Friday, 13 July 2018


Cyber security standards Wikipedia - induced.info

Cyber security standards (also cybersecurity standards) are techniques, generally set out in published material, that attempt to protect the cyber environment of a user or organization. This environment includes the users themselves, networks, devices, all software, processes, information in storage or in transit, applications, services, and systems that can be connected directly or indirectly to networks. The principal objective is to reduce risk, including the prevention or mitigation of cyber attacks. The published material consists of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.



History

Cybersecurity standards have existed for decades, as users and providers have collaborated in many domestic and international forums to shape the necessary capabilities, policies and practices, largely emerging from work at the Stanford Consortium for Research on Security and Information Policy in the 1990s. Also, many tasks that used to be done by hand are now done by computers; hence the need for information assurance (IA) and security.

A 2016 study of US security framework adoption reported that 70% of the organizations surveyed saw the NIST Cybersecurity Framework as the most popular best practice for computer security, but many noted that it requires significant investment.

A chief information security officer is usually charged with selecting, applying and monitoring the efficiency and effectiveness of cybersecurity standards for their organization.


ETSI Cyber Security Technical Committee (TC CYBER)

TC CYBER is responsible for the standardization of cyber security internationally and for providing a centre of relevant expertise for other ETSI committees. Growing dependence on networked digital systems has brought an increase in both the variety and the quantity of cyber threats. The different methods governing secure transactions in the various Member States of the EU sometimes make it difficult to assess individual risks and to ensure adequate security. Building on ETSI's leading expertise in the field of Information and Communication Technology (ICT) security, it established a new Cyber Security committee (TC CYBER) in 2014 to meet the growing demand for standards to protect the Internet and the communications and business it carries.

TC CYBER is working with relevant stakeholders to develop appropriate standards to increase privacy and security for organizations and citizens across Europe. The committee looks in particular at the security of infrastructure, devices, services and protocols, as well as at security tools and techniques to ensure security. It offers security advice and guidance to users, manufacturers, network operators and infrastructure operators. The standards are available online. A major work item is the production of a global cyber security ecosystem of standardization and other activities.


ISO/IEC 27001 and 27002

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.

ISO/IEC 27001 formally establishes a management system intended to bring information security under explicit management control.

ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. Sometimes ISO/IEC 27002 is therefore referred to as ISO 17799 or BS 7799 part 1, and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part 2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organization to obtain certification to the ISO/IEC 27001 standard. Certification, once obtained, lasts three years. Depending on the auditing organization, no or some intermediate audits may be carried out during the three years.

ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. Transitional audits are also available to make it easier for an organization that is BS 7799 part 2-certified to become ISO/IEC 27001-certified. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining an information security management system (ISMS). It states the information security systems required to implement the ISO/IEC 27002 control objectives. Without ISO/IEC 27001, the ISO/IEC 27002 control objectives are ineffective. The ISO/IEC 27002 control objectives are incorporated into ISO 27001 in Annex A.

ISO/IEC 21827 (SSE-CMM - ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.


CISQ

CISQ develops standards for automating the measurement of software size and software structural quality. CISQ is a special interest group of the Object Management Group that proposes specifications for approval as international OMG standards. The measurement standards are used for static program analysis of software, a software testing practice that identifies critical vulnerabilities in the code and architecture of a software system.

The CISQ-developed standards are used to manage the Security, Reliability, Performance Efficiency and Maintainability characteristics of software risk. The Automated Source Code Security Standard is a measure of how easily an application can suffer unauthorized penetration that could result in stolen information, altered records, or other forms of malicious behavior. The Security standard is based on the most common and most frequently exploited security weaknesses in software as identified in the Common Weakness Enumeration (CWE), the SANS Top 25, and the OWASP Top 10. The Automated Source Code Reliability Standard is a measure of an application's availability, fault tolerance, recoverability, and data integrity. The Reliability standard measures the risk of potential application failures and the stability of an application when confronted with unexpected conditions. CISQ is working on automated measures of Technical Debt.


Standard of Good Practice

In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security, published as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years (with the exception of 2013-2014); the latest version was published in 2018.

Initially the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public.

Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP. Furthermore, it is important for those responsible for security management to understand and adhere to the NERC CIP compliance requirements.


NERC

The North American Electric Reliability Corporation (NERC) addresses patching in NERC CIP 007-6 Requirement 2. It generally requires the Bulk Power System (BPS) Operator/Owner to identify the source or sources used to provide security patches for the Entity's associated Cyber Assets.

The initial attempt to create information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards). Subsequent to the CSS guidelines, NERC evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP = Critical Infrastructure Protection). These standards are used to secure bulk electric systems, although NERC has created standards in other areas as well. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes. [1]


NIST

  1. The NIST Cybersecurity Framework (NIST CSF) "provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
  2. Special Publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of security controls and ways to implement them. Initially this document was aimed at the federal government, although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. [2]
  3. Special Publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document. [3]
  4. Special Publication 800-26 provides advice on how to manage IT security. It has been superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self-assessments as well as risk assessments. [4]
  5. Special Publication 800-37, updated in 2010, provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems".
  6. Special Publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", published April 2013 and updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
  7. Special Publication 800-82, Revision 2, "Guide to Industrial Control Systems (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability and safety requirements specific to ICS. [5]


ISO 15408

This standard develops what is called the "Common Criteria". It allows many different software and hardware products to be integrated and tested in a secure way.


RFC 2196

RFC 2196 is a memorandum published by the Internet Engineering Task Force for developing security policies and procedures for information systems connected to the Internet. RFC 2196 provides a general and broad overview of information security, including network security, incident response and security policies. The document is very practical and focused on day-to-day operations.


ISA/IEC-62443 (formerly ISA-99)

ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to become the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.

All ISA work products are now numbered using the convention "ISA-62443-x-y", and previous ISA99 nomenclature is maintained for continuity purposes only. Corresponding IEC documents are referenced as "IEC 62443-x-y". The approved IEC and ISA versions are generally identical for all functional purposes.

ISA99 remains the name of the ISA committee on industrial automation and control systems security. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject. These work products are submitted to ISA for approval and published under ANSI. They are also submitted to the IEC for review and approval as standards and specifications in the IEC 62443 series.

All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, and Component.

  1. The first (top) category includes foundational information such as concepts, models and terminology. It also includes work products that describe security metrics and security life cycles for IACS.
  2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. At its core is the zone and conduit design model.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products. It is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.

The ISA-62443 documents that are planned and published are as follows:

  • Group 1: General
    • ISA-62443-1-1 (IEC/TS 62443-1-1) (formerly referred to as "ISA-99 Part 1") was originally published as ANSI/ISA-99.00.01-2007, as well as as IEC technical specification IEC/TS 62443-1-1. It forms the basis of the ISA-62443 series by defining the common models and concepts that underpin the remaining standards in the series. The ISA99 committee is currently revising it to keep it aligned with the other documents in the series, and to clarify the normative content.
    • ISA-TR62443-1-2 (IEC 62443-1-2) is a master glossary of terms used by the ISA99 committee. This document is a working draft, but its content is available on the ISA99 committee Wiki.
    • ISA-62443-1-3 (IEC 62443-1-3) identifies a set of compliance metrics for IACS security. This document is under development and the committee will release a draft for comment in 2013.
    • ISA-62443-1-4 (IEC/TS 62443-1-4) defines the IACS security life cycle and use cases. This work product has been proposed as part of the series, but as of January 2013 its development had not yet begun.
  • Group 2: Policies and Procedures
    • ISA-62443-2-1 (IEC 62443-2-1) (formerly referred to as "ANSI/ISA 99.02.01-2009 or ISA-99 Part 2") addresses how to establish an IACS security program. This standard is approved and published by the IEC as IEC 62443-2-1. It is now being revised to allow closer alignment with the ISO 27000 series of standards.
    • ISA-62443-2-2 (IEC 62443-2-2) addresses how to operate an IACS security program. This standard is under development.
    • ISA-TR62443-2-3 (IEC/TR 62443-2-3) is a technical report on patch management issues in IACS environments. This report is under development.
    • ISA-62443-2-4 (IEC 62443-2-4) focuses on certifying the security policies and practices of IACS suppliers. This document was adopted from the WIB organization and is now a work product of the IEC TC65/WG10 committee. The proposed ISA version will be a US national publication of the IEC standard.
  • Group 3: System Integrator
    • ISA-TR62443-3-1 (IEC/TR 62443-3-1) is a technical report on the subject of suitable technologies for IACS security. This report was approved and published as ANSI/ISA-TR99.00.01-2007 and is now being revised.
    • ISA-62443-3-2 (IEC 62443-3-2) addresses how to determine security assurance levels using the zone and conduit concepts. This standard is under development.
    • ISA-62443-3-3 (IEC 62443-3-3) defines detailed technical requirements for IACS security. This standard has been published as ANSI/ISA-62443-3-3 (99.03.03)-2013. It was previously numbered ISA-99.03.03.
  • Group 4: Component Provider
    • ISA-62443-4-1 (IEC 62443-4-1) addresses the requirements for the development of secure IACS products and solutions. This standard is under development.
    • ISA-62443-4-2 (IEC 62443-4-2) addresses detailed technical requirements at the IACS component level. This standard is under development.

More information about the activities and plans of the ISA99 committee is available on the ISA99 committee Wiki site. For more information on the activities of the IEC TC65/WG10 committee, see the IEC TC65 website.
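The zone and conduit model named in the category list above and in ISA-62443-3-2 is easier to grasp as a concrete check. The example below is added here for illustration; it is not ISA/IEC code and not the text of any standard. It models a plant as zones with an assumed target security level (an integer in the 62443 SL style), conduits that connect pairs of zones, and communication flows between assets, and then reports flows that cross a zone boundary without a declared conduit and conduits whose assumed capability level is below the higher target of the two zones they join. Both rules, the zone and asset names, and the sample model are assumptions constructed for this example.

```python
"""Zone-and-conduit consistency check in the spirit of IEC 62443-3-2.

Added illustration; not code from ISA/IEC or any project. The two rules
applied (every cross-zone flow must traverse a declared conduit, and a
conduit must be capable of at least the higher zone target it connects)
are simplifying assumptions chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int  # assumed: target security level, 0 (none) to 4


@dataclass(frozen=True)
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    sl_capability: int  # assumed: level the conduit's controls provide

    def connects(self, x: str, y: str) -> bool:
        """A conduit is undirected: it joins the same two zones either way."""
        return {x, y} == {self.zone_a, self.zone_b}


@dataclass(frozen=True)
class Flow:
    src_asset: str
    src_zone: str
    dst_asset: str
    dst_zone: str
    protocol: str


def assess(zones, conduits, flows):
    """Return a list of findings; an empty list means the model is consistent."""
    zmap = {z.name: z for z in zones}
    findings = []
    for f in flows:
        label = f"{f.src_asset}->{f.dst_asset}"
        if f.src_zone not in zmap or f.dst_zone not in zmap:
            findings.append({"kind": "unknown_zone", "flow": label})
            continue
        if f.src_zone == f.dst_zone:
            continue  # intra-zone traffic needs no conduit
        matching = [c for c in conduits if c.connects(f.src_zone, f.dst_zone)]
        if not matching:
            findings.append({"kind": "undeclared_conduit", "flow": label,
                             "zones": (f.src_zone, f.dst_zone)})
            continue
        required = max(zmap[f.src_zone].sl_target, zmap[f.dst_zone].sl_target)
        if all(c.sl_capability < required for c in matching):
            findings.append({"kind": "insufficient_sl", "flow": label,
                             "required": required,
                             "conduits": [c.name for c in matching]})
    return findings


def run_sample():
    """Constructed sample plant model (an assumption, not a real site)."""
    zones = [Zone("Enterprise", 1), Zone("DMZ", 2),
             Zone("Control", 3), Zone("Safety", 4)]
    conduits = [
        Conduit("ent-dmz", "Enterprise", "DMZ", 2),
        Conduit("dmz-control", "DMZ", "Control", 3),
        Conduit("control-safety", "Control", "Safety", 3),  # below Safety's target
    ]
    flows = [
        Flow("erp-server", "Enterprise", "historian-mirror", "DMZ", "https"),
        Flow("historian-mirror", "DMZ", "historian", "Control", "opc-ua"),
        Flow("office-ws", "Enterprise", "plc-01", "Control", "modbus"),  # no conduit
        Flow("eng-ws", "Control", "sis-controller", "Safety", "vendor-tcp"),
        Flow("plc-01", "Control", "plc-02", "Control", "ethernet-ip"),  # intra-zone
    ]
    return assess(zones, conduits, flows)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running the sample reports two findings: the office workstation reaching a PLC with no Enterprise-to-Control conduit declared, and the Control-to-Safety conduit whose assumed capability (3) is below the Safety zone's target (4). The first kind is what a zone model is meant to surface (an undocumented path across a boundary); the second is a prompt to either raise the conduit's controls or lower the flow's reach, which is the design trade-off 62443-3-2's risk assessment is about.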


IEC 62443 Conformity Assessment Program

The ISA Security Compliance Institute (ISCI), www.isasecure.org, operates the first conformity assessment scheme for the IEC 62443 IACS cybersecurity standards. The program certifies Commercial Off-the-Shelf (COTS) IACS products and systems, addressing the security of the IACS supply chain.

Certification offerings: Two COTS product certifications are available under the ISASecure® brand: ISASecure-EDSA (Embedded Device Security Assurance), certifying IACS products to the IEC 62443 IACS cybersecurity standards, and ISASecure-SSA (System Security Assurance), certifying IACS systems to the IEC 62443-3-3 IACS cybersecurity standard.

A third certification, SDLA (Secure Development Lifecycle Assurance), is available that certifies IACS development organizations to the IEC 62443-4-1 cybersecurity standard, providing assurance that a supplier organization has institutionalized cybersecurity into its product development practices.

ISO 17065 and global accreditation: The ISASecure 62443 conformity assessment scheme is an ISO 17065 program whose laboratories (certification bodies, or CBs) are independently accredited by ANSI/ANAB, JAB and other global ISO 17011 accreditation bodies (ABs). The certification laboratories must also meet the ISO 17025 laboratory accreditation requirements to ensure consistent application of the certification requirements and recognized tools.

Through Mutual Recognition Arrangements (MRAs) with IAF, ILAC and others, the accreditation of ISASecure laboratories by ISO 17011 accreditation bodies ensures that certificates issued by any of the ISASecure laboratories are globally recognized.

Test tool recognition: The ISASecure scheme includes a process for recognizing test tools to ensure that a tool meets the functional requirements necessary and sufficient to perform all required product tests, and that test results will be consistent among the recognized tools.

Chemical, oil and gas industries: The ISCI development processes include maintenance policies to ensure that ISASecure certifications remain aligned with the IEC 62443 standards as they evolve. While the IEC 62443 standards are designed to horizontally address the technical cybersecurity requirements of a cross-section of industries, the ISASecure scheme's certification requirements have been reviewed by representatives from the chemical and oil and gas industries and reflect their cybersecurity needs.


IASME

IASME is a UK-based standard for information assurance in small and medium-sized enterprises (SMEs). It provides criteria and certification for the cyber security readiness of small and medium-sized businesses. It also allows small and medium-sized businesses to provide potential and existing customers and clients with an accredited measurement of the company's cybersecurity posture and its protection of personal/business data.

IASME was established to enable businesses with a capitalization of 1.2 billion pounds or less (1.5 billion euros, 2 billion US dollars) to achieve an accreditation similar to ISO 27001 but with reduced complexity, cost, and administrative overhead (specifically focused on SMEs in recognition that it is difficult for small businesses to achieve and maintain ISO 27001).

The cost of certification is tiered based on the SME's employee population (e.g., 10 and fewer, 11 to 25, 26 to 100, 101 to 250 employees); certification can be based on a self-assessment with the IASME questionnaire or on an assessment by a third-party professional assessor. Some insurance companies reduce premiums for cybersecurity-related coverage on the basis of IASME certification.


US Banking Regulators

In October 2016, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation jointly issued an Advance Notice of Proposed Rulemaking (ANPR) on cyber risk management standards (for regulated entities). The ANPR aims to improve the ability of large and interconnected financial services entities to prevent and recover from cyber attacks, and goes beyond existing requirements.

The proposal would require entities with total assets of $50 billion or more, and their third-party service providers, to take steps to strengthen their incident response programs, improve their risk management practices and cyber risk management,

In May 2017, the US Federal Financial Institutions Examination Council [6], consisting of the following principals: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, issued a cyber security assessment tool. The tool includes completing an inherent risk profile for an organization that covers five areas:

  • Technologies and connection types,
  • Delivery channels,
  • Online/mobile products and technology services,
  • Organizational characteristics, and
  • External threats.


See also

  • 201 CMR 17.00 (Massachusetts Standards for the Protection of Personal Information)
  • BS 7799
  • Chief information security officer
  • Common Criteria
  • Computer security
  • Computer security policy
  • Cyber Essentials (UK government standard)
  • Information security
  • Information assurance
  • ISO/IEC 27002
  • IT Baseline Protection Catalogs
  • North American Electric Reliability Corporation (NERC)
  • National Institute of Standards and Technology (NIST)
  • Open Information Security Maturity Model
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Privacy engineering
  • Standard of Good Practice
  • Semantic service-oriented architecture (SSOA)
  • ISA-99 Security for Industrial Automation and Control Systems
  • System security controls
  • Information security indicators



References

  • Department of Homeland Security, A Comparison of Cyber Security Standards Developed by the Oil and Gas Segment. (November 5, 2004)
  • Guttman, M., Swanson, M., National Institute of Standards and Technology; Technology Administration; US Department of Commerce, Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14). (September 1996)
  • National Institute of Standards and Technology; Technology Administration; US Department of Commerce, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
  • Swanson, M., National Institute of Standards and Technology; Technology Administration; US Department of Commerce, Security Self-Assessment Guide for Information Technology Systems (800-26).
  • Stouffer, K.; Pillitteri, V.; Lightman, S.; Abrams, M.; Hahn, A.; National Institute of Standards and Technology; US Department of Commerce, Guide to Industrial Control Systems (ICS) Security (800-82).
  • North American Electric Reliability Corporation (NERC). http://www.nerc.com. Retrieved November 12, 2005.
  • Federal Financial Institutions Examination Council (FFIEC). https://www.ffiec.gov. Retrieved April 18, 2018.



External links

  • ISA99 info
  • NERC standards (see CIP 002-009)
  • Secure Cyberspace-Media
  • Presentation by Professor William Sanders, University of Illinois
  • Global Cyber Security Policy Conference
  • The 10 Minute Guide to the NIST Cybersecurity Framework
  • Federal Financial Institutions Examination Council (FFIEC) Web site

    Source of the article : Wikipedia
