Regulations and Standards to know for the exam
NIST RMF: Supply
chain risks
ISO 27001: Organization meets the security standards
ISO 27002: Classifies security controls
ISO 27017 & 27018: Cloud security
ISO 27701: Personal data & privacy
ISO 31000 / 31K: Risk assessments
GDPR: European Union / International Standards
· Data owners, data controllers, data processors, & data protection officer
· Data owner: responsible for determining how the data may be used
· Data controller: responsible for the protection of privacy & website user rights
· Data Protection Officer: Independent advocate for care & use of customer information, & responsible for ensuring the organization is complying with relevant laws
PCI DSS:
· Credit cards
· Assign a unique ID to each person with computer access
· Regularly test security systems and processes
SSAE SOC reports:
· SOC 2 Type I: Assess system design on a specific date
· SOC 2 Type 2: Identifies the effectiveness of security controls over a date range
ISO 27001: Organization meets the security standards
ISO 27002: Classifies security controls
ISO 27017 & 27018: Cloud security
ISO 27701: Personal data & privacy
ISO 31000 / 31K: Risk assessments
GDPR: European Union / International Standards
· Data owners, data controllers, data processors, & data protection officer
· Data owner: responsible for determining how the data may be used
· Data controller: responsible for the protection of privacy & website user rights
· Data Protection Officer: Independent advocate for care & use of customer information, & responsible for ensuring the organization is complying with relevant laws
PCI DSS:
· Credit cards
· Assign a unique ID to each person with computer access
· Regularly test security systems and processes
SSAE SOC reports:
· SOC 2 Type I: Assess system design on a specific date
· SOC 2 Type 2: Identifies the effectiveness of security controls over a date range