In the face of constant cyber threats, formal security standards have evolved to guide organizations in implementing effective countermeasures. With so many critical systems at risk, Information Assurance and other IT security experts rely on government and industry standards to keep an organization’s cyber security robust. Vendors and systems integrators also develop, test, and install systems and products according to these standards.
ISO/IEC 27001 for Information Security Management
Published in 2005, the ISO/IEC 27001 standard sets forth 12 domains that an information security management program should address. Organizations can apply for ISO certification and be audited for compliance. Major areas covered include:
Security policy and governance
Information asset management
Computer facility security
Communications and network security
User access controls
Security incident management
Business continuity processes and disaster recovery
Standards and regulatory compliance
ISO 15408 for Security Product Evaluation
The ISO 15408 standard addresses computer security certification. It is built on an internationally accepted framework called the Common Criteria, against which computer security systems and products are evaluated. Customers, vendors, and independent testers use the Common Criteria as a shared frame of reference to ensure that products meet customer and industry expectations in a consistent, truthful, and robust manner. ISO-certified testing laboratories perform evaluations that seek to validate a vendor's product claims and to establish a level of confidence in the product's security features and functionality.
Several documents drive the product validation process. A Protection Profile defines user security specifications for a product class and serves as a guide for vendors producing those products. ISO 15408 provides a list of security functional requirements that vendors can choose to implement and be evaluated against. A product’s implemented requirements are detailed in a published Security Target document as a reference for testing labs and customers.
The evaluation's quality assurance component examines the processes and procedures followed during product development to ensure quality. Typical examples are a formal change control process and the standardization of prototypes used in development testing. A product is also rated according to the rigor of the evaluation it underwent: evaluations are assigned one of seven levels on a scale called the Evaluation Assurance Level, and each level consists of a package of security assurance requirements that a product must meet to achieve that rating.
National Institute of Standards and Technology (NIST)
Part of the Department of Commerce, NIST sets standards and specifications for many areas of technology including information security. Various publications provide guidance that is especially useful to government and private sector managers with security responsibility. Areas covered include IT security management, a computer security overview, and security policy best practices. Some guidelines have been developed specifically for federal information systems.
Standard of Good Practice
The Information Security Forum publishes this set of best practices for information security and updates it every two years. The publication addresses real-world business concerns in cyber security along the supply chain and provides guidance on various certifications and compliance requirements. It is an invaluable handbook for CIOs, risk managers, and IT experts in various roles. Recent content covers critical subjects such as cloud computing that are at the forefront of IT initiatives.
Other Cyber Security Standards
The North American Electric Reliability Corporation, or NERC, is a nonprofit that sets enforceable standards for the nation's bulk power grid. NERC also monitors the grid's cyber safety and has publicly warned that cyber attack is a serious threat. Its Critical Infrastructure Protection program is designed to protect the North American electric power infrastructure and sets standards useful to IT professionals involved with mission-critical systems.
A standard specific to the military is Department of Defense Directive 8570. The standard applies to personnel who work in a security role with DoD information systems and mandates certification as of 2010. All Information Assurance positions are also now categorized with specific qualification requirements.
The ISO Common Criteria standard is generally used for IT security products that can be sold as discrete items, such as software applications and firewalls. Other ISO standards address security issues such as interoperability or specific international markets. An exception in the security field is cryptography, which is subject to national and industry standards, although ISO has begun including certain implementations.
Cyber security standards span all domains, from user behavior to firewall design, and form a common reference among customers, vendors, and developers. As the cyber security field grows in response to critical threats, cyber standards can be expected to evolve more quickly than standards in most other fields. One key to success is the participation of top security experts who work in the real world and can help keep the field safer through involvement with standards initiatives.