Difference between revisions of "Security"

From Freephile Wiki
Jump to navigation Jump to search
VisualWikitext
(update links)
(add security frameworks)
Line 11: Line 11:
  
  
== free software that secures your communication ==
+
==free software that secures your communication==
  
 
[https://www.torproject.org/ The Onion Router] (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications.
 
[https://www.torproject.org/ The Onion Router] (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications.
Line 19: Line 19:
 
https://signal.org/ offers tools that integrate with your iPhone or Android phone and desktop.
 
https://signal.org/ offers tools that integrate with your iPhone or Android phone and desktop.
  
== Resources ==
+
<br />
# [https://github.com/lfit/itpol Linux Foundation IT Policy]
+
 
# https://wiki.mozilla.org/Security
+
== Security Frameworks ==
# https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
+
 
 +
 
 +
14 Security Frameworks You Should Know
 +
{| class="wikitable"
 +
!Framework
 +
|Purpose
 +
|Best Suited For
 +
|Certification
 +
|Certification Method
 +
|Audit Duration
 +
|Audit Frequency
 +
|-
 +
!SOC 2
 +
|Manage customer data
 +
|Companies and their third-party partners
 +
|N/A
 +
|Authorized CPA firms
 +
|6-month period
 +
|Every year
 +
|-
 +
!ISO 27001
 +
|Build and maintain an information security management system (ISMS)
 +
|Any company handling sensitive data
 +
|Yes
 +
|Accredited third-party
 +
|1 week-1 month
 +
|Every year
 +
|-
 +
!NIST Cybersecurity Framework
 +
|Comprehensive and personalized security weakness identification
 +
|Anyone
 +
|N/A
 +
|Self
 +
|N/A
 +
|N/A
 +
|-
 +
!HIPAA
 +
|Protect patient health information
 +
|The healthcare sector
 +
|Yes
 +
|The Department of Health and Human Services (third-party)
 +
|12 weeks
 +
|6 per year
 +
|-
 +
!PCI DSS
 +
|Keep card owner information safe
 +
|Any company handling credit card information
 +
|Yes
 +
|PCI Qualified Security Assessor (third-party)
 +
|18 weeks
 +
|Every year
 +
|-
 +
!GDPR
 +
|Protect the data of people in the EU
 +
|All businesses that collect the data of EU citizens
 +
|Yes
 +
|Third-party
 +
|About 30 days
 +
|Depends on preference
 +
|-
 +
!HITRUST CSF
 +
|Enhance security for healthcare organizations and technology vendors
 +
|The healthcare sector / Anyone
 +
|Yes
 +
|Third-party
 +
|3-4 months
 +
|Every year
 +
|-
 +
!COBIT
 +
|Alignment of IT with business goals, security, risk management, and        information governance
 +
|Publicly traded companies
 +
|Yes
 +
|ISACA (third-party)
 +
|N/A
 +
|N/A
 +
|-
 +
!NERC-CIP
 +
|Keep North America’s bulk electric systems operational
 +
|The utility and power sector
 +
|Yes
 +
|Third-party
 +
|Up to 3 years
 +
|Every 5 years
 +
|-
 +
!FISMA
 +
|Protect the federal government’s assets
 +
|The federal government and third parties operating on its behalf
 +
|Yes
 +
|The FISMA Center
 +
|12 weeks
 +
|Every year
 +
|-
 +
!NIST Special Publication 800-53
 +
|Compliance with the Federal Information Processing Standards' (FIPS)        200 requirements and general security advice
 +
|Government agencies
 +
|N/A
 +
|Self
 +
|N/A
 +
|N/A
 +
|-
 +
!NIST Special Publication 800-171
 +
|Management of controlled unclassified information (CUI) to protect        federal information systems
 +
|Contractors and subcontractors of federal agencies
 +
|N/A
 +
|Self
 +
|N/A
 +
|N/A
 +
|-
 +
!IAB CCPA
 +
|Protecting California consumers’ data
 +
|California businesses and advertising tech companies
 +
|N/A
 +
|Self
 +
|N/A
 +
|N/A
 +
|-
 +
!CIS Controls
 +
|General protection against cyber threats
 +
|Anyone
 +
|Yes
 +
|Third-party
 +
|}
 +
 
 +
==Resources==
 +
 
 +
#[https://github.com/lfit/itpol Linux Foundation IT Policy]
 +
#https://wiki.mozilla.org/Security
 +
#https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
 +
#https://secureframe.com/blog/security-frameworks
  
 
[[Category:Security]]
 
[[Category:Security]]

Revision as of 14:54, 25 August 2023

Security Dialog-information.svg
Lets Encrypt
Image shows: Lets Encrypt
Summary
Title: Security
Description: Using SSL and TLS Deployment Best Practices, QualityBox gets an A+ rating for security.
More
Notes: Certificates provided by the Let's Encrypt project
Test: Test on SSL Labs.com
Example: See File:Certificate grade.png





free software that secures your communication[edit | edit source]

The Onion Router (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications.

There are others too... like Jami

https://signal.org/ offers tools that integrate with your iPhone or Android phone and desktop.


Security Frameworks[edit | edit source]

14 Security Frameworks You Should Know

Framework Purpose Best Suited For Certification Certification Method Audit Duration Audit Frequency
SOC 2 Manage customer data Companies and their third-party partners N/A Authorized CPA firms 6-month period Every year
ISO 27001 Build and maintain an information security management system (ISMS) Any company handling sensitive data Yes Accredited third-party 1 week-1 month Every year
NIST Cybersecurity Framework Comprehensive and personalized security weakness identification Anyone N/A Self N/A N/A
HIPAA Protect patient health information The healthcare sector Yes The Department of Health and Human Services (third-party) 12 weeks 6 per year
PCI DSS Keep card owner information safe Any company handling credit card information Yes PCI Qualified Security Assessor (third-party) 18 weeks Every year
GDPR Protect the data of people in the EU All businesses that collect the data of EU citizens Yes Third-party About 30 days Depends on preference
HITRUST CSF Enhance security for healthcare organizations and technology vendors The healthcare sector / Anyone Yes Third-party 3-4 months Every year
COBIT Alignment of IT with business goals, security, risk management, and information governance Publicly traded companies Yes ISACA (third-party) N/A N/A
NERC-CIP Keep North America’s bulk electric systems operational The utility and power sector Yes Third-party Up to 3 years Every 5 years
FISMA Protect the federal government’s assets The federal government and third parties operating on its behalf Yes The FISMA Center 12 weeks Every year
NIST Special Publication 800-53 Compliance with the Federal Information Processing Standards' (FIPS) 200 requirements and general security advice Government agencies N/A Self N/A N/A
NIST Special Publication 800-171 Management of controlled unclassified information (CUI) to protect federal information systems Contractors and subcontractors of federal agencies N/A Self N/A N/A
IAB CCPA Protecting California consumers’ data California businesses and advertising tech companies N/A Self N/A N/A
CIS Controls General protection against cyber threats Anyone Yes Third-party

Resources[edit | edit source]

  1. Linux Foundation IT Policy
  2. https://wiki.mozilla.org/Security
  3. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  4. https://secureframe.com/blog/security-frameworks

Secure Sockets Layer = secure (encrypted) underpinning for HTTP

Transport Layer Security

Systems and Organization Controls (SOC) 2 is a set of compliance criteria developed by the American Institute of Certified Public Accountants (AICPA).

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by NIST based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

The Health Insurance Portability and Accountability Act is a 1996 federal statute that created standards for protecting patient health information. All healthcare organizations must follow cybersecurity practices and run risk assessments to comply with HIPAA.

The Payment Card Industry Data Security Standard was created in 2006 to ensure that all companies that accept, process, store, or transmit credit card information operate securely. The framework is primarily intended to keep cardholder information safe. All companies handling this information must comply with PCI DSS, regardless of size. The framework is administered and enforced by the Payment Card Industry Security Standards Council.

The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on Information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

Retrieved from "https://wiki.freephile.org/wiki/index.php?title=Security&oldid=10285"