Let\u2019s look at some of the regulations and standards.<\/p>\n\n\n\n
General Data Protection Regulation (GDPR)<\/em><\/strong><\/p>\n\n\n\n GDPR is the European Union (EU) directive that replaces the previously existing regulation known as the Data Protection Directive. The key focus of GDPR is to regulate how organizations should protect the data of the EU citizens. GDPR also focuses on the data movement outside the EU.<\/p>\n\n\n\n There are seven principles of GDPR:<\/p>\n\n\n\n Lawfulness, fairness and transparency<\/p>\n\n\n\n Purpose limitation<\/p>\n\n\n\n Data minimization<\/p>\n\n\n\n Accuracy<\/p>\n\n\n\n Storage limitation<\/p>\n\n\n\n Integrity and confidentiality (security)<\/p>\n\n\n\n Accountability<\/p>\n\n\n\n National, Territory, or State Laws<\/em><\/strong><\/p>\n\n\n\n Depending on the country you live in, there can be national, territory, or even state laws for security.<\/p>\n\n\n\n For example, the United States has several laws that are applicable at the national level.<\/p>\n\n\n\n Some of the key ones are:<\/p>\n\n\n\n US Privacy Act of 1974<\/strong>: applicable to government agencies for the data they hold.<\/p>\n\n\n\n GRAMM-LEACH-BILLEY ACT (GLBA<\/strong>): focuses on protecting financial non-public information.<\/p>\n\n\n\n Health Insurance Portability and Accountability Act (HIPAA<\/strong>): focuses on protecting healthcare information.<\/p>\n\n\n\n Children\u2019s Online Privacy Protection Act (COPPA<\/strong>): focuses on protecting the personal information of children below the age of 12.<\/p>\n\n\n\n Federal Information Security Management Act (FISMMA<\/strong>): provides the mandates to the federal agencies to protect data.<\/p>\n\n\n\n While the above-listed laws are at the national level in the United States, the other nations also have similar laws in place. For example, here are some national laws from the United Kingdom (UK):<\/p>\n\n\n\n The Computer Misuse Act of 1990<\/p>\n\n\n\n The Data Protection Act 1998<\/p>\n\n\n\n Regulation of Investigatory Powers Act 2000<\/p>\n\n\n\n Fraud Act 2006<\/p>\n\n\n\n Forgery and Counterfeiting Act 1981<\/p>\n\n\n\n Copyright, Design, and Patents Act 1998<\/p>\n\n\n\n Laws can also be specific to a territory or state. For example, the state of California in the United States has implemented the Notice of Security Breach Act. This act states that if an organization maintains the personal information of the California citizens and is a victim of any security breach, the organization must disclose the incident. There is then action taken on the organization. This act intends to ensure that the organizations invest in their security infrastructure to safeguard California citizens’ personal information.<\/p>\n\n\n\n Payment Card Industry Data Security Standard (PCI-DSS)<\/em><\/strong><\/p>\n\n\n\n PCI-DSS is a regulatory framework for organizations that deal with credit or debit card payments on the Internet. This is specific to the credit card industry.<\/p>\n\n\n\n Key Frameworks<\/strong><\/p>\n\n\n\n A framework, or a security framework, defines a set of processes and procedures to help an organization implement security controls, which are meant to reduce the security risks. A framework can be specific to an industry or generalized to meet more generic requirements. For example, PCI-DSS is a regulatory framework for an organization that deals with credit or debit card payments on the Internet. On the other hand, ISO 27001 is a more general regulatory framework that can help any organization of any size to define an information security management system (ISMS).<\/p>\n\n\n\n The whole intent of a framework is to use the pre-defined guidelines. When you use a specific framework, you do not need to create the basic structure of policies and processes. However, it is important to note that a framework can always be customized to meet an organization\u2019s needs.<\/p>\n\n\n\n There are several frameworks available in the IT industry, and most of them are designed with the security aspect in mind. Broadly categorizing, there are two types of frameworks: prescriptive and risk–<\/em><\/strong>based.<\/p>\n\n\n\n Center for Internet Security (CIS)<\/em><\/strong><\/p>\n\n\n\n CIS is a non-profit organization that works in the area of Internet security. It has developed various benchmarks and guidelines for securing devices, platforms, and applications. There are CIS controls, which contain the following 20 security measures:<\/p>\n\n\n\n Inventory of Authorized and Unauthorized Devices<\/p>\n\n\n\n Inventory of Authorized and Unauthorized Software<\/p>\n\n\n\n Secure Configurations for Hardware and Software on Mobile, Laptops, Workstations, and Servers<\/p>\n\n\n\n Continuous Vulnerability Assessment and Remediation<\/p>\n\n\n\n Controlled Use of Administrative Privileges<\/p>\n\n\n\n Maintenance, Monitoring, and Analysis of Audit Logs<\/p>\n\n\n\n Email and Web Browser Protection<\/p>\n\n\n\n Malware Defenses<\/p>\n\n\n\n Limitation and Control of Network Ports, Protocols, and Services<\/p>\n\n\n\n Data Recovery Capability<\/p>\n\n\n\n Secure Configurations for Network Devices such as Firewalls, Routers, and Switches<\/p>\n\n\n\n Boundary Defense<\/p>\n\n\n\n Data Protection<\/p>\n\n\n\n Controlled Access Based on the Need to Know<\/p>\n\n\n\n Wireless Access Control<\/p>\n\n\n\n Account Monitoring and Control<\/p>\n\n\n\n Security Skills Assessment and Appropriate Training to Fill Gaps<\/p>\n\n\n\n Application Software Security<\/p>\n\n\n\n Incident Response and Management<\/p>\n\n\n\n Penetration Tests and Red Team Exercises<\/p>\n\n\n\n National Institute of Standards and Technology (NIST) RMF\/CSF<\/em><\/strong><\/p>\n\n\n\n RMF <\/strong>stands for Risk Management Framework that can help organizations assess and manage risks.<\/p>\n\n\n\n CSF <\/strong>stands for Cyber Security Framework that has several steps that need to be implemented. These steps and their tasks include:<\/p>\n\n\n\n 1. Prepare<\/strong>: Organizational communication, development of control baselines, enterprise architecture, and alignment with RMF.<\/p>\n\n\n\n 2. Identify<\/strong>: Asset management, business environment, governance, risk assessment, and risk management strategy.<\/p>\n\n\n\n 3. Protect<\/strong>: Access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.<\/p>\n\n\n\n 4. Detect<\/strong>: Anomalies and events, continuous security monitoring, and detection processes.<\/p>\n\n\n\n 5. Respond<\/strong>: Response planning, communications, analysis, mitigation, and improvements.<\/p>\n\n\n\n 6. Recover<\/strong>: Recovery planning, improvements, and communications.<\/p>\n\n\n\n International Organization for Standardization (ISO) 27001\/27002\/27701\/31000<\/em><\/strong><\/p>\n\n\n\n ISO is an independent organization that develops standards and frameworks that are deployed internationally. ISO has standards across various domains, such as:<\/p>\n\n\n\n Environmental<\/p>\n\n\n\n Food Safety<\/p>\n\n\n\n Health and Safety<\/p>\n\n\n\n IT Security<\/p>\n\n\n\n In the IT Security domain, ISO has various standards. Some of the key ones are:<\/p>\n\n\n\n 27001<\/strong>: provides the requirements for an information security management system. ISO 27001 is a more of a general regulatory framework that can help any organization of any size. It helps an organization to define an information security management system (ISMS).<\/p>\n\n\n\n 27002<\/strong>: focuses on security techniques and codes of practice for information security controls.<\/p>\n\n\n\n 27701<\/strong>: is an extension to 27001 and 27002. It provides various guidelines for privacy information management.<\/p>\n\n\n\n 31000<\/strong>: focuses on risk management. It provides various guidelines for managing risks within the organization.<\/p>\n\n\n\n SSAE SOC 2 Type II\/III<\/em><\/strong><\/p>\n\n\n\n SSAE stands for Statements on Standards for Attestation Engagements. SOC stands for Service Organization Control. There are SOC 1, 2, and 3 reports.<\/p>\n\n\n\n SOC 1<\/strong>: focuses on internal controls over financial reporting.<\/p>\n\n\n\n SOC 2<\/strong>: focuses on various controls, such as security, privacy, availability, and integrity. This report is available to regulators and those who sign the Non-Disclosure Agreement (NDA).<\/p>\n\n\n\n SOC 3<\/strong>: focuses on various controls, such as security, privacy, availability, and integrity. This report is available to the general public.<\/p>\n\n\n\n To find out more about SOC centers, click the button below!<\/p>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/GDPR.png\")
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/hipaa-compliant2648.jpg\"\/)
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/fisma-logo-copy.png\"\/){kind=logo}
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/th-2.jpeg\"\/)
<\/div><\/div><\/div><\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/PNG_PCI-e1672262570225.png\")
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/636be0f8003170a194adf09d_PCI-DSS-1.png\")
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/cis-letter-logo-design-on-white-background-cis-creative-initials-letter-logo-concept-cis-letter-design-vector.jpg\"){kind=logo}
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/f_nist-logo-brand-black.png\"){kind=logo}
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/th-1.jpeg\")
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/soc-letter-logo-design-on-black-background-soc-creative-initials-letter-logo-concept-soc-letter-design-vector.jpg\"){kind=logo}
<\/div><\/div>\n\n\n\n
![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/csa-logo-7.jpg\"){kind=logo}
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/Server-room-or-server-computer.jpg\")
<\/div><\/div>\n\n\n\n![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/apple-ios-logo-png-ios-bug-can-force-apple-iphones-to-call-911-repeatedly-1649.png\"\/){kind=logo}
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/th-7.jpeg\"\/)
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/th-6.jpeg\"\/)
<\/div>![\"\"\/](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/Ubuntu.png\")
<\/div>![\"\"\/](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/481906-Fedora-Linux-open-source-open_source-operating_system-logo-Red_Hat-scaled.jpg\"){kind=logo}
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/linux-gnu-debian-logo-wallpaper.jpg\"\/){kind=logo}
<\/div>![](\"https:\/\/chin4teck.com\/wp-content\/uploads\/2025\/01\/android_logo_PNG12.png\"\/){kind=logo}
<\/div>