ISO/IEC 27032 - Cyber Security
Cyber compliance refers to the process of ensuring that an organization adheres to industry regulations, standards, and laws related to information security and data privacy. Many different types of organizations may need to comply with various cyber security regulations and standards.
Achieving operational excellence in cybersecurity is essential to protect organizations from cyber threats and ensure business continuity. It requires a holistic approach that encompasses people, processes, and technology, and requires ongoing investment and commitment from the organization. By focusing on risk management, incident management, governance and compliance, technology solutions, and employee training and awareness, organizations can develop a culture of security and achieve operational excellence in cybersecurity.
Any organization working with data, which is the majority of them, or that has an internet-exposed edge must take cybersecurity seriously. Accessing data and moving it from one place to another puts organizations at risk and makes them vulnerable to potential cyberattacks.
At its core, cybersecurity compliance means adhering to standards and regulatory requirements set forth by some agency, law or authority group. Organizations must achieve compliance by establishing risk-based controls that protect the confidentiality, integrity and availability (CIA) of information. The information must be protected, whether stored, processed, integrated or transferred.
Cybersecurity compliance is a major challenge for organizations because industry standards and requirements can overlap, leading to confusion and more work.
No organization is completely immune from experiencing a cyberattack, meaning that complying with cybersecurity standards and regulations is paramount. It can be a determining factor in an organization’s ability to reach success, have smooth operations and maintain security practices.
Small or medium-sized businesses (SMBs) can be a major target because they’re considered low-hanging fruit. And in the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors (CIS) that are the most important to protect because a breach could have a debilitating effect on national security, the economy, public health and safety, or more.
Cyber Security Assessments and the Cyber Security Risk Definition
Risk has many interpretations, and is often used to describe dangers or threats to a particular person, environment, or business.
The following is just one definition: "Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization."[1] Understanding risk includes understanding the different elements and how they fit together. For example, considerations from a business perspective may include:
What are the different types of threats to the organization?
What are the organization's assets that need protecting from the threats?
How vulnerable is the organization to different threats?
What is the likelihood that a threat will be realized?
What would be the impact if a threat was realized?
How can the organization reduce the likelihood of a threat being realized, or reduce the impact if it does occur?
PCI DSS – Risk Assessment:
2.2 PCI DSS Requirement 12.1.2

Requirement 12.1: Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
Testing procedure 12.1: Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).

Requirement 12.1.1: Addresses all PCI DSS requirements.
Testing procedure 12.1.1: Verify that the policy addresses all PCI DSS requirements.

Requirement 12.1.2: Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
Testing procedure 12.1.2.a: Verify that an annual risk assessment process is documented that identifies threats and vulnerabilities, and results in a formal risk assessment.
Testing procedure 12.1.2.b: Review risk assessment documentation to verify that the risk assessment process is performed at least annually.

Requirement 12.1.3: Includes a review at least annually and updates when the environment changes.
Testing procedure 12.1.3: Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Figure 1.0 – PCI DSS Requirement 12.1.2 (PCI DSS requirements with their testing procedures)

[1] NIST SP 800-30

The intent of this document is to provide supplemental information. Information provided here does not replace or supersede requirements in any PCI SSC Standard.
Information Supplement • PCI DSS Risk Assessment Guidelines • November 2012

PCI DSS Requirement 12.1.2 requires organizations to establish an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. A risk assessment enables an organization to identify threats and the associated vulnerabilities which have the potential to negatively impact its business. Resources can then be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threats being realized.
Performing risk assessments at least annually allows organizations to keep up to date with business changes and provides a mechanism to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies. Examples of changes include the introduction of a new product line or service offering that is different from existing products or services, introduction of a new software application in the cardholder data environment (CDE), change of a network topology impacting the CDE, etc.

2.3 Risk Management Strategy
Because the PCI DSS risk assessment takes into account only a subset of the organization's overall risks, organizations should maximize the benefits of a risk assessment by incorporating the PCI DSS risk assessment into their overall organization-wide risk management program. The risk assessment process should include people, processes, and technologies that are involved in the storage, processing, or transmission of cardholder data (CHD), including those that may not be directly involved in processing CHD but still have the potential to impact the security of the CDE, for example perimeter building security at the facility where the CDE is located. Consideration should also be given to business processes outsourced and/or managed by third-party service providers or merchants. To ensure adequate coverage, an organization-wide risk management program would need to ensure that risks across all areas of the organization are considered, that there is a coordinated strategy for addressing identified risks, and that the risk mitigation efforts are aligned across all business processes.

2.4 PCI DSS Requirements
PCI DSS provides a baseline of technical and operational controls that work together to provide a defense-in-depth approach to the protection of cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data and may be enhanced by additional controls and practices to further mitigate risks.
Risk assessments provide valuable information to help organizations determine whether additional controls are necessary to protect their sensitive data and other assets. In order to achieve compliance with the PCI DSS, an organization must meet all applicable PCI DSS requirements. Note: The result of a risk assessment must not be used by organizations as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

2.5 Benefits of Conducting a PCI DSS Risk Assessment
Conducting a PCI DSS risk assessment helps an organization to identify and understand the potential risks to its CDE. By understanding these risks, an organization can prioritize risk-mitigation efforts to address the most critical risks first. Organizations can also implement threat-reducing controls more effectively, for example, by choosing a technology or solution that best addresses identified risks. Risk assessments can help identify the presence of cardholder data that is not fundamental to business operations and that can be removed from an organization's environment, reducing both the risk to the environment and potentially the scope of its CDE. In addition, risk assessments can identify areas containing data that need protection versus areas that are more open and do not need access to sensitive data. Information obtained through a risk assessment can be used to determine how to segment environments to isolate sensitive networks (CDE) from non-sensitive networks and, thus, save unnecessary investment in security controls where they are not needed. Isolation of these less sensitive networks helps to define the CDE and contributes to an effective scoping methodology.
Performing risk assessments at regular intervals provides an organization with insight into changing environments and assists it in identifying where mitigation controls need to be adjusted or added before new threats can be realized. This practice may provide the opportunity to identify whether future investment in resources may be warranted. Ideally, a continuous risk assessment process would be implemented to enable ongoing discovery of emerging threats and vulnerabilities that could negatively impact the cardholder data environment (CDE), allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner.

2.6 Risk Assessment and the Prioritized Approach
For organizations working towards their initial PCI DSS compliance validation, the PCI DSS Prioritized Approach provides a roadmap of compliance activities based on risks associated with storing, processing, and/or transmitting cardholder data. It helps organizations prioritize efforts to achieve compliance, establish milestones, and lower the risk of CHD breaches early in the compliance process. As part of Milestone 1, the organization needs to implement a formalized risk assessment process to identify threats and vulnerabilities that could negatively impact the security of its cardholder data. Organizations working towards compliance may find that the initial risk assessment requires additional time and resources, as it may be the first time the environment has been reviewed and evaluated from a risk-based perspective. Furthermore, if a risk assessment process is not already established, organizations will need to define and document their risk assessment methodology, identify individuals who will need to be involved, assign roles and responsibilities, and allocate resources.
For organizations maintaining compliance, it is important to understand that the annual PCI DSS validation is only a snapshot of compliance at a given time, as noted on the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ). To ensure compliance is maintained, a risk assessment may be undertaken after any significant changes to the CDE including, but not limited to, any changes in technologies, business processes, personnel, and/or third-party relationships that could impact the security of CHD.