Wilson Mar bio photo

Wilson Mar

Hello. Hire me!

Email me Calendar Skype call 310 320-7878

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

Enterprise data risks and vulnerabilities and how to mitigate them with controls

Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Cyrillic Russian   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


This page contains my notes on resources for Cyber Security, which is a vast field. This single page is just for reference.

Adobe Common Control Framework

Adobe open-sourced its Common Control Framework which encompasses several security frameworks. Adobe’s CCF covers ISO 27001, SOC, FedRAMP, PCI DSS, GLBA, FERPA, and others. Download the pdf. Adobe’s control families is most comprehensive:

  1. Asset management
  2. Business Continuity
  3. Backup Management
  4. Configuration Management
  5. Change Management
  6. Data Management
  7. Identity and Acccess Management
  8. Incident Response
  9. Mobile Device Management
  10. Network Operations
  11. People Resources
  12. Risk Management
  13. System Design Documentation
  14. Security Governance
  15. Service Lifecycle
  16. Systems Monitoring
  17. Site Operations
  18. Training and Awareness
  19. Third Party Management
  20. Vulnerability Management

Amazon’s Compliance


Compliance Programs at
covers security requirements in Canada, Asia Pacific, and Europe.

Amazon Compliance at

Center for Internet Security (CIS)

The Center for Internet Security (CIS) is a community of users, vendors and subject matter experts working together through consensus collaboration to deliver a framework that provides a starting point for organizations interested in implementing …

  1. Download the CIS Controls poster (CIS-Controls-V7-Poster.pdf) from:



  2. Download CIS Benchmark pdf files for each product (Amazon Linux, MongoDB, etc.) from:


    PROTIP: View the “Distribution Independent Linux Benchmark” first because Benchmarks specific to a Linux distribution repeat much of its contents.

  3. Download and review “Measures and Metrics” pdf and excel:


CIS Security Benchmarks for Linux

These are common asset items to be protected, as addressed by CIS Benchmarks across several Linux distributions:

  1. Initial setup 1.1. Filesystem Configuration 1.2. Configure Software Updates 1.3. Filesystem Integrity Checking 1.4. Secure Boot Settings 1.5. Additional Processing Hardening 1.6. Mandatory Access Control 1.7. Warning Banners

  2. Services 2.1. inetd Services 2.2. Special Purpose Services 2.3. Service Clients

  3. Network Configuration 3.1. Network Parameters (Host Only) 3.2. Network Parametres (Host and Router) 3.3. IPv6 3.4. TCP Wrappers 3.5. Uncommon Network Protocols 3.6. Firewall Configuration

  4. Logging and Auditing 4.1. Configure System Accounting (auditd) 4.2. Configure Logging

  5. Access, Authentication, and Authorization 5.1. Configure cron 5.2. SSH Server Configuration 5.3. Configure PAM 5.4. User Accounts and Environment

  6. System Maintenance 6.1. System File Permissions 6.2. User and Group Settings

Under each sub-item above are specific recommendations with Bash script commands to implement them out and commands to audit whether they have been implemented. That code is incorporated in the “CIS-CAT Lite (CIS Configuration Assessment Tool)” below.

Items in the Benchmark described as (Scored) indicates when compliance with the given recommendation impacts the assessed target’s benchmark score. Failure to comply with “Scored” recommendations will decrease the final benchmark score. Compliance with “Scored” recommendations will increase the final benchmark score. Compliance on “(Unscored)” items make no difference to the total score.

Compliance scores go to 100.

“CIS Controls Measures and Metrics for Version 7” Excel spreadsheet (file CIS-Controls-Version-7-cc.xlsx) contains 170 sub-controls applicable to these 20 controls (“best practices”) described by the CIS Controls Companion Guide:

file CIS-Controls-Version-7-cc.pdf from https://learn.cisecurity.org/20-controls-download


  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs


  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control


  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

The AWS (Amazon Web Services) Well Architected Framework books cover many of the above, but at a rather high-level.

Below is an approach that can be used for Gap Analysis of what needs to be done to protect hardware, software, and data assets.

CIS Sub-Controls alphabetically by Sensor

A. Active Device Discovery System

  • 1.1 Utilize an Active Discovery Tool

B. Anti-Spam Gateway

  • 7.8 Implement DMARC and Enable Receiver-Side Verification
  • 7.9 Block Unnecessary File Types
  • 7.10 Sandbox All Email Attachments

C. Application Aware Firewall

  • 9.5 Implement Application Firewalls

D. Asset Inventory System

  • 1.4 Maintain Detailed Asset Inventory
  • 1.5 Maintain Asset Inventory Information
  • 1.6 Address Unauthorized Assets

E. Backup / Recovery System

  • 10.1 Ensure Regular Automated Back Ups
  • 10.2 Perform Complete System Backups
  • 10.3 Test Data on Backup Media
  • 10.4 Ensure Protection of Backups
  • 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination

F. Data Inventory / Classification System

  • 13.1 Maintain an Inventory Sensitive Information
  • 13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
  • 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data

G. Dedicated Administration Systems

  • 4.6 Use of Dedicated Machines For All Administrative Tasks
  • 11.6 Use Dedicated Machines For All Network Administrative Tasks
  • 11.7 Manage Network Infrastructure Through a Dedicated Network

H. DNS Domain Filtering System

  • 7.6 Log all URL requests
  • 7.7 Use of DNS Filtering Services
  • 8.7 Enable DNS Query Logging

I. Endpoint Protection System

  • 8.1 Utilize Centrally Managed Anti-malware Software
  • 8.2 Ensure Anti-Malware Software and Signatures are Updated
  • 8.4 Configure Anti-Malware Scanning of Removable Devices
  • 8.6 Centralize Anti-malware Logging
  • 13.7 Manage USB Devices
  • 13.8 Manage System’s External Removable Media’s Read/write Configurations
  • 13.9 Encrypt Data on USB Storage Devices

J. Host Based Data Loss Prevention (DLP) System

  • 14.7 Enforce Access Control to Data through Automated Tools
  • 14.8 Encrypt Sensitive Information at Rest

K. Host Based Firewall

  • 9.4 Apply Host-based Firewalls or Port Filtering

L. Identity & Access Management System

  • 16.1 Maintain an Inventory of Authentication Systems
  • 16.2 Configure Centralized Point of Authentication
  • 16.4 Encrypt or Hash all Authentication Credentials
  • 16.5 Encrypt Transmittal of Username and Authentication Credentials
  • 16.6 Maintain an Inventory of Accounts
  • 16.7 Establish Process for Revoking Access
  • 16.8 Disable Any Unassociated Accounts
  • 16.9 Disable Dormant Accounts
  • 16.10 Ensure All Accounts Have An Expiration Date
  • 16.11 Lock Workstation Sessions After Inactivity

M. Incident Management Plans

  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
  • 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
  • 19.8 Create Incident Scoring and Prioritization Schema

N. Log Management System / SIEM

  • 1.3 Use DHCP Logging to Update Asset Inventory
  • 4.8 Log and Alert on Changes to Administrative Group Membership
  • 4.9 Log and Alert on Unsuccessful Administrative Account Login
  • 6.2 Activate audit logging
  • 6.3 Enable Detailed Logging
  • 6.4 Ensure adequate storage for logs
  • 6.5 Central Log Management
  • 6.6 Deploy SIEM or Log Analytic tool
  • 6.7 Regularly Review Logs
  • 6.8 Regularly Tune SIEM
  • 8.8 Enable Command-line Audit Logging
  • 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data
  • 16.12 Monitor Attempts to Access Deactivated Accounts
  • 16.13 Alert on Account Login Behavior Deviation

O. Multi-Factor Authentication System

  • 4.5 Use Multifactor Authentication For All Administrative Access
  • 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
  • 12.11 Require All Remote Login to Use Multi-factor Authentication
  • 16.3 Require Multi-factor Authentication

P. Network Based Data Loss Prevention (DLP) System

  • 13.3 Monitor and Block Unauthorized Network Traffic
  • 13.5 Monitor and Detect Any Unauthorized Use of Encryption

Q. Network Based Intrusion Detection System (NIDS)

  • 12.6 Deploy Network-based IDS Sensor

R. Network Based Intrusion Prevention System (IPS)

  • 12.7 Deploy Network-Based Intrusion Prevention Systems

S. Network Device Management System

  • 11.1 Maintain Standard Security Configurations for Network Devices
  • 11.2 Document Traffic Configuration Rules
  • 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
  • 11.4 Install the Latest Stable Version of Any Security-related Updates on All Network Devices
  • 12.8 Deploy NetFlow Collection on Networking Boundary Devices
  • 15.1 Maintain an Inventory of Authorized Wireless Access Points
  • 15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
  • 15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
  • 15.10 Create Separate Wireless Network for Personal and Untrusted Devices

T. Network Firewall / Access Control System

  • 2.10 Physically or Logically Segregate High Risk Applications
  • 12.1 Maintain an Inventory of Network Boundaries
  • 12.3 Deny Communications with Known Malicious IP Addresses
  • 12.4 Deny Communication over Unauthorized Ports
  • 12.9 Deploy Application Layer Filtering Proxy Server
  • 12.10 Decrypt Network Traffic at Proxy
  • 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
  • 14.1 Segment the Network Based on Sensitivity
  • 14.2 Enable Firewall Filtering Between VLANs
  • 14.3 Disable Workstation to Workstation Communication

U. Network Level Authentication (NLA)

  • 1.7 Deploy Port Level Access Control

V. Network Packet Capture System

  • 12.5 Configure Monitoring Systems to Record Network Packets

W. Network Time Protocol (NTP) Systems

  • 6.1 Utilize Three Synchronized Time Sources

X. Network URL Filtering System

  • 7.4 Maintain and Enforce Network-Based URL Filters
  • 7.5 Subscribe to URL-Categorization service

Y. Passive Device Discovery System

  • 1.2 Use a Passive Asset Discovery Tool

Z. Patch Management System

  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools

AA. Penetration Testing Plans

  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
  • 20.5 Create Test Bed for Elements Not Typically Tested in Production
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
  • 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
  • 20.8 Control and Monitor Accounts Associated with Penetration Testing

AB. Privileged Account Management System

  • 4.1 Maintain Inventory of Administrative Accounts
  • 4.2 Change Default Passwords
  • 4.3 Ensure the Use of Dedicated Administrative Accounts
  • 4.4 Use Unique Passwords

AC. Public Key Infrastructure (PKI)

  • 1.8 Utilize Client Certificates to Authenticate Hardware Assets

AD. SCAP Based Vulnerability Management System

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.2 Perform Authenticated Vulnerability Scanning
  • 3.3 Protect Dedicated Assessment Accounts
  • 3.6 Compare Back-to-back Vulnerability Scans
  • 3.7 Utilize a Risk-rating Process
  • 5.5 Implement Automated Configuration Monitoring Systems
  • 9.1 Associate Active Ports, Services and Protocols to Asset Inventory
  • 9.2 Ensure Only Approved Ports, Protocols and Services Are Running
  • 9.3 Perform Regular Automated Port Scans

AE. Secure Coding Standards

  • 18.1 Establish Secure Coding Practices
  • 18.2 Ensure Explicit Error Checking is Performed for All In-house Developed Software
  • 18.3 Verify That Acquired Software is Still Supported
  • 18.4 Only Use Up-to-date And Trusted Third-Party Components
  • 18.5 Use Only Standardized and Extensively Reviewed Encryption Algorithms
  • 18.9 Separate Production and Non-Production Systems

AF. Software Application Inventory

  • 2.1 Maintain Inventory of Authorized Software
  • 2.2 Ensure Software is Supported by Vendor
  • 2.3 Utilize Software Inventory Tools
  • 2.4 Track Software Inventory Information
  • 2.5 Integrate Software and Hardware Asset Inventories
  • 2.6 Address unapproved software

AG. Software Vulnerability Scanning Tool

  • 18.7 Apply Static and Dynamic Code Analysis Tools
  • 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities

AH. Software Whitelisting System

  • 2.7 Utilize Application Whitelisting
  • 2.8 Implement Application Whitelisting of Libraries
  • 2.9 Implement Application Whitelisting of Scripts
  • 4.7 Limit Access to Script Tools
  • 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
  • 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins

AI. System Configuration Baselines & Images

  • 5.1 Establish Secure Configurations
  • 5.2 Maintain Secure Images
  • 5.3 Securely Store Master Images

AJ. System Configuration Enforcement System

  • 5.4 Deploy System Configuration Management Tools
  • 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
  • 8.3 Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies
  • 8.5 Configure Devices Not To Auto-run Content
  • 12.2 Scan for Unauthorized Connections across Trusted Network Boundaries
  • 12.12 Manage All Devices Remotely Logging into Internal Network
  • 14.4 Encrypt All Sensitive Information in Transit
  • 14.6 Protect Information through Access Control Lists
  • 15.2 Detect Wireless Access Points Connected to the Wired Network
  • 15.4 Disable Wireless Access on Devices if Not Required
  • 15.5 Limit Wireless Access on Client Devices
  • 15.6 Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
  • 15.9 Disable Wireless Peripheral Access of Devices
  • 18.11 Use Standard Hardening Configuration Templates for Databases

AK. Training / Awareness Education Plans

  • 17.1 Perform a Skills Gap Analysis
  • 17.2 Deliver Training to Fill the Skills Gap
  • 17.3 Implement a Security Awareness Program
  • 17.4 Update Awareness Content Frequently
  • 17.5 Train Workforce on Secure Authentication
  • 17.6 Train Workforce on Identifying Social Engineering Attacks
  • 17.7 Train Workforce on Sensitive Data Handling
  • 17.8 Train Workforce on Causes of Unintentional Data Exposure
  • 17.9 Train Workforce Members on Identifying and Reporting Incidents
  • 18.6 Ensure Software Development Personnel are Trained in Secure Coding

AL. Web Application Firewall (WAF)

  • 18.10 Deploy Web Application Firewalls (WAFs)

AM. Whole Disk Encryption System

  • 13.6 Encrypt the Hard Drive of All Mobile Devices.

AN. Wireless Intrusion Detection System (WIDS)

  • 15.3 Use a Wireless Intrusion Detection System

CIS states the status of the above Control Measures as the percentage among all the organization’s assets. But CIS doesn’t weight some parts of the organization more over others.

CIS borrows from Statistics for the area under the curve at integer levels of Standard Deviation (called a Sigma). CIS scores are named “Sigma Level One” to “Sigma Level Six”, with One at 69% or Less 31% or Less 6.7% or Less 0.62% or Less 0.023% or Less 0.00034% or Less

PROTIP: Also identify and count the base of consideration whether controls are applicable. A control may not be applicable to every item or organizational role assessed. Such are a separate set of calculation not addressed by CIS but need to be considered nonetheless to measure progress toward assessment completion.

The above form the basis for Security Implementation Plans provided by services vendors such as GuidePoint. Such plans sequence work so that technical and organizational dependencies among tasks are achieved in the appropriate order.

CIS Lite

  1. Make a full backup of your machine before starting this procedure.
  2. Request an email to download the free “CIS-CAT Lite (CIS Configuration Assessment Tool)” at https://learn.cisecurity.org/cis-cat-lite (file CIS-CAT Lite v3.0.56.zip).

    “CIS-CAT Lite provides a fast, detailed assessment of your system’s conformance with CIS Benchmarks for Windows 10, Mac OS, Ubuntu, and Google Chrome. Simply run the tool,receive a compliance score (1 - 100) and quickly view remediation steps for non-compliant settings.”

  3. Expand downloaded file “CIS-CAT Lite v3.0.56.zip” to folder cis-cat-lite.

  4. Read the CIS-CAT Users Guide.pdf (104 pages).
  5. Install a JVM because the CISCAT.jar is Java-based.
  6. Move the folder under “temp” or other folder of your choice. Change to that directory.
  7. On a Mac, open a Terminal and run CIS-CAT.sh

    chmod CIS-CAT.sh

    Alternately, run CIS-CAT.BAT on Windows machines.

  8. Click “Accept” to the pop-up GUI.
  9. Click “Benchmark” to select from the pull-down.

    There is also the LiteCIS-CAT Pro (for paid members) which covers CLI as well and provides more Benchmark items to scan (for a price).

  10. Select “CIS_Apple_OSX_10.12_Benchmark” even if you have a more recent version.

    View the misc folder benchmarks.txt to see this list:

    • /benchmarks/CIS_Apple_OSX_10.12_Benchmark_v1.0.0.xml
    • /benchmarks/CIS_Google_Chrome_Benchmark_v1.3.0-xccdf.xml
    • /benchmarks/CIS_Microsoft_Windows_10_Enterprise_Release_1803_Benchmark_v1.5.0-xccdf.xml
    • /benchmarks/CIS_Ubuntu_Linux_18.04_LTS_Benchmark_v1.0.0-xccdf.xml
  11. Click “Next”.
  12. Selet Profile Level 1.
  13. Notice that the report goes to your user home folder, not your present Working Directory containing the program.
  14. Click “Next” then “Start Assessment”, and watch the progress scroll by.
  15. Click “View Reports”.
  16. Exit the program.
  17. Click on the Benchmark link associated with a number in the “Fail” column.
  18. Assess each Fail.

Some people prefer to hold off on automatic updates until hearing if early adopters experienced problems. The risk is fending off “zero day” security issues.

2.2.2 Ensure time set is within appropriate limits

The default NTP server is time.apple.com.

sudo ntpdate -sv time.apple.com

However, the ntpdate tool was removed in macOS Mojave 10.14 because the ntpd daemon since Mavericks (10.9) and Yosemite (10.10) is no longer responsible for adjusting the time. and instead a new program pacemaker has been introduced — so how can I know things are working or need adjustment to keep time?

sudo sntp -sS pool.ntp.org

See https://apple.stackexchange.com/questions/117864/how-can-i-tell-if-my-mac-is-keeping-the-clock-updated-properly

2.4.3 Disable Screen Sharing

CIT Fails thinking that Screen Sharing is enabled. But in System Preferences, Sharing, only Printer sharing is selected.

3.1.1 Retain system.log for 90 or more days

Edit /etc/asl.conf to change from

> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M


> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

Add for 3.1.2 Retain appfirewall.log for 90 or more days

> appfirewall.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

3.1.3 Retain authd.log for 90 or more days

sudo vim /etc/asl/com.apple.authd

Replace or edit the current setting

* file /var/log/authd.log mode=0640 compress format=bsd rotate=seq file_max=5M all_max=20M

with a compliant setting:

* file /var/log/authd.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90

3.2 Enable security auditing


sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist

RESPONSE: /System/Library/LaunchDaemons/com.apple.auditd.plist: service already loaded

3.5 Retain install.log for 365 or more days

subl /etc/asl/com.apple.install


* file /var/log/install.log format='$((Time)(JZ)) $Host $(Sender)[$(PID)]: $Message'


* file /var/log/install.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=365

5.1.1 Secure Home Folders

Run one of the following commands in Terminal, substituting user name:

sudo chmod -R og-rwx /Users/username
sudo chmod -R og-rw /Users/username

RESPONSE: chmod: Unable to change file mode on /Users/wilsonmar/projects/WM/bin/jad.readme.txt: Operation not permitted


There is also a Docker CAT: https://www.cisecurity.org/benchmark/docker/

https://github.com/docker/docker-bench-security The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.


Not to be confused with https://github.com/dev-sec/cis-docker-benchmark


cybersecurity-NIST-Functions-382x390-19166 800-53

FedRAMP/FISMA compliance

In the US federal government, the Federal Information Security Management Act of 2002 (FISMA) is a law implented according to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 [pdf].

In 2011 a “cloud first” policy was defined in the Federal Risk and Authorization Program (FedRAMP) [pdf] where federal agencies make use of cloud service providers (CSPs) given authority to operate (ATO) after receiving system authorization from an independent security assessment conducted by a 3PAO (third-party Assessor).

A System Security Plan (SSP) is required by the OMB Security Authorization of Information Systems in Cloud Computing [pdf].

Coalfire came up with this count of controls: cyber-fisma-fedramp-counts-683x586-55388

FedRAMP added 144 control to 728 in FISMA, for a total of 872 controls.


Security Technical Implementation Guides (STIGs) [Wiki] defines (over 425) “lock down” configuration settings to minimize vulnerabilities to malicious attack of DOD IA (Information Assurance) and IA-enabled devices/systems, both Windows and Apache Unix. Cloud Computing Security Requirements Guide (CC SRG) are also defined by DISA (Defense Information Systems Agency) which provides a Viewer to scan for them.

SCAP (ecurity Content Automation Protocol) [Wikipedia] checklists enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization. See the 2015 viewer video.

See https://www.open-scap.org/ for tools.

Source of vulnerabilities

Top 50 Products By Total Number Of “Distinct” Vulnerabilities - for all time include product versions now obsolete.

Other standards


The Functions and Categories within the NIST Cybersecurity (Program) Framework (CSF) maps NIST 800-53 to CIS Controls:


NIST Information Technology Laboratory emails out bulletins about vulnerabilities

QUESTION: How does CIS relate to ITIL?

Criminal Justice Information Services (CJIS) Security Policy compliance for any US state or local agency that wants to access the FBI’s CJIS database.

As of May 25, 2018, a European privacy law — GDPR (General Data Protection Regulation — imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. But the GDPR applies no matter where you are located.

UK Government G-Cloud. The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom.

Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI). A Business Associate Agreement (BAA) stipulates adherence to security and privacy provisions in HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) Act.

International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) 27018 code of practice covers the processing of personal information by cloud service providers.

MTCS (Multi-Tier Cloud Security) Singapore 584:2013 Certification covers Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Service Organization Controls (SOC) 1, 2, and 3 report is a framework by independent third-party auditors covering controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

Credential Rotation Lifecycle

Different periods for rotating different key types. Here is the “regular basis” recommended:

Key TypeRotation Period
Tokens ADFS – 24 hours
Domain Passwords 70 days
Connection strings 70 days
Shared Access Signatures 60 days
Self-Signed Certificate 2 Years
Symmetric Keys 2 Years
Asymmetric Keys 2 years
Storage Account Keys 2 years

Professional certifications

Certified Information Systems Security Professional (CISSP) is the most sought-after certification in cybersecurity.


  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Security Manager (CISM)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Cybersecurity Nexus – CSX Certificates and CSX-P Certification

Security Engineer

Here are “Essential Job Functions” from various job descriptions:

  • Apply established and ad hoc processes and techniques to identify, validate, prioritize, and track security risks.
  • Identify uncontrolled risks and recommend control improvements.
  • Proactively identify security requirement deficiencies.
  • Engage business and technology personnel to elicit security requirements.
  • Architect and design security control systems to address requirements.
  • Operate and monitor established security controls.
  • Identify control deficiencies and make appropriate recommendations.
  • Ensure that controls are operating effectively; resolve operating discrepancies.
  • Review, triage, and prioritize control output.
  • Take appropriate action to resolve security discrepancies.
  • Identify, evaluate, and recommend new security technologies, techniques, and tools.
  • Define, review, and promote information security policies, standards, guidelines, and procedures.

  • As compliance subject matter expert, enforce and monitor compliance with internal and external regulations, policies, and standards.
  • Establish and promote strategies to ensure that compliance is effectively monitored and enforced.
  • Lead/Co-lead internal process improvement initiatives. Provide feedback on processes by offering suggestions.

  • Mentor and supervise junior staff in project-level tasks.
  • Assist with adherence to technology policies and comply with all security controls.

Education/Experience Requirements:

  • Experience must include direct experience in several of the key areas listed: securing networks and systems architecture, design and implementation, secure software assurance, intrusion detection, defense and incident response, security configuration management, access controls design and implementation and security policy and standards development.
  • In-depth knowledge of one or more communications protocols.
  • Experience with more than one Cyber Security tools, including: Configuration Assessment, Log Aggregation, Integrity Verification, Web Application Security Testing, Network Access Control System, Network Intrusion prevention systems, and Endpoint Security Solutions.

  • Strong written and verbal technical communication skills.
  • Demonstrated ability to develop effective working relationships that improved the quality of work products.
  • Should be well organized, thorough, and able to handle competing priorities.
  • Ability to maintain focus and develop proficiency in new skills rapidly.
  • Ability to work in a fast paced environment.
  • In-depth knowledge of more than one Information Security principle and discipline.