Certified Ethical Hacker Domain 6: Information Security Policies, Laws and Acts
In this article, we’ll discuss the differences in information security policies and what goes into designing good ones. We give examples of each, discussing industry-wide accepted security standards and laws that different countries have put in place over time to combat the ever-increasing threat of cyber-crime.
CEH candidates will be required to have a basic understanding of this domain; it is the least weighty of the seven CEH domains, with only 1.9% of the total exam weight and only two test items.
Overview of Information Security Policies
In the information security industry today, organizations typically lay down a security plan that is first discussed by top management. Accepted plans are then passed to middle management, team leaders and eventually to the executives. These security plans are usually captured in documents referred to as policies, which come in different types and have different applications. The exam tests candidates' ability to correctly identify these policy types in a given scenario.
Types of Information Security Policies
Information security policies are high-level documents defining the vision of the organization’s security goals, scope, responsibilities and needs. They can generally be categorized into three main types:
- Organizational (master) policy: This can also be considered a general outline (overall strategy) of the entire organization’s security program
- System-specific policy: This can be considered as the accepted rules for specific systems or computers in the organization. Accepted rules can be on hardware, software or even hardening requirements
- Issue-specific policy: This type of policy concerns itself with functional aspects that may require more attention within the organization
A given policy may fall into any of the categories above, and being able to categorize policies quickly and correctly is an advantage when preparing for the exam. Candidates also need a general understanding of these high-level policies and should know what standards, security baselines and security procedures each one entails.
Examples of Security Policies
The CEH exam also examines the basic policies that are required when building a security program within an organization. Note that the list below is not exhaustive: these are simply the most common policies, and many more can be found online if you are interested in looking them up.
- Acceptable Use Policy (AUP)
- Access Control Policy (ACP)
- Change Management Policy
- Information Security Policy
- Incident Response Policy
Privacy Policies at the Workplace
Candidates will be tested on their ability to assess the areas of security that are important in an organization and how these influence the security policies to be implemented.
During such an assessment, several factors are of key importance, for instance the company's structure, size and budget. Workplace security policies must also be revised regularly; legal compliance updates, business changes, and incidents or imminent threats are just a few of the triggers for revision that candidates will be expected to understand.
Overview of the Common Laws and Standards
Payment Card Industry Data Security Standard (PCI-DSS)
The PCI-DSS standard is an information security standard for use in organizations that handle branded credit cards for the major card schemes. A “card scheme” is simply a network that is linked to payment cards, such as credit and debit cards. A financial institution may become a member of a scheme, allowing it to issue or obtain cards operating on the network of the card scheme.
Candidates need a very basic understanding of how three-party and four-party card schemes work. The most important thing to know, though, is that PCI-DSS covers payment processing and that fines can be incurred for non-compliance.
ISO/IEC 27001:2013
This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. Candidates need only a very general understanding of its requirements for assessing and treating information security risks. Candidates should also note that the requirements set out in ISO/IEC 27001:2013 are deliberately generic and therefore apply to all organizations regardless of size, type or nature.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is 1996 United States legislation containing data security and privacy provisions intended to safeguard medical information. It has risen to prominence over the years as a result of numerous data breaches (including ransomware attacks) affecting health providers and insurers. Candidates need only a very general understanding of this legislation. It has five sections (titles); the one that matters for the exam is Title II, HIPAA Administrative Simplification, which is the section people mean when they speak of HIPAA compliance.
Candidates must be able to identify information that is protected by HIPAA (what is considered protected health information), who is covered, administrative requirements and the penalties that can be faced in case of violation.
Sarbanes-Oxley Act (SOX)
In the wake of the fraud at Enron, WorldCom and Tyco, the Sarbanes-Oxley Act went into effect in 2002. Its aim was to protect stakeholders and the general public from accounting errors and fraudulent activities within organizations, and it was designed to improve the accuracy and accountability of corporate disclosures.
SOX is still very much relevant today. It applies to accounting firms and third parties that provide financial services to covered organizations, and to all publicly held American and international organizations that have registered equity and/or debt securities with the U.S. Securities and Exchange Commission (SEC). Candidates will be expected to have a general understanding of the act.
Federal Information Security Management Act (FISMA)
FISMA, passed in 2002, is a United States federal law that forms part of the larger E-Government Act. It allows federal agencies to develop, document and implement an information security and protection program. Its main aim was, and remains, to reduce security risks to federal information and data while managing spending on information security. Candidates should also be aware of FISMA best practices, the benefits of FISMA compliance and the penalties associated with non-compliance.
Information security continues to evolve, with new and unforeseen attacks emerging almost daily. All of this suggests that more laws and restrictions will emerge in the future, with even more nations enforcing seemingly dictatorial laws. Candidates must familiarize themselves with the changing landscape of cyber-law and its future trends. However, given the small number of test items in this domain, candidates should also study smart and not take on too much here. Study smart and good luck!