Navigating Cybersecurity Frameworks and Requirements
Stay current with evolving regulations, guidelines, requirements and frameworks.
Common Frameworks
OWASP Continuous Penetration Testing Framework
Open Source Security Testing Methodology (OSSTMM)
PCI Penetration Testing Guide
NIST 800-115
Information Systems Security Assessment Framework (ISSAF)
Penetration Testing
A penetration test (pentest) is a simulated cyber attack on a computer system, network, cloud environment or application, carried out to identify vulnerabilities that real attackers could exploit.
Vulnerability Scans
A vulnerability scan is an automated process that scans computer systems, networks, or applications for known vulnerabilities, such as missing patches or misconfigurations, without exploiting them.
Security Audit
Unlike pentests, which exploit vulnerabilities to assess the effectiveness of security controls, a security audit typically involves a more passive review and analysis of the security measures in place.
NIST - National Institute of Standards and Technology
Cybersecurity framework for any sized business
The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. NIST is mandatory for government agencies and for companies that do business with the US government. Other businesses should comply with NIST for liability reasons, but for them it is not mandatory.
- Regular assessment and review of information security policies, procedures, and practices are crucial, with a frequency tailored to the level of risk but conducted at least annually.
- Pretest analysis requires a comprehensive understanding of the systems and their components, identifying all potential vulnerabilities before any exploitation.
- Rigorous testing is then used to determine whether the identified vulnerabilities are actually exploitable.
Additional controls in NIST SP 800-53: CA-8(1) mandates independent penetration testing teams, ensuring unbiased assessments. CA-8(2) requires red team exercises that simulate real-world attacks, providing a more comprehensive security assessment than a penetration test alone.
PCI DSS - Payment Card Industry Data Security Standard
Mandatory for any entity that handles, stores, or transmits cardholder data
Cardholder data encompasses the debit, credit, and prepaid card information used by customers, and the requirement applies regardless of business size or transaction volume. PCI DSS Requirement 11.3 mandates penetration testing at least annually or whenever significant changes are made to the environment.
HIPAA - Health Insurance Portability and Accountability Act
Protecting Health and Medical PII
While the HIPAA Security Rule does not explicitly address vulnerability scans or penetration tests, compliance in practice requires a technical vulnerability assessment, as mandated by the Department of Health and Human Services (HHS), of all IT assets, including web and network components.
Covered entities are defined in the HIPAA rules as:
- Health plans
- Health care clearinghouses
- Health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.