 404 requires companies to establish and maintain effective ICFR. IT systems play a critical role in financial reporting, making IT controls a fundamental component of compliance.
   - IT departments are responsible for implementing controls related to data accuracy, security, and the integrity of financial systems and records.

2. **Data Security and Access Controls:**
   - SOX emphasizes the need for data security and access controls to protect sensitive financial information.
   - IT teams must implement measures such as user authentication, authorization, encryption, and audit trails to safeguard financial data from unauthorized access or tampering.

3. **Data Retention and Preservation:**
   - SOX Section 802 makes it a crime to destroy, alter or falsify records to obstruct a federal investigation and requires auditors to retain audit work papers for a set period (seven years under the SEC's implementing rule).
   - IT professionals are responsible for establishing and maintaining data retention policies and ensuring that data can be preserved and retrieved when needed for audits or investigations.

4. **Electronic Records and Signatures:**
   - The legal validity of electronic records and signatures comes from the earlier E-SIGN Act of 2000, not from SOX itself; what SOX adds, through the Section 302/906 officer certifications and Section 802, is the expectation that the electronic records behind financial statements are authentic and tamper-evident.
   - IT teams are therefore responsible for the technologies that ensure the integrity of electronic records and approvals: immutable audit trails, access-controlled document systems and verifiable approval workflows.

5. **Change Management and Documentation:**
   - IT change management processes are crucial to SOX compliance. Changes to IT systems, including software updates and configurations, must be documented and controlled to prevent unintended consequences on financial systems.
   - IT documentation practices are essential to trace any changes that may impact financial reporting.

6. **Auditing and Monitoring:**
   - SOX requires ongoing auditing and monitoring of financial systems and controls to identify and address weaknesses or discrepancies.
   - IT plays a significant role in establishing monitoring mechanisms, generating audit logs, and conducting periodic reviews.

7. **IT Governance and Oversight:**
   - SOX emphasizes the importance of corporate governance, including oversight by boards of directors and audit committees.
   - IT governance practices, including IT strategy alignment with business objectives and risk management, are essential components of ensuring effective control environments.

8. **Third-Party Service Providers:**
   - Many companies rely on third-party IT service providers or cloud services for critical IT functions.
   - SOX requires companies to assess the controls and security practices of these providers to ensure they do not compromise financial data.

9. **Whistleblower Channels:**
   - SOX Section 301 requires audit committees to establish procedures for the confidential, anonymous submission of employee concerns about accounting or auditing matters, and Section 806 protects employees who report fraud from retaliation.
   - IT departments may be responsible for maintaining and securing these reporting systems so that submitter anonymity is preserved.

10. **Training and Awareness:**
    - SOX compliance often requires training and awareness programs for employees, including IT staff, to ensure they understand their responsibilities in maintaining compliance.

The Sarbanes-Oxley Act has a direct impact on IT because it necessitates strong controls, security measures, and governance practices within the IT environment. IT professionals must work collaboratively with financial and compliance teams to ensure that IT systems and practices align with SOX requirements to maintain accurate financial reporting and prevent fraud.

### PCI DSS

An overview of the Payment Card Industry Data Security Standard (PCI DSS), covering the what, why, when, who, where, and how aspects:

**What is PCI DSS?**
- **What:** PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure the secure handling of payment card data, such as credit card and debit card information.

**Why is PCI DSS Important?**
- **Why:** PCI DSS is essential for protecting cardholder data from breaches and fraud. Compliance helps maintain trust among customers, reduces the risk of data breaches, and avoids costly penalties.

**When was PCI DSS Established?**
- **When:** PCI DSS 1.0 was released in December 2004 by the major card brands (Visa, Mastercard, American Express, Discover and JCB), which formed the PCI Security Standards Council in 2006 to maintain it. The current version is 4.0 (released March 2022, with the 4.0.1 revision in June 2024); version 3.2.1 was retired on March 31, 2024.

**Who Must Comply with PCI DSS?**
- **Who:** Any organization that processes, stores, or transmits payment card data must comply with PCI DSS. This includes merchants, service providers, and financial institutions.

**Where Does PCI DSS Apply?**
- **Where:** PCI DSS compliance is a global requirement. It applies to organizations worldwide that handle payment card data, regardless of their location or the location of their customers.

**How Does PCI DSS Work?**
- **How:** PCI DSS v4.0 consists of 12 requirements, grouped under six goals, each broken into detailed sub-requirements and testing procedures:
    1. Install and maintain network security controls.
    2. Apply secure configurations to all system components.
    3. Protect stored account data: sensitive authentication data (full track data, card verification code, PIN) may never be stored after authorization; stored PANs must be rendered unreadable by truncation, hashing, tokenization or strong cryptography, and masked when displayed.
    4. Protect cardholder data with strong cryptography during transmission over open, public networks.
    5. Protect all systems and networks from malicious software.
    6. Develop and maintain secure systems and software.
    7. Restrict access to system components and cardholder data by business need to know.
    8. Identify users and authenticate access to system components.
    9. Restrict physical access to cardholder data.
    10. Log and monitor all access to system components and cardholder data.
    11. Test security of systems and networks regularly (vulnerability scans and penetration tests).
    12. Support information security with organizational policies and programs, including managing third-party service providers.

    The first practical step is scoping: anything that stores, processes or transmits cardholder data, or can affect its security, is in the cardholder data environment (CDE), and reducing that scope (network segmentation, tokenization, outsourcing payment pages) reduces the assessment burden. Validation is then annual, either by self-assessment questionnaire (SAQ) or, for larger merchants and service providers, by a Qualified Security Assessor producing a Report on Compliance (ROC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

In summary, PCI DSS is a globally recognized standard for securing payment card data. Compliance is mandatory for any organization that handles such data, and it involves adhering to specific security measures and conducting regular assessments to protect against data breaches and fraud, ultimately ensuring the security of financial transactions.
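Added worked example for Requirement 3 (stored account data) and Requirement 10 (logging); this is not code from the original notes. Application logs are a classic place where PANs and card verification codes leak out of the CDE, so the script scans constructed log lines for candidate card numbers, keeps only those that pass the Luhn check (which drops ordinary order IDs of the same length), masks them to the first six and last four digits, and separately flags sensitive authentication data such as `cvv=`. The card numbers are the card brands' published test numbers; the log format and field names are this example's own.

```python
"""Find unmasked PANs and sensitive authentication data in application logs.
Added illustration for PCI DSS Requirements 3 and 10, not from the original
notes; the log lines use the card brands' public test numbers, not real cards."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so a 20-digit order ID is not split into a "card").
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data must never be stored after authorization.
SAD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)

SAMPLE_LOG = """\
2024-03-03T10:15:01Z checkout INFO order=1234567890123456 status=ok
2024-03-03T10:15:02Z checkout DEBUG card=4111 1111 1111 1111 exp=12/27 cvv=123
2024-03-03T10:15:03Z checkout DEBUG card=378282246310005 status=declined
2024-03-03T10:15:04Z checkout INFO trace=4111111111111112 latency_ms=84
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form PCI DSS allows: at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(text: str) -> list:
    """Scan log text; return one finding per Luhn-valid PAN or SAD field, with
    the PAN already masked so the finding itself is safe to forward to a ticket."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan", "value": mask_pan(digits)})
        for m in SAD.finditer(line):
            findings.append({"line": lineno, "kind": "sad", "value": m.group(1).lower()})
    return findings


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Line 1 (an order ID) and line 4 (a trace ID one digit off a valid PAN) are correctly ignored because they fail Luhn, while line 2 produces two findings: the PAN itself and the card verification code, the second of which is the more serious one because no masking or encryption makes storing it acceptable.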

### GDPR

An overview of the General Data Protection Regulation (GDPR), covering the what, why, when, who, where, and how aspects:

**What is GDPR?**
- **What:** GDPR stands for General Data Protection Regulation. It is a comprehensive data protection and privacy regulation enacted by the European Union (EU) to protect the personal data of EU residents.

**Why is GDPR Important?**
- **Why:** GDPR is important to safeguard individuals' privacy rights and personal data. It gives individuals more control over their data and imposes obligations on organizations to handle data responsibly, enhancing trust and data security.

**When was GDPR Established?**
- **When:** GDPR (Regulation (EU) 2016/679) was adopted in April 2016 and became enforceable on May 25, 2018, replacing the Data Protection Directive 95/46/EC.

**Who Must Comply with GDPR?**
- **Who:** GDPR applies to any organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3). It binds both controllers (who decide why and how data is processed) and processors (who process it on a controller's behalf), whether businesses, public bodies or non-profits.

**Where Does GDPR Apply?**
- **Where:** GDPR has extraterritorial reach: the test is whether the people whose data is processed are in the EU, not where the organization or its servers sit. It applies across the EEA (the EU plus Iceland, Liechtenstein and Norway), and the UK retained a near-identical version ("UK GDPR") after leaving the EU.

**How Does GDPR Work?**
- **How:** GDPR is implemented through a series of principles and requirements:
    - **Lawful Basis:** Every processing activity needs one of six lawful bases (Article 6); consent is only one of them, alongside contract, legal obligation, vital interests, public task and legitimate interests. Where consent is relied on it must be freely given, specific, informed and as easy to withdraw as to give, and explicit consent is required for special-category data such as health or biometrics.
    - **Data Minimization:** Collect and process only the data necessary for the stated purpose, and keep it no longer than needed.
    - **Data Subject Rights:** Individuals have rights of access (Article 15), rectification, erasure (the "right to be forgotten", Article 17), restriction, objection and data portability (Article 20: receiving their data in a structured, commonly used, machine-readable format and having it transmitted to another controller); requests must generally be answered within one month.
    - **Data Security:** Implement appropriate technical and organizational measures (Article 32), such as pseudonymization and encryption, proportionate to the risk.
    - **Data Protection Impact Assessments (DPIAs):** Assess and mitigate risks before starting processing that is likely to result in a high risk to individuals.
    - **Data Protection Officers (DPOs):** Appoint a DPO when the organization is a public authority or its core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data.
    - **Breach Notification:** Report personal data breaches to the supervisory authority within 72 hours of becoming aware (Article 33) unless the breach is unlikely to result in a risk to individuals, and notify affected individuals without undue delay when the risk is high (Article 34).
    - **Accountability and Governance:** Organizations must demonstrate compliance through records of processing activities, policies, processor contracts, and privacy by design and by default.
    - **Cross-Border Data Transfers:** Transfers outside the EU/EEA need an adequacy decision, standard contractual clauses, binding corporate rules or another Chapter V mechanism.
    - **Penalties:** Two tiers of administrative fines: up to €10 million or 2% of annual global turnover for obligations such as security and record-keeping, and up to €20 million or 4% for breaches of the core principles, lawful basis or data subject rights, whichever amount is higher in each case.

    GDPR compliance requires organizations to map their data processing activities, identify a lawful basis for each, implement appropriate safeguards, and establish procedures for data subjects to exercise their rights.

In summary, GDPR is a far-reaching privacy regulation designed to protect the personal data of EU residents. Compliance involves stringent data protection measures, transparency, and accountability for organizations processing personal data, regardless of their location. Failure to comply can lead to substantial fines and reputational damage.

### FISMA
An overview of the Federal Information Security Modernization Act (FISMA), covering the what, why, when, who, where, and how aspects:

**What is FISMA?**
- **What:** FISMA originally stood for the Federal Information Security Management Act of 2002 (Title III of the E-Government Act); the Federal Information Security Modernization Act of 2014 amended it, and the acronym is now used for both. It is the United States federal law that sets information security requirements for federal agencies and for the systems operated on their behalf.

**Why is FISMA Important?**
- **Why:** FISMA is important to improve the security and protection of federal government information systems and data. It aims to safeguard sensitive information from cyber threats, ensuring the confidentiality, integrity, and availability of government data.

**When was FISMA Established?**
- **When:** FISMA was signed into law on December 17, 2002, as part of the E-Government Act of 2002, and was updated by the Federal Information Security Modernization Act signed on December 18, 2014, which gave DHS (now CISA) an operational role and streamlined agency reporting.

**Who Must Comply with FISMA?**
- **Who:** FISMA applies to federal government agencies and their contractors that handle federal information systems and data. Compliance is mandatory for these entities.

**Where Does FISMA Apply?**
- **Where:** FISMA applies to the entire federal government, including civilian agencies, the Department of Defense, and other government organizations. Compliance is required for information systems used in the United States and abroad.

**How Does FISMA Work?**
- **How:** FISMA outlines a framework for securing federal information systems and data, with NIST providing the mandatory standards and guidelines:
    - **Risk Management Framework (RMF):** NIST SP 800-37 defines the RMF steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) that agencies follow for each system.
    - **System Categorization:** Each system is categorized as low, moderate or high impact under FIPS 199 by taking the highest ("high-water mark") of its confidentiality, integrity and availability impact ratings.
    - **Security Controls:** The category selects a baseline of controls from NIST SP 800-53 (tailored per SP 800-53B), which the agency implements and documents in a system security plan.
    - **Assessment and Authorization:** An independent assessment of the controls (SP 800-53A) supports an Authority to Operate (ATO) decision by the agency's authorizing official.
    - **Continuous Monitoring:** Agencies must continuously monitor their systems to identify and address vulnerabilities and threats rather than relying only on periodic re-authorization.
    - **Incident Response:** FISMA requires agencies to establish incident response capabilities and to report incidents to CISA (formerly US-CERT).
    - **Reporting:** Agencies report compliance status annually to OMB and Congress, CISA collects the supporting metrics, and Inspectors General conduct independent evaluations.
    - **Penalties:** Non-compliance can result in budgetary, legal, and operational consequences for agencies, including loss of the ATO for an affected system.

    FISMA ensures that federal agencies adopt a risk-based approach to cybersecurity, with a focus on continuous monitoring, compliance reporting, and adherence to NIST standards.

In summary, FISMA is a U.S. federal law that establishes a comprehensive framework for securing federal information systems and data. It mandates risk management, security controls, continuous monitoring, and reporting to protect government information from cyber threats. Compliance is vital for federal agencies and contractors to maintain the security and integrity of government data.