Cybersecurity Laws, Regulations & Standards Cheat Sheet
1️⃣ Cybersecurity Laws & Regulations
These laws govern data privacy, security, and compliance across industries.
| Law/Regulation | Region | Industry | Key Requirements |
|---|---|---|---|
| HIPAA (1996) | 🇺🇸 US | Healthcare | Protects patient health information (PHI), requires encryption & security controls. |
| FERPA (1974) | 🇺🇸 US | Education | Grants students/parents rights to access & modify education records. |
| GLBA (1999) | 🇺🇸 US | Finance | Requires financial institutions to protect customer data and disclose privacy policies. |
| GDPR (2016) | EU | All Sectors | Strict data protection laws; includes Right to Be Forgotten, breach notification rules. |
| CCPA (2018) | 🇺🇸 California | Consumer Privacy | Gives consumers right to know, opt-out, delete personal data from businesses. |
| Key Disclosure Laws | 🇬🇧 UK, 🇦🇺 AU | Law Enforcement | Allows governments to compel decryption key disclosure in investigations. |
🚨 Takeaway
- GDPR affects companies worldwide if handling EU citizen data.
- CCPA impacts businesses with consumers in California.
- HIPAA, FERPA, and GLBA apply to specific industries.
2️⃣ Cybersecurity Standards & Compliance Frameworks
These frameworks guide cybersecurity best practices.
| Framework | Purpose | Key Focus Areas |
|---|---|---|
| PCI DSS | Payment Security | Protects credit card transactions, mandates encryption & access controls. |
| CIS Top 18 | General Security | 18 best practices for IT security & risk management. |
| NIST CSF | Risk Management | Five functions: Identify, Protect, Detect, Respond, Recover. |
| MITRE ATT&CK | Threat Intelligence | Catalogs adversary attack techniques for cyber defense. |
| MITRE D3FEND | Defensive Security | Counter-framework to ATT&CK; maps defensive measures. |
| Cyber Kill Chain | Attack Lifecycle | 7 phases from Reconnaissance → Actions on Objectives. |
| ISA/IEC 62443 | Industrial Security | Protects Industrial Control Systems (ICS) & Operational Technology (OT). |
| FedRAMP | Cloud Security | Standardized security for US government cloud services. |
Takeaway
- NIST CSF & CIS Top 18 → Best for general cybersecurity risk management.
- PCI DSS & FedRAMP → Industry-specific for payment security & cloud compliance.
- MITRE ATT&CK & Cyber Kill Chain → Help with cyber threat detection & response.
3️⃣ Cybersecurity Strategies & Best Practices
- Zero Trust Security → No implicit trust, always verify users & devices.
- Defense in Depth → Multiple security layers (firewalls, MFA, encryption).
- Threat Intelligence & Threat Modeling → Understand attack methods & mitigate threats.
- Table-Top Exercises → Simulate cyber incidents to test response readiness.
- Backup & Disaster Recovery → Follow the 3-2-1 Rule:
  - 3 copies of data
  - 2 different storage types
  - 1 offsite backup
- Logging & Chaos Testing → Proactively monitor systems & stress-test defenses.
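The 3-2-1 rule above is easy to state but often only partly met in practice (three snapshots on the same NAS in the same building satisfy "3" and nothing else). The following is an added example, not part of the original cheat sheet: a small Python checker that evaluates a backup inventory against each of the three conditions separately, so an audit shows which one is missing. The `BackupCopy` record format and the sample inventories are assumptions constructed for this example.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example; not from the cheat sheet. The BackupCopy record layout and
the sample inventories below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str      # label for the copy (assumed field)
    media: str     # storage type, e.g. "disk", "tape", "object-storage"
    site: str      # where the copy physically/logically lives
    offsite: bool  # True when stored away from the primary site


def check_321(copies: list[BackupCopy]) -> dict[str, bool]:
    """Return which of the three 3-2-1 conditions the inventory satisfies.

    - three_copies: at least 3 copies (the live/primary data counts as one)
    - two_media:    copies span at least 2 distinct storage types
    - one_offsite:  at least 1 copy is stored off the primary site
    """
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def missing_conditions(copies: list[BackupCopy]) -> list[str]:
    """Names of the 3-2-1 conditions that are NOT met, in rule order."""
    return [name for name, ok in check_321(copies).items() if not ok]


def is_321_compliant(copies: list[BackupCopy]) -> bool:
    return not missing_conditions(copies)


# Constructed sample inventory that meets the rule:
# primary disk + local tape + cloud object storage in another region.
GOOD = [
    BackupCopy("primary", "disk", "hq", False),
    BackupCopy("nightly-tape", "tape", "hq", False),
    BackupCopy("cloud-archive", "object-storage", "cloud-region-1", True),
]

# Constructed inventory that only LOOKS compliant: three copies, but all on
# disk and all in the same building. A fire or a ransomware event that
# reaches the NAS takes out every copy at once.
SAME_NAS = [
    BackupCopy("primary", "disk", "hq", False),
    BackupCopy("snapshot-1", "disk", "hq", False),
    BackupCopy("snapshot-2", "disk", "hq", False),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("SAME_NAS", SAME_NAS)):
        gaps = missing_conditions(inventory)
        print(f"{label}: {'compliant' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feeding a real inventory into `check_321` is more useful than a single pass/fail: the `SAME_NAS` case reports `two_media` and `one_offsite` as missing, which is exactly the shortfall to fix before relying on the backups for disaster recovery.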
🔥 Final Quick Summary
✔️ Laws like HIPAA, GDPR, and CCPA regulate data security & privacy.
✔️ Standards like NIST CSF, PCI DSS, and CIS Top 18 guide cybersecurity best practices.
✔️ Frameworks like MITRE ATT&CK & Cyber Kill Chain help understand cyber threats.
✔️ Security Strategies (Zero Trust, Defense in Depth) enhance protection.