Security: Difference between revisions

From Freephile Wiki
Browse history interactively
← Older edit
VisualWikitext
update links
 
(5 intermediate revisions by the same user not shown)
Line 11: Line 11:




== free software that secures your communication ==
==free software that secures your communication==


[https://www.torproject.org/ The Onion Router] (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications.
[https://www.torproject.org/ The Onion Router] (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications. TOR acts as an anonymizing layer between you and ALL Internet traffic.


There are others too... like [https://jami.net Jami]  
For secure "messaging" there is [https://jami.net Jami]. Jami is a complete communication platform made by [https://savoirfairelinux.com/en Savoir Faire Linux]. Jami is available for all operating systems and devices. Jami offers


https://signal.org/ offers tools that integrate with your iPhone or Android phone and desktop.
* Instant messaging
* Audio and video calls
* Swarms (group chats)
* Video-conferences and Rendezvous points with no third-party hosting
* Audio and video message recording
* Screen sharing and media streaming
* Built-in plugin platform for new features and experiences
* Jami can also function as a SIP client


== Resources ==
Another popular platform for secure messaging is the '''Signal''' app. https://signal.org/
# [https://github.com/lfit/itpol Linux Foundation IT Policy]
 
# https://wiki.mozilla.org/Security
== Security Frameworks ==
# https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
 
 
14 Security Frameworks You Should Know <ref>https://secureframe.com/blog/security-frameworks</ref>
{| class="wikitable"
!Framework
!Purpose
!Best Suited For
!Certification
!Certification Method
!Audit Duration
!Audit Frequency
|-
!SOC 2
|Manage customer data
|Companies and their third-party partners
|N/A
|Authorized CPA firms
|6-month period
|Every year
|-
!ISO 27001
|Build and maintain an information security management system (ISMS)
|Any company handling sensitive data
|Yes
|Accredited third-party
|1 week-1 month
|Every year
|-
!NIST Cybersecurity Framework
|Comprehensive and personalized security weakness identification
|Anyone
|N/A
|Self
|N/A
|N/A
|-
!HIPAA
|Protect patient health information
|The healthcare sector
|Yes
|The Department of Health and Human Services (third-party)
|12 weeks
|6 per year
|-
!PCI DSS
|Keep card owner information safe
|Any company handling credit card information
|Yes
|PCI Qualified Security Assessor (third-party)
|18 weeks
|Every year
|-
!GDPR
|Protect the data of people in the EU
|All businesses that collect the data of EU citizens
|Yes
|Third-party
|About 30 days
|Depends on preference
|-
!HITRUST CSF
|Enhance security for healthcare organizations and technology vendors
|The healthcare sector / Anyone
|Yes
|Third-party
|3-4 months
|Every year
|-
!COBIT
|Alignment of IT with business goals, security, risk management, and        information governance
|Publicly traded companies
|Yes
|ISACA (third-party)
|N/A
|N/A
|-
!NERC-CIP
|Keep North America’s bulk electric systems operational
|The utility and power sector
|Yes
|Third-party
|Up to 3 years
|Every 5 years
|-
!FISMA
|Protect the federal government’s assets
|The federal government and third parties operating on its behalf
|Yes
|The FISMA Center
|12 weeks
|Every year
|-
!NIST Special Publication 800-53
|Compliance with the Federal Information Processing Standards' (FIPS)        200 requirements and general security advice
|Government agencies
|N/A
|Self
|N/A
|N/A
|-
!NIST Special Publication 800-171
|Management of controlled unclassified information (CUI) to protect        federal information systems
|Contractors and subcontractors of federal agencies
|N/A
|Self
|N/A
|N/A
|-
!IAB CCPA
|Protecting California consumers’ data
|California businesses and advertising tech companies
|N/A
|Self
|N/A
|N/A
|-
!CIS Controls
|General protection against cyber threats
|Anyone
|Yes
|Third-party
|}
 
==Resources==
 
#[https://github.com/lfit/itpol Linux Foundation IT Policy]
#https://wiki.mozilla.org/Security
#https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
#https://secureframe.com/blog/security-frameworks
# [https://www.brighttalk.com/webcast/6793/591276 How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS, and DISA-STIG] This 50 minute video from Canonical can provide insight as to how an Enterprise MediaWiki solution can address the concerns related to these frameworks.
{{References}}


[[Category:Security]]
[[Category:Security]]
[[Category:Frameworks]]

Latest revision as of 15:59, 13 September 2023


Security
Lets Encrypt
Lets Encrypt
Image shows: Lets Encrypt
Summary
Title: Security
Description: Using SSL and TLS Deployment Best Practices, QualityBox gets an A+ rating for security.
More
Notes: Certificates provided by the Let's Encrypt project
Test: Test on SSL Labs.com
Example: See File:Certificate grade.png





free software that secures your communication[edit]

The Onion Router (TOR) project https://www.torproject.org/ is the best known provider of security for your personal communications. TOR acts as an anonymizing layer between you and ALL Internet traffic.

For secure "messaging" there is Jami. Jami is a complete communication platform made by Savoir Faire Linux. Jami is available for all operating systems and devices. Jami offers

  • Instant messaging
  • Audio and video calls
  • Swarms (group chats)
  • Video-conferences and Rendezvous points with no third-party hosting
  • Audio and video message recording
  • Screen sharing and media streaming
  • Built-in plugin platform for new features and experiences
  • Jami can also function as a SIP client

Another popular platform for secure messaging is the Signal app. https://signal.org/

Security Frameworks[edit]

14 Security Frameworks You Should Know [1]

Framework Purpose Best Suited For Certification Certification Method Audit Duration Audit Frequency
SOC 2 Manage customer data Companies and their third-party partners N/A Authorized CPA firms 6-month period Every year
ISO 27001 Build and maintain an information security management system (ISMS) Any company handling sensitive data Yes Accredited third-party 1 week-1 month Every year
NIST Cybersecurity Framework Comprehensive and personalized security weakness identification Anyone N/A Self N/A N/A
HIPAA Protect patient health information The healthcare sector Yes The Department of Health and Human Services (third-party) 12 weeks 6 per year
PCI DSS Keep card owner information safe Any company handling credit card information Yes PCI Qualified Security Assessor (third-party) 18 weeks Every year
GDPR Protect the data of people in the EU All businesses that collect the data of EU citizens Yes Third-party About 30 days Depends on preference
HITRUST CSF Enhance security for healthcare organizations and technology vendors The healthcare sector / Anyone Yes Third-party 3-4 months Every year
COBIT Alignment of IT with business goals, security, risk management, and information governance Publicly traded companies Yes ISACA (third-party) N/A N/A
NERC-CIP Keep North America’s bulk electric systems operational The utility and power sector Yes Third-party Up to 3 years Every 5 years
FISMA Protect the federal government’s assets The federal government and third parties operating on its behalf Yes The FISMA Center 12 weeks Every year
NIST Special Publication 800-53 Compliance with the Federal Information Processing Standards' (FIPS) 200 requirements and general security advice Government agencies N/A Self N/A N/A
NIST Special Publication 800-171 Management of controlled unclassified information (CUI) to protect federal information systems Contractors and subcontractors of federal agencies N/A Self N/A N/A
IAB CCPA Protecting California consumers’ data California businesses and advertising tech companies N/A Self N/A N/A
CIS Controls General protection against cyber threats Anyone Yes Third-party

Resources[edit]

  1. Linux Foundation IT Policy
  2. https://wiki.mozilla.org/Security
  3. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
  4. https://secureframe.com/blog/security-frameworks
  5. How Ubuntu enables your compliance with FedRAMP, FISMA, FIPS, and DISA-STIG This 50 minute video from Canonical can provide insight as to how an Enterprise MediaWiki solution can address the concerns related to these frameworks.

References[edit]

  1. https://secureframe.com/blog/security-frameworks

Secure Sockets Layer = secure (encrypted) underpinning for HTTP

Transport Layer Security

Session Initiation Protocol is a protocol used in VoIP communications allowing users to make voice and video calls, mostly for free. A SIP client is a program that you install on your computer or mobile device.

Systems and Organization Controls (SOC) 2 is a set of compliance criteria developed by the American Institute of Certified Public Accountants (AICPA).

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by NIST based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

The Health Insurance Portability and Accountability Act is a 1996 federal statute that created standards for protecting patient health information. All healthcare organizations must follow cybersecurity practices and run risk assessments to comply with HIPAA.

The Payment Card Industry Data Security Standard was created in 2006 to ensure that all companies that accept, process, store, or transmit credit card information operate securely. The framework is primarily intended to keep cardholder information safe. All companies handling this information must comply with PCI DSS, regardless of size. The framework is administered and enforced by the Payment Card Industry Security Standards Council.

The General Data Protection Regulation (Regulation (EU) 2016/679, abbreviated GDPR) is a European Union regulation on Information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

(the US) National Institute of Standards and Technology

Retrieved from "https://wiki.freephile.org/wiki/index.php?title=Security&oldid=10306"
Powered by QualityBox
Powered by Semantic MediaWiki