Difference between revisions of "Security"
(9 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{Feature | |
+ | |image=Cib-lets-encrypt (CoreUI Icons v1.0.0).svg | ||
+ | |imgdesc=Lets Encrypt | ||
+ | |title= | ||
+ | }} | ||
+ | {{#set:feature title = {{PAGENAME}} }} | ||
+ | {{#set:feature description = Using SSL and TLS Deployment Best Practices, QualityBox gets an A+ rating for security. }} | ||
+ | {{#set:feature notes = Certificates provided by the [[Certbot|Let's Encrypt project]] }} | ||
+ | {{#set:feature tests = [https://www.ssllabs.com/ssltest/analyze.html?d={{SERVERNAME}} Test on SSL Labs.com] }} | ||
+ | {{#set:feature examples = See [[:File:Certificate grade.png]] }} | ||
− | == Resources == | + | |
− | # [https://github.com/lfit/itpol Linux Foundation IT Policy] | + | ==free software that secures your communication== |
− | # https://wiki.mozilla.org/Security | + | |
+ | [https://www.torproject.org/ The Onion Router] (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications. TOR acts as an anonymizing layer between you and ALL Internet traffic. | ||
+ | |||
+ | For secure "messaging" there is [https://jami.net Jami]. Jami is a complete communication platform made by [https://savoirfairelinux.com/en Savoir Faire Linux]. Jami is available for all operating systems and devices. Jami offers | ||
+ | |||
+ | * Instant messaging | ||
+ | * Audio and video calls | ||
+ | * Swarms (group chats) | ||
+ | * Video-conferences and Rendezvous points with no third-party hosting | ||
+ | * Audio and video message recording | ||
+ | * Screen sharing and media streaming | ||
+ | * Built-in plugin platform for new features and experiences | ||
+ | * Jami can also function as a SIP client | ||
+ | |||
+ | Another popular platform for secure messaging is the '''Signal''' app. https://signal.org/ | ||
+ | |||
+ | == Security Frameworks == | ||
+ | |||
+ | |||
+ | 14 Security Frameworks You Should Know <ref>https://secureframe.com/blog/security-frameworks</ref> | ||
+ | {| class="wikitable" | ||
+ | !Framework | ||
+ | !Purpose | ||
+ | !Best Suited For | ||
+ | !Certification | ||
+ | !Certification Method | ||
+ | !Audit Duration | ||
+ | !Audit Frequency | ||
+ | |- | ||
+ | !SOC 2 | ||
+ | |Manage customer data | ||
+ | |Companies and their third-party partners | ||
+ | |N/A | ||
+ | |Authorized CPA firms | ||
+ | |6-month period | ||
+ | |Every year | ||
+ | |- | ||
+ | !ISO 27001 | ||
+ | |Build and maintain an information security management system (ISMS) | ||
+ | |Any company handling sensitive data | ||
+ | |Yes | ||
+ | |Accredited third-party | ||
+ | |1 week-1 month | ||
+ | |Every year | ||
+ | |- | ||
+ | !NIST Cybersecurity Framework | ||
+ | |Comprehensive and personalized security weakness identification | ||
+ | |Anyone | ||
+ | |N/A | ||
+ | |Self | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !HIPAA | ||
+ | |Protect patient health information | ||
+ | |The healthcare sector | ||
+ | |Yes | ||
+ | |The Department of Health and Human Services (third-party) | ||
+ | |12 weeks | ||
+ | |6 per year | ||
+ | |- | ||
+ | !PCI DSS | ||
+ | |Keep card owner information safe | ||
+ | |Any company handling credit card information | ||
+ | |Yes | ||
+ | |PCI Qualified Security Assessor (third-party) | ||
+ | |18 weeks | ||
+ | |Every year | ||
+ | |- | ||
+ | !GDPR | ||
+ | |Protect the data of people in the EU | ||
+ | |All businesses that collect the data of EU citizens | ||
+ | |Yes | ||
+ | |Third-party | ||
+ | |About 30 days | ||
+ | |Depends on preference | ||
+ | |- | ||
+ | !HITRUST CSF | ||
+ | |Enhance security for healthcare organizations and technology vendors | ||
+ | |The healthcare sector / Anyone | ||
+ | |Yes | ||
+ | |Third-party | ||
+ | |3-4 months | ||
+ | |Every year | ||
+ | |- | ||
+ | !COBIT | ||
+ | |Alignment of IT with business goals, security, risk management, and information governance | ||
+ | |Publicly traded companies | ||
+ | |Yes | ||
+ | |ISACA (third-party) | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !NERC-CIP | ||
+ | |Keep North America’s bulk electric systems operational | ||
+ | |The utility and power sector | ||
+ | |Yes | ||
+ | |Third-party | ||
+ | |Up to 3 years | ||
+ | |Every 5 years | ||
+ | |- | ||
+ | !FISMA | ||
+ | |Protect the federal government’s assets | ||
+ | |The federal government and third parties operating on its behalf | ||
+ | |Yes | ||
+ | |The FISMA Center | ||
+ | |12 weeks | ||
+ | |Every year | ||
+ | |- | ||
+ | !NIST Special Publication 800-53 | ||
+ | |Compliance with the Federal Information Processing Standards' (FIPS) 200 requirements and general security advice | ||
+ | |Government agencies | ||
+ | |N/A | ||
+ | |Self | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !NIST Special Publication 800-171 | ||
+ | |Management of controlled unclassified information (CUI) to protect federal information systems | ||
+ | |Contractors and subcontractors of federal agencies | ||
+ | |N/A | ||
+ | |Self | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !IAB CCPA | ||
+ | |Protecting California consumers’ data | ||
+ | |California businesses and advertising tech companies | ||
+ | |N/A | ||
+ | |Self | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !CIS Controls | ||
+ | |General protection against cyber threats | ||
+ | |Anyone | ||
+ | |Yes | ||
+ | |Third-party | ||
+ | |} | ||
+ | |||
+ | ==Resources== | ||
+ | |||
+ | #[https://github.com/lfit/itpol Linux Foundation IT Policy] | ||
+ | #https://wiki.mozilla.org/Security | ||
+ | #https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices | ||
+ | #https://secureframe.com/blog/security-frameworks | ||
+ | # [https://www.brighttalk.com/webcast/6793/591276 How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS, and DISA-STIG] This 50 minute video from Canonical can provide insight as to how an Enterprise MediaWiki solution can address the concerns related to these frameworks. | ||
+ | {{References}} | ||
[[Category:Security]] | [[Category:Security]] | ||
+ | [[Category:Frameworks]] |
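Review bot: the CIS Controls row (the last `|-` block before `|}`) supplies only five cells (Framework, Purpose, Best Suited For, Certification, Certification Method) against the seven column headers, so Audit Duration and Audit Frequency render as empty cells for that row; add two trailing `|` cells, with `N/A` where the cited source gives no value, so the row width matches the other thirteen rows. A smaller point in the same hunk: the Feature template sets `|imgdesc=Lets Encrypt` while the notes line writes `Let's Encrypt`; use the apostrophe in both so the infobox and the notes agree.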
Latest revision as of 14:59, 13 September 2023
Security

| Field | Value |
|---|---|
| Image shows | Let's Encrypt |
| Title | Security |
| Description | Using SSL and TLS Deployment Best Practices, QualityBox gets an A+ rating for security. |
| Notes | Certificates provided by the Let's Encrypt project |
| Test | Test on SSL Labs.com |
| Example | See File:Certificate grade.png |
Free software that secures your communication
The Onion Router (Tor) project (https://www.torproject.org/) is the best-known provider of security for your personal communications. Tor acts as an anonymizing layer between you and all of your Internet traffic.
For secure messaging there is Jami, a complete communication platform made by Savoir Faire Linux. Jami is available for all operating systems and devices, and it offers:
- Instant messaging
- Audio and video calls
- Swarms (group chats)
- Video-conferences and Rendezvous points with no third-party hosting
- Audio and video message recording
- Screen sharing and media streaming
- Built-in plugin platform for new features and experiences
- Jami can also function as a SIP client
Another popular platform for secure messaging is the Signal app (https://signal.org/).
Security Frameworks
14 Security Frameworks You Should Know [1]
Framework | Purpose | Best Suited For | Certification | Certification Method | Audit Duration | Audit Frequency |
---|---|---|---|---|---|---|
SOC 2 | Manage customer data | Companies and their third-party partners | N/A | Authorized CPA firms | 6-month period | Every year |
ISO 27001 | Build and maintain an information security management system (ISMS) | Any company handling sensitive data | Yes | Accredited third-party | 1 week-1 month | Every year |
NIST Cybersecurity Framework | Comprehensive and personalized security weakness identification | Anyone | N/A | Self | N/A | N/A |
HIPAA | Protect patient health information | The healthcare sector | Yes | The Department of Health and Human Services (third-party) | 12 weeks | 6 per year |
PCI DSS | Keep card owner information safe | Any company handling credit card information | Yes | PCI Qualified Security Assessor (third-party) | 18 weeks | Every year |
GDPR | Protect the data of people in the EU | All businesses that collect the data of EU citizens | Yes | Third-party | About 30 days | Depends on preference |
HITRUST CSF | Enhance security for healthcare organizations and technology vendors | The healthcare sector / Anyone | Yes | Third-party | 3-4 months | Every year |
COBIT | Alignment of IT with business goals, security, risk management, and information governance | Publicly traded companies | Yes | ISACA (third-party) | N/A | N/A |
NERC-CIP | Keep North America’s bulk electric systems operational | The utility and power sector | Yes | Third-party | Up to 3 years | Every 5 years |
FISMA | Protect the federal government’s assets | The federal government and third parties operating on its behalf | Yes | The FISMA Center | 12 weeks | Every year |
NIST Special Publication 800-53 | Compliance with the Federal Information Processing Standards' (FIPS) 200 requirements and general security advice | Government agencies | N/A | Self | N/A | N/A |
NIST Special Publication 800-171 | Management of controlled unclassified information (CUI) to protect federal information systems | Contractors and subcontractors of federal agencies | N/A | Self | N/A | N/A |
IAB CCPA | Protecting California consumers’ data | California businesses and advertising tech companies | N/A | Self | N/A | N/A |
CIS Controls | General protection against cyber threats | Anyone | Yes | Third-party | | |
Resources
- Linux Foundation IT Policy (https://github.com/lfit/itpol)
- https://wiki.mozilla.org/Security
- https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- https://secureframe.com/blog/security-frameworks
- How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS, and DISA-STIG (https://www.brighttalk.com/webcast/6793/591276). This 50-minute video from Canonical gives insight into how an enterprise MediaWiki deployment can address the concerns these frameworks raise.