Further Reading: Security Compliance and Governance
Books
IT Auditing Using Controls to Protect Information Assets, 3rd Edition. Mike Kegerreis, Mike Schiller, and Chris Davis, McGraw-Hill, 2019. Comprehensive coverage of IT audit and compliance processes. Valuable for understanding how auditors evaluate security controls and how penetration testing fits into the audit evidence framework.
The CISO's Next Move: Cybersecurity Insights for the Board and C-Suite. Various authors and publications. Multiple books address the governance and board-level communication aspects of cybersecurity. Look for authors who are current or former CISOs at major organizations.
Navigating the Cybersecurity Career Path. Helen E. Patton, Wiley, 2021. While career-focused, this book provides excellent insight into how compliance and governance shape security programs and how technical professionals can engage with the GRC function effectively.
Information Security Governance: A Practical Development and Implementation Approach. Krag Brotby, Wiley, 2009. Though older, this remains an excellent introduction to the governance structures that surround information security programs, including the role of penetration testing in governance.
PCI DSS: An Integrated Data Security Standard Guide. Jim Seaman, Apress, 2020. The most accessible guide to PCI DSS for security practitioners. Covers each requirement with practical implementation guidance and common audit findings.
Regulatory Documents and Standards
PCI DSS v4.0. PCI Security Standards Council, 2022. Available at pcisecuritystandards.org. The current version of the Payment Card Industry Data Security Standard, with all twelve requirements and the supplemental penetration testing guidance.
HIPAA Security Rule (45 CFR Part 164, Subpart C). Available at hhs.gov. The full text of the HIPAA Security Rule, including administrative, physical, and technical safeguards. Understanding the specific sections helps penetration testers map their findings to regulatory requirements.
NIST Cybersecurity Framework 2.0. National Institute of Standards and Technology, 2024. Available at nist.gov/cyberframework. The updated CSF with six core functions (including the new Govern function). The most widely adopted risk management framework in the United States.
CIS Controls v8.1. Center for Internet Security, available at cisecurity.org. The prioritized set of cybersecurity actions, including implementation groups and the mapping to other frameworks. Particularly relevant for Control 18 (Penetration Testing).
NIST SP 800-53 Rev. 5. NIST, 2020. Available at nist.gov. The comprehensive catalog of security and privacy controls for federal information systems. Increasingly adopted by private sector organizations.
ISO/IEC 27001:2022. International Organization for Standardization. Available for purchase at iso.org. The international standard for information security management systems. Understanding the ISMS framework helps penetration testers position their work within client ISO certification programs.
EU NIS2 Directive (Directive (EU) 2022/2555). Available at eur-lex.europa.eu. The full text of the NIS2 Directive, including scope definitions, security requirements, and enforcement provisions.
EU DORA Regulation (Regulation (EU) 2022/2554). Available at eur-lex.europa.eu. The Digital Operational Resilience Act, particularly Chapter IV on digital operational resilience testing and Article 26 on threat-led penetration testing (TLPT) requirements.
GDPR (Regulation (EU) 2016/679). Available at eur-lex.europa.eu. The General Data Protection Regulation, particularly Article 32 on security of processing. Essential for understanding the data protection implications of penetration testing.
Articles and Reports
Verizon Data Breach Investigations Report (DBIR). Published annually by Verizon, available at verizon.com/dbir. The most comprehensive analysis of data breach trends, attack patterns, and industry-specific risks. Essential reading for understanding the threat landscape that compliance frameworks aim to address.
IBM Cost of a Data Breach Report. Published annually by IBM Security, available at ibm.com. Provides data on breach costs by industry, geography, and contributing factors. Useful for quantifying the business impact of security failures in pentest reports and compliance discussions.
HIPAA Enforcement Highlights. HHS Office for Civil Rights, available at hhs.gov. Summaries of HIPAA enforcement actions, including penalties and contributing factors. Valuable for understanding how regulators evaluate security failures.
Target Corporation Data Breach: A Case Study. Multiple academic and industry analyses are available. Detailed examinations of the 2013 Target breach from compliance, governance, and technical perspectives.
Online Resources
NIST Computer Security Resource Center (CSRC). csrc.nist.gov. The central repository for NIST cybersecurity publications, including SP 800-series documents, cybersecurity framework resources, and implementation guidance.
PCI SSC Document Library. pcisecuritystandards.org/document_library. Complete library of PCI standards, guidance documents, and supplemental information. Includes the penetration testing guidance and information supplements on scoping and segmentation.
ENISA (European Union Agency for Cybersecurity). enisa.europa.eu. Publications on NIS2 implementation, cybersecurity certification, and European cybersecurity policy. Essential for understanding the European regulatory landscape.
CISA (Cybersecurity and Infrastructure Security Agency). cisa.gov. US government cybersecurity resources, including sector-specific guidance, the Known Exploited Vulnerabilities catalog, and cross-sector cybersecurity performance goals.
Professional Organizations
- ISACA (isaca.org): Professional association for IT governance, risk, compliance, and audit professionals. Publishes COBIT framework.
- ISC2 (isc2.org): Professional organization for cybersecurity professionals. Offers CISSP and related certifications.
- ISSA (issa.org): Information Systems Security Association with local chapters worldwide.
- Cloud Security Alliance (cloudsecurityalliance.org): Resources on cloud security compliance, including the Cloud Controls Matrix.
- FAIR Institute (fairinstitute.org): Promotes quantitative risk analysis using the Factor Analysis of Information Risk model.