Cyber Security

Definition

Standards as definitions are agreed-upon, documented rules or specifications developed by recognized bodies to ensure consistency, quality, safety, and interoperability in products, services, and processes. 

Applying that on cybersecurity, it can be defined as following:

Security standards define minimum required controls and best practices to protect systems, data, and operations. They ensure a consistent security baseline across an enterprise and allow audit, certification, and compliance tracking. 

The following sections will mention the detailed standards for cybersecurity as per area:

1-App Security

• OWASP: Improve web/mobile app security During SDLC: design, coding, testing

• CNCF: Cloud Native Computing Foundation – governs cloud-native ecosystems, Promote secure, scalable microservices 

2-Data Focus

• GDPR: A legal framework that sets standards for collecting, processing, storing & transferring personal data of EU citizens, giving them more control over their data. 

3-Compliant focus

• ISO: International standard for Information Security Management Systems (ISMS) ,To build and certify a risk-based security program across people, process, tech, Implement controls from ISO 27002, perform risk assessments, audits, get certified  

• NIST (National Institute of Standards and Technology): U.S. government-backed standards (e.g., NIST CSF, 800-53, 800-171) , Public/private orgs wanting risk-based, modular security 

• ISACA: Global org for IT governance, author of COBIT, Risk IT, CSX, se COBIT for governance, CSX for cyber resilience, map to ISO/NIST/PCI 

4-Threat detection/Simulation

• MITRE: U.S. nonprofit R&D org managing cybersecurity knowledge bases (e.g., ATT&CK, CVE) , To classify threats, adversary behaviors, and share vulnerability intelligence, Use MITRE ATT&CK for TTPs, CVE for known vulnerabilities, integrate with SIEM/EDR 

• STRIDE: By microsoft

5-Cloud and SaaS Security

• CSA: Cloud Security Alliance – defines cloud security best practices, Secures cloud environments & services, Use in cloud design, vendor selection, and third-party risk assessments

• CNCF: Cloud Native Computing Foundation, A Linux Foundation project that governs and supports cloud-native open-source technologies like Kubernetes, Prometheus, and Envoy. o standardize, secure, and scale modern applications using containers, microservices, and declarative APIs. It drives interoperability and vendor-neutral innovation.  

6-Software Process

• DevSecOps

7- CIS in depth

Center of internet security, latest version of the framework is v8, released in May 21.

CIS Controls (v8) has 18 Practice Domains

1. Inventory & Control of Enterprise Assets

2. Inventory & Control of Software Assets

3. Data Protection

4. Secure Configuration of Assets

5. Account Management

6. Access Control Management

7. Continuous Vulnerability Management

8. Audit Log Management

9. Email & Web Browser Protections

10. Malware Defenses

11. Data Recovery Capabilities

12. Network Infrastructure Management

13. Security Awareness & Skills Training

14. Security Operations Center (SOC) & Monitoring

15. Incident Response Management

16. Application Software Security

17. Penetration Testing

18. Service Provider Management

8- NIST in depth

National Institute of Standards and Technology, A U.S. government agency (since 1901) under the Department of Commerce.

It develops standards, guidelines, and best practices for: cybersecurity, measurements, and industrial quality.

NIST Cybersecurity Framework (CSF v2.0) — 5 Core Functions & Categories

1. Identify

• Asset Management

• Governance

• Risk Assessment

• Supply Chain Risk Management

2. Protect

• Identity Management & Access Control

• Awareness & Training

• Data Security

• Protective Technology

3. Detect

• Anomalies & Events

• Continuous Security Monitoring

• Detection Processes

4. Respond

• Response Planning

• Communications

• Analysis

• Mitigation

• Improvements

5. Recover

• Recovery Planning

• Improvements

• Communications

9- GDPR : DiD is the technical implementation of GDPR

What is?

General Data Protection Regulation, The European Union’s data protection and privacy law.

It has been applied and Effective by 25 May 2018.
The objective of this standard is to protect the personal data & privacy of EU citizens.

Applies to any organization, anywhere, that processes data of EU residents.

GDPR Core principles:

1. Lawfulness, fairness & transparency: Why

• • • • Show a clear consent banner + privacy policy dialog before collecting data. Include just-in-time notices when collecting sensitive info. 

      • Implement opt-out mechanisms for tracking

        • • Unsubscribe

          • Do not save cookies

2. Purpose limitation: Secure

• • • • Architect your database so each data field is linked to a specific purpose flag. Deny use of data outside its intended scope. 

3. Data minimization: Minimalization

• • • • Design forms & APIs to collect only required fields. Validate on backend that extra fields cannot be submitted.

4. Accuracy

• • • • Implement self-service profile management so users can update/correct their own data. Validate inputs properly. 

5. Storage limitation

• • • • Automate deletion/anonymization routines after a defined retention period. Use CRON jobs or scheduled tasks to purge data. 

6. Integrity & confidentiality

• • • • Use TLS for data in transit, AES-256 for data at rest, role-based access control (RBAC), audit logs & monitoring. 

7. Accountability

• • • • Log all consent decisions, data access events & retention/deletion actions. Store evidence of compliance in an audit-friendly way. 

In short:

• Defense in depth = technical enforcement of GDPR.

• Each GDPR principle ties back to at least one layer of defense.

• This ensures privacy by design + security by default

GDPR Implementation Guidelines:

• Highlight required data that will be used in the solution

• Get Customer approval

• Encrypt user data in transit and at rest

• Encrypt communication channel

• Log all user actions

• Do not over-expose user data within FE or API 

• Have a concrete retention policy

• Notify before saving any data on the cache