Lab - Compliance Requirements and Local Restrictions
Objectives
In this lab, you will complete the following objectives:
Research penetration testing services provided by security consultants for compliance frameworks.
Conduct a Search of Penetration Testing Companies.
Background / Scenario
You are hired to perform a compliance-based assessment to verify and audit the security posture of the
organization and to ensure they are in compliance with specific regulations.
Required Resources
PC or mobile device with internet access
Instructions
Part 1: Conduct a Search of Pentesting Companies.
Using your favorite search engine, conduct a search for consulting companies that provide compliance and
regulation penetration testing services.
From your research, identify three consulting companies that provide penetration testing services for
compliance and regulations. Answer the following questions for each company.
Penetration Testing Consulting Company #1
Questions:
What is the name of the company:
BreachLock Inc
Web site:
https://www.breachlock.com/
For what compliance domains does the company provide penetration testing services? List the domains and
give a brief description of the focus of each.
CREST: Council for Registered Ethical Security Testers. This is an international body that accredits and
certifies cybersecurity professionals and companies. Its certifications are highly regarded in the industry,
indicating quality and competence in services like penetration testing and incident response.
HIPAA: Health Insurance Portability and Accountability Act. HIPAA sets standards for protecting
sensitive patient information from being disclosed without the patient's consent or knowledge.
GDPR: General Data Protection Regulation. It's a European Union law that sets guidelines for the
collection and processing of personal data of individuals within the EU.
ISO 27001: An international standard for managing information security. It defines the requirements for an
Information Security Management System (ISMS), ensuring the confidentiality, integrity, and availability of
sensitive company information. Organizations conforming to ISO 27001 have implemented a system to
manage and mitigate security risks, adhering to best practices outlined in the standard.
PCI DSS: Payment Card Industry Data Security Standard. This is an internationally recognized standard
that applies to organizations that handle credit card data.
© 2023 - 2025 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 4
NIST: NIST Cybersecurity Framework is a set of guidelines and best practices designed to help
organizations improve their cybersecurity posture. It's flexible and adaptable, allowing organizations to tailor
their cybersecurity strategies based on specific needs, risks, and industry requirements. Widely used by
businesses and government agencies, it helps protect against cyber threats and data breaches.
What knowledge resources regarding compliance frameworks are available on the company web site?
NIST Cybersecurity Framework
Who are the company’s major customers (List at least three)?
Conteneo, Fond, Brainfights Inc
What awards or recognitions has the company received?
Top InfoSec Innovator Winner (Cyber Defense Magazine), 2024.
Top 150 Hot Cybersecurity Companies (Cybercrime Magazine), 2021.
Winner, Cyber Security Excellence Awards (2024), etc.
Penetration Testing Consulting Company #2
Questions:
What is the name of the company:
CrowdStrike Holdings, Inc.
Web site:
https://www.crowdstrike.com/
What compliance domains does the company provide penetration testing services for? List the domains and
give a brief description of the focus of each.
PCI DSS: Payment Card Industry Data Security Standard. This is an internationally recognized standard
that applies to organizations that handle credit card data.
CSA STAR: Cloud Security Alliance Security, Trust, Assurance, and Risk. CSA STAR helps
organizations and customers evaluate and trust cloud service providers' security measures.
FedRAMP: Federal Risk and Authorization Management Program. It’s a U.S. government program that
standardizes the security assessment, authorization, and continuous monitoring of cloud services used by
federal agencies.
ISO/IEC 27001:2022: The latest version of the international standard for Information Security Management
Systems (ISMS). It sets out the requirements for establishing, implementing, maintaining, and continually
improving an ISMS.
What knowledge resources regarding compliance frameworks are available on the company web site?
cloud-security-frameworks and blogs.
Who are the company’s major customers (List at least three)?
Florida State University, Adobe, Solar Group, etc.
What awards or recognitions has the company received?
CrowdStrike Earns AAA Award, 100% Total Accuracy Score in SE Labs Q3 Enterprise Advanced
Security Test.
CrowdStrike Wins SC Award for Best Security Company Second Year in a Row.
etc.
Penetration Testing Consulting Company #3
Questions:
What is the name of the company:
Acunetix Ltd
Web site:
https://www.acunetix.com/
What compliance domains does the company provide penetration testing services for? List the domains and
give a brief description of the focus of each.
ISO 27001: An international standard for managing information security. It defines the requirements for an
Information Security Management System (ISMS), ensuring the confidentiality, integrity, and availability of
sensitive company information. Organizations conforming to ISO 27001 have implemented a system to
manage and mitigate security risks, adhering to best practices outlined in the standard.
OWASP Top 10 Compliance: Top 10 Web Application Security Risks as outlined by the Open Web
Application Security Project (OWASP). It's about following best practices to protect web applications from
common vulnerabilities.
What knowledge resources regarding compliance frameworks are available on the company web site?
Blogs, Webinars.
Who are the company’s major customers (List at least three)?
Adobe, Coca-Cola, Honda, etc.
What awards or recognitions has the company received?
Acunetix has been recognized as an October 2020 Gartner Peer Insights Customers’ Choice for
Application Security Testing.
Acunetix wins Best Vulnerability Management solution at the Cyber Defense Magazine InfoSec
Awards 2017.
etc.
Reflection
Do companies in your country need to follow compliance frameworks that are imposed by other countries? If
so, what are the consequences for failing to meet the requirements of the frameworks and what are the
penalties if there is a data breach?
Yes, all companies need to follow compliance frameworks that are imposed by other countries.
For example, a company located in Viet Nam must comply with the General Data Protection
Regulation (GDPR) if it collects or uses data from individuals in the European Union.
Consequences for failing to meet these requirements can include:
Financial penalties: Fines can be substantial, such as the $1.3 billion fine imposed on Meta (Facebook)
for GDPR violations.
Legal action: Companies may face lawsuits and legal proceedings.
Reputational damage: Non-compliance can harm a company's reputation, leading to loss of customer
trust and business opportunities.
Operational disruptions: Companies might be blocked from key services or platforms if they fail to prove
compliance.