Policy_Compliance.md

Policy & Compliance

Table of Contents

SOX

• California S.B. 1386 - Wikipedia

---

General

• General
  • IT Law Wiki)
  • The security laws, regulations and guidelines directory - csoonline
  • CSIS Critical Security Controls v7.0
  • The Red Book: A Roadmap for Systems Security Research
  • IT Law Wiki)
  • The security laws, regulations and guidelines directory - csoonline
  • Goodhart's Law - Wikipedia
    • Goodhart's law is an adage named after economist Charles Goodhart, which has been phrased by Marilyn Strathern as: "When a measure becomes a target, it ceases to be a good measure."[1] One way in which this can occur is individuals trying to anticipate the effect of a policy and then taking actions which alter its outcome.
• Compliance
  • Vendor Security
    • Web Application Security Requirements for Google Providers
• Controls
  • Cloud Controls Matrix Working Group
  • CSIS Critical Security Controls v7.0
• Finance
  • FATF blacklist - Wikipedia
    • The FATF blacklist was the common shorthand description for the Financial Action Task Force list of "Non-Cooperative Countries or Territories" (NCCTs) issued since 2000, which it perceived to be non-cooperative in the global fight against money laundering and terrorist financing.
  • Security Assessment Guidelines for Financial Institutions
  • SWIFT Customer Security Programme
  • SWIFT Customer Security Controls Framework
  • Sheltered Harbor FAQ
• Guides
  • Bring-Your-Own-Device
    • NIST Special Publication 800 -46 Revision 2 - Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  • Job Skills/Employment
    • NICE Cybersecurity Workforce Framework - NICCS.us-cert.gov
  • PCI Compliance
  • Privacy Controls
    • Security and Privacy Controls forFederal Information Systemsand Organizations - NIST-800-53
  • Medical Devices
    • NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
      • SP 1800-8a: Executive Summary
      • SP 1800-8b: Approach, Architecture, and Security Characteristics
      • SP 1800-8c: How-To Guides
  • Risk Assessment
    • Information Security Risk Assessment Guidelines - mass.gov
  • Security Testing
    • SP 800-115: Technical Guide to Information Security Testing and Assessment
      • Technical Guide to Information Security Testing and Assessment - NIST-800-115 - PDF
      • The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use.
• HIPAA
  • HIPAA vs Security: Building security into medical purchasing decisions - infosystir
• Insider Threat
  • A Survey of Insider Attack Detection Research - 2008
  • The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures
  • An Overview of Threat and Risk Assessment
  • The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization
  • Moldovan bank fraud scandal - Wikipedia
  • AT&T employees took bribes to plant malware on the company's network - Catalin Cimpanu(ZDNet)
• ISO
  • ISO/IEC 27000-series
  • ISO/IEC 27001 - Wikipedia
  • ISO/IEC 27000 family - Information security management systems
    • The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
• Legal Policies
  • United States
    • Gramm-Leach-Bliley Act
      • Gramm–Leach–Bliley Act - Wikipedia
      • The Gramm-Leach-Bliley Act (G-L-B) versus Best Practices in Network Security - Thomas Hinkel
      • How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act - FTC
      • The Gramm-Leach-Bliley Act - epic.org
    • Health Insurance Portability and Accountability Act(HIPAA)
      • Health Insurance Portability and Accountability Act - Wikipedia
      • What is HIPAA Compliance?- compliancy-group.com
      • Health Information Privacy - HHS.gov
      • HIPAA vs Security: Building security into medical purchasing decisions - infosystir
      • Summary of the HIPAA Security Rule - HHS.gov
    • Sarbanes-Oxley Act
      • Sarbanes–Oxley Act - Wikipedia
      • Public or Private Company: What Sarbanes-Oxley Means for You - smartsheet
      • SOX compliance – an introduction - Impero
    • State-Specific
      • California S.B. 1386 - Wikipedia
• Risk Assessment
  • Performing a Security Risk Assessment - Ron Schmittling
• NIST
  • NIST Special Publication 800-series - General Information
    • Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. Created in 1990, the series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
  • BYOD
    • NIST Special Publication 800 -46 Revision 2 - Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
  • Medical Devices
    • NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
      • SP 1800-8a: Executive Summary
      • SP 1800-8b: Approach, Architecture, and Security Characteristics
      • SP 1800-8c: How-To Guides
  • Privacy
    • Security and Privacy Controls forFederal Information Systemsand Organizations - NIST-800-53
  • Security Testing
    • SP 800-115: Technical Guide to Information Security Testing and Assessment
      • Technical Guide to Information Security Testing and Assessment - NIST-800-115 - PDF
        • The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use.
  • Workforce
    • NICE Cybersecurity Workforce Framework - NICCS.us-cert.gov
  • Not Nation-Specific
    • Financial
      • FATF blacklist - Wikipedia
        • The FATF blacklist was the common shorthand description for the Financial Action Task Force list of "Non-Cooperative Countries or Territories" (NCCTs) issued since 2000, which it perceived to be non-cooperative in the global fight against money laundering and terrorist financing.
      • Security Assessment Guidelines for Financial Institutions
    • PCI
      • PCI DSS V3.2.1
      • PCI SSC Cloud Computing Guidelines - 4/2018
      • PCI DSS Quick Reference Guide - v3.2
      • Guidance for PCI DSS Scoping and Network Segmentation - 2016
      • For vulnerability scans, what is meant by quarterly? - PCISSC
      • PCI Compliance in AWS - Jordan Wiseman, Andrew Plato
    • PII
      • EU General Data Protection Regulation(GDPR)
      • GDPR - Wikipedia
    • SWIFT
      • SWIFT Customer Security Programme
      • SWIFT Customer Security Controls Framework
• PCI
  • PCI DSS V3.2.1
  • PCI SSC Cloud Computing Guidelines - 4/2018
  • PCI DSS Quick Reference Guide - v3.2
  • Guidance for PCI DSS Scoping and Network Segmentation - 2016
• PII
  • EU General Data Protection Regulation(GDPR)
  • GDPR - Wikipedia
• Misellaneous
  • Goodhart's Law - Wikipedia
    • Goodhart's law is an adage named after economist Charles Goodhart, which has been phrased by Marilyn Strathern as: "When a measure becomes a target, it ceases to be a good measure."[1] One way in which this can occur is individuals trying to anticipate the effect of a policy and then taking actions which alter its outcome.
• Vendor Security
  • Web Application Security Requirements for Google Providers

To Sort: * Documentation for OpenSCAP Base * Penetration Testing Shouldn't be a Waste of Time - Jim Bird * COBIT 2019 Publications & Resources * Moldovan bank fraud scandal - Wikipedia * The Red Book: A Roadmap for Systems Security Research * Sheltered Harbor FAQ * FFIEC Cybersecurity Resource Guide for Financial Institutions(2018) * Documentation for OpenSCAP Base * Cloud Controls Matrix Working Group * Penetration Testing Shouldn't be a Waste of Time - Jim Bird * Please don’t kill your CISO if he doesn’t know how a virus works - M S Sripati * The normalization of deviance in healthcare delivery - John Banja * Understanding Security Regulations in the Financial Services Industry - David Hoelzer

• COMPLY

  • Comply is a SOC2-focused compliance automation tool: Policy Generator: markdown-powered document pipeline for publishing auditor-friendly policy documents; Ticketing Integration: automate compliance throughout the year via your existing ticketing system; SOC2 Templates: open source policy and procedure templates suitable for satisfying a SOC2 audit

• When to Test and How to Test It - Bruce Potter - Derbycon7

  • “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.