SWGDE

Canlı sistemler (Live Forensics), uç nokta analizleri ve siber olay müdahale süreçlerinde uluslararası bilimsel standartlara göre delil tespiti metodolojisi.

The NIST Cybersecurity Framework (NIST CSF) is a set of comprehensive guidelines and best practices for organizations to improve their security posture. This framework combines industry standards and best practices to provide recommendations and standards that enable organizations to better prepare in identifying and protecting against cyberattacks, and guidance on recovering from an incident.
Overall, NIST CSF is designed to help organizations identify and close security gaps in operational technology.

The 6 Core Functions / Siber Olgunluk Sütunları

Tips for Using CSF 2.0

CSF Profiles - Checking existing CSF profiles can help to determine where the gaps are in your organization. NIST also has the CSF reference tool to find particular examples of implementation.

Buy In - Ensure that business leaders are involved in the conversation about the adoption of the CSF. It is vital for security and IT teams to work hand in hand with C-suite executives and boards to create a cybersecurity strategy that maximizes the success of the business. Everyone should be on the same page regarding drivers, objectives, and long-term business goals so security teams can make informed decisions.

Future State - Bear in mind the target profile and the threat landscape. Keeping one eye on the current state of the business and the other on the future, companies can anticipate trends and use the framework to smooth the process of their adaptation to new and evolving threats. The ability to change your approach to cybersecurity in response to threat trends is an important skill.

Technical Enforcement Blueprint

PCI DSS Compliance

PCI DSS (Payment Card Industry Data Security Standard) is a globally recognized framework of security requirements developed to help organizations that process, store, or transmit credit card information maintain a secure environment. Version 4.0 of the standard emphasizes a more flexible, customized approach to achieving and validating security outcomes while continuing to reduce payment data breaches and combat card fraud.

PCI DSS 4.0 covers both technical controls and operational practices, providing a baseline for securing cardholder data environments (CDEs). The standard promotes continuous security, supports evolving technologies, and addresses emerging threats.

The PCI Security Standards Council (PCI SSC) — an independent organization founded by major payment card brands including Visa, MasterCard, American Express, Discover, and JCB — administers and manages the standard. Enforcement and compliance responsibilities remain with each individual payment brand.

PCI DSS 4.0 encourages organizations to integrate security as a continuous process, with a focus on risk-based approaches, including the use of targeted risk analysis to support customized implementation of security controls. The standard provides detailed guidance and resources to help organizations prevent, detect, and respond to security incidents, ultimately supporting the protection of sensitive cardholder information in an ever-changing threat landscape..

What Does PCI DSS 4.0 Cover?

PCI DSS compliance is built on 12 core requirements—each a critical safeguard to protect cardholder data. Meeting these standards within your IT environment demands more than a checklist; it requires a strategic, layered approach to security. Organizations often achieve this through a suite of integrated data protection solutions that work together to defend against evolving threats and ensure continuous compliance.

Does PCI DSS Compliance Apply to You?

Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.

Finansal teknolojiler, ödeme geçitleri, Stripe/kart ağları entegrasyonları ve e-ticaret siber suçları davalarında teknik kusur ve sorumluluk analizi.

What Are the Different Levels of PCI DSS Compliance?

While ALL organizations that accept, transmit, process, or store cardholder data, are subject to the requirements of PCI DSS, there are four distinct levels of compliance required by individual organizations. These levels are based on transaction volume over a 12-month period:

At the highest compliance level (Level 1), organizations must undergo an external audit conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). This assessment validates the scope of the assessment, reviews documentation, determines whether PCI DSS requirements are being met, and provides guidance for achieving compliance. Upon completion, a Report on Compliance (RoC) is submitted to demonstrate adherence to PCI DSS standards.
Lower compliance level organizations (levels 2 through 4) do not need the external audit but can instead complete a self-assessment questionnaire (SAQ). Level 2 organization also need to complete a RoC.

PCI DSS Compliance Checklist

Maintain a Data Security Policy

Establishing a strong security culture within your organization can enhance PCI DSS 4.0 compliance and overall data security. Organizations should implement regular training programs and ongoing education focused on data security, with particular emphasis on PCI DSS compliance.

What is ISO/IEC 27001?

ISO 27001 is the leading international standard focused on information security. It was published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC).

ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet.

Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that the system respects all the best practices and principles enshrined in this International Standard.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.

Why is ISO/IEC 27001 important?

ISO 27001 can be applicable to businesses of all sizes and ensures that organizations are identifying and managing risks effectively, consistently, and measurably.

With cyber-crime on the rise and new threats constantly emerging, it can seem difficult or even impossible to manage cyber-risks. ISO/IEC 27001 helps organizations become risk-aware and proactively identify and address weaknesses. It helps global businesses establish, organize, implement, monitor, and maintain their information security management systems.

ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience, and operational excellence.

Who needs ISO/IEC 27001?

In today’s digital economy, almost every business is exposed to data security risks. And these risks can potentially have very serious consequences for your business, from reputational damage to legal issues. Any business needs to think strategically about its information security needs, and how they relate to company objectives, processes, size, and structure. The ISO/IEC 27001 standard enables organizations to establish an information security management system and apply a risk management process that is adapted to their size and needs, and scale it as necessary as these factors evolve.

While information technology (IT) is the industry with the largest number of ISO/IEC 27001- certified enterprises, the benefits of this standard have convinced companies across all economic sectors, including but not limited to services and manufacturing, as well as the primary sector: private, public and non-profit organizations.

ISO 27001 is a globally recognized data security standard. To become ISO 27001 certified, a company must develop the appropriate Information Security Management System (ISMS) and undergo an independent audit. Companies that adopt the holistic approach described in ISO/IEC 27001 ensure that information security is built into organizational processes, information systems, and management controls. Because of it, such organizations gain efficiency and often emerge as leaders within their industries.

What are the three guiding principles of ISO 27001?

The ISO 27001 standard aims to secure people, processes, and technology via three main guiding principles: confidentiality, integrity, and availability (commonly referred to as the C-I-A triad).

What Are the Control Attributes in ISO 27001:2022?

Control attributes are a new addition to the standard introduced in ISO 27001:2022. These five attributes are intended to help easily classify and group the controls based on what makes sense to their organization and security needs. ISO 27002:2022 (which provides guidance for how to implement controls outlined in ISO 27001) states in section 4.2 Themes and Attributes:

The five attributes are:

-Control type: preventative, detective, corrective
-Operational capabilities: governance, asset management, information protection, human resource security, etc.
-Security domains: governance and ecosystem, protection, defence, resilience
-Cybersecurity concepts: identify, protect, detect, respond, recover
-Information security properties: confidentiality, integrity, availability

How is ISO 27001:2022 structured?

ISO 27001 can very broadly be broken into two components: ‍1. Clauses: ISO 27001 has a list of standards called clauses that define the core processes for building out your ISMS from an organizational and leadership perspective. These 11 clauses are further divided into subsections called “requirements” that break the clauses down into more concrete steps.

Clauses 0 to 3 of the main part of the standard (Introduction, Scope, Normative references, Terms and definitions) serve as an introduction to the ISO 27001 standard. Clauses 4 to 10, which provide the ISO 27001 requirements, are mandatory if the company wants to be compliant with the standard. Clauses 4 to 10 are examined in more detail later in this article.

The 10 clauses of ISO 27001 include:

1-Terms and definitions
2-Process approach impact
3-Plan-Do-Check-Act cycle
4-Context of the organization
5-Leadership
6-Planning
7-Support
8-Operation
9-Performance evaluation 10-Improvement

2. Controls: ISO 27001 has a section called Annex A that lists the physical, logical, and environmental security controls that organizations must put into place in order to be ISO 27001 compliant. Among additions in ISO 27001:2022 are new control groups (categories that ISO uses to segment controls into sections) and new additional controls. Data leakage prevention is among one of the new controls specifically added to ISO 27001 and is required to be in place by 2025.

ISO 27001:2022 has 93 controls grouped into 14 control categories. This is a substantial change from ISO 27001:2013’s 114 controls that were divided into 14 different control categories. Following are the control categories with new controls for ISO 27001:2022 listed as sub-bullets under the appropriate category:

Organizational (37 total controls)

-5.23 Information security for use of cloud services -5.30 ICT readiness for business continuity -5.7 Threat Intelligence
People (8 total controls)
Physical (14 total controls)
-7.4 Physical security monitoring Technological (34 total controls)
-8.1 Data masking -8.9 Configuration management -8.10 Information deletion -8.12 Data leakage prevention -8.16 Monitoring activities -8.23 Web filtering -8.28 Secure coding

What Is Zero Trust?

The National Institute of Standards and Technology (NIST) defines zero trust as an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” This somewhat broad concept came in response to the increasingly vulnerable, more traditional “castle-and-moat” approach to data security. Typically, this old-school strategy requires establishing a perimeter—like a firewall—to defend all users, devices, applications, and other components that make up an organization’s greater corporate network. In other words, by nature, a perimeter-based security model assumes all users, devices, and network resources within the perimeter are trustworthy and secure.

The rise of hybrid network environments, scattered resources and assets, and third-party software tools, however, made this approach to security convoluted at best and ineffective at worst. As organizations have become more modernized, cyber threats have grown complex enough to outgun security measures of the past. Software with unpatched vulnerabilities, phishing and other forms of social engineering, insider attacks, supply chain attacks, and other threats are all capable of evading perimeter-based security measures, meaning entire networks and the sensitive data they hold can be at risk.

In response, zero trust is a data-centric approach to cybersecurity that was developed specifically to defend against modern cyber threats by taking a "never trust, always verify" approach to authentication. As opposed to inherently trusting everything within a network as a perimeter-based security model typically would, zero trust always assumes the internal network is vulnerable to malicious threat actors, if not already compromised. Instead of a single perimeter protecting the entire network, this more cautious approach essentially establishes micro-perimeters around individual network resources, assets, and the data itself..

Zero Trust Architecture

With the above in mind, however, zero trust is a concept and framework as opposed to a single product, set of products, or something that can be flipped on or off like a light switch. Applying zero trust concepts in a real-world setting can and should include deploying relevant security products, but it also requires considering the human component of data protection including following zero trust principles and best practices, fostering full organizational buy-in, continuous training, and more.

When an organization applies zero trust concepts to its greater security strategy and deploys the relevant tools, it’s often referred to as “zero trust architecture” or simply "perimeterless security." Regardless of which term a given organization chooses to adopt, however, both tend to refer to the same processes: requiring continuous authentication, authorization, and validation for all users and devices—both inside and outside the organizational network—to access individual network resources and the associated data.

In practice, this sort of continuous authentication, authorization, and validation follows the principle of least privilege (PoLP), which the NIST defines as “a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.” For example, while a corporate VPN would typically be configured to grant a user access to large parts, if not an entire corporate network upon authentication of a user’s IP, zero trust architecture would only allow access to specific areas of the network needed to perform a job function.

Benefits of Zero Trust

Implementing Zero Trust Architecture

Where to Start Organizations beginning their zero trust journey should start by conducting a comprehensive assessment of their current security posture, workflows, and critical assets to understand what needs protection and where vulnerabilities exist. This discovery phase involves mapping all users, devices, applications, and data repositories while identifying high-value assets that require the strongest protection. Rather than attempting a complete overhaul overnight, successful zero trust implementations typically follow a phased approach that begins with protecting the most critical resources first.

The most effective starting point is often to focus on the development, refinement, and enforcement of data protection policies. These policies, which are ideally based on contextual data, are ultimately what drive an organization's access controls and manage the continuous authentication required for zero trust. Organizations should start with policies that apply to their most sensitive systems and data before expanding these protections across the broader network infrastructure.

Zero Trust Best Practices

Zero Trust Security Framework Use Cases

Compliance Support

If your organization must adhere to industry compliance standards such as the GDPR, PCI DSS, or HIPAA, for example, the closed connection tenant of zero trust helps prevent widespread exposure and exploitation of sensitive data. Organizations can establish controls to segment regulated data from non-regulated data, providing more visibility for audit purposes and helping to limit and mitigate data breaches.

General Risk Reduction

Zero trust's “never trust, always verify” approach to data protection prevents applications and services from communicating until verified by predefined trust principles such as authentication and authorization specifications. By providing insight into how a network's various assets and resources communicate, zero trust delivers granular visibility and reduces the risk of erroneous user access. This strategy can also provide continuous confirmation of the validity of all communicating assets to reduce the risk of over-provisioned software and services.

Improve Cloud Environment Access Control

If you’ve moved workloads to the cloud, or are operating in a hybrid environment, the fear of losing control and visibility is not unfounded. With zero trust architecture in place, however, you can apply security policies to validate identities of users and workloads.
This helps to keep your security measures tied to the assets most in need of protection, and your organization's security posture won't rely on potentially vulnerable network elements such as IP addresses, protocols, or ports. Zero trust architecture protects the network's workloads themselves, meaning security persists even through changes to the environment.

Data Breach Risk Reduction

As cybersecurity pros increasingly express, a data breach is much less a question of "if" and much more a matter of "when." Zero trust’s foundation of least-privilege access assumes any entity could be hostile, meaning organizations can gain more peace-of-mind knowing all transactions, users, and their devices are authenticated before “trust” is granted. Furthermore, this validation is under continuous assessment to account for changes in the users’ devices, locations, data requests, and unusual activity.
Should an attacker still breach your network or cloud environment, with zero trust principles and practices applied, network segmentation severely hampers their ability to move laterally within the network to access more sensitive data.

T.C. Cumhurbaşkanlığı DDO Bilgi ve İletişim Güvenliği Rehberi

Kamu kurumları, kritik altyapı sağlayıcıları (enerji, lojistik, sağlık) ve yerli teknoloji üreticilerinin ulusal güvenlik kriterlerine uyumluluk audit süreçleri. Daha fazla bilgi için

DDO sayfasını ziyaret edin.

BDDK & KVKK Teknik Tedbirler

Dijital arama ve el koyma süreçlerinde kişisel verilerin korunması sınırlarının, veri maskeleme kurallarının ve "ölçülülük" ilkesinin hukuki-teknik denetimi.

BDDK sayfasını ziyaret edin.