
Information security standards: Difference between revisions

Revision as of 17:42, 29 March 2024 by 2003:e7:8703:515d:5401:8301:452e:208f (talk). Edit summary: External links: Added Link for ISO/SAE 21434 Challenges in the Field
Latest revision as of 14:31, 28 November 2024 by Bobrayner (talk | contribs). Edit summary: ISO/SAE 21434: expand, plus a link
(11 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{Short description|Technology standards and techniques}} {{Short description|Technology standards and techniques}}
'''Information security standards''' or '''cyber security standards'''<ref name=NIST>{{cite web| url=https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf| title=Guidelines for Smart Grid Cyber Security |publisher=] | date=September 2014 |doi=10.6028/NIST.IR.7628r1 |accessdate=28 November 2023}}</ref> are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization.<ref>{{Cite web|url=http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=9136|title = ITU-T Recommendation database}}</ref> This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. '''Information security standards''' (also '''cyber security standards'''<ref name=NIST>{{cite web| url=https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf| title=Guidelines for Smart Grid Cyber Security |publisher=] | date=September 2014 |doi=10.6028/NIST.IR.7628r1 |accessdate=28 November 2023}}</ref>) are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment.<ref>{{Cite web|url=http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=9136|title = ITU-T Recommendation database}}</ref> This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.


The principal objective is to reduce the risks, including preventing or mitigating ]s. These published materials consist of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies. The principal objective is to reduce the risks, including preventing or mitigating ]s. These published materials comprise tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.


==History== ==History==
] standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices – generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.<ref>{{Cite web|url=http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy|title = FSI - Consortium for Research on Information Security and Policy}}</ref> ] standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices – generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.<ref>{{Cite web|url=http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy|title = FSI - Consortium for Research on Information Security and Policy}}</ref>


A 2016 US security framework adoption study reported that 70% of the surveyed organizations the ] as the most popular best practice for ] (IT) computer security, but many note that it requires significant investment.<ref>{{Cite web|url=http://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds|date=30 March 2016|access-date=2016-08-02}}</ref> Cross-border, cyber-exfiltration operations by law enforcement agencies to counter international criminal activities on the ] raise complex jurisdictional questions that remain, to some extent, unanswered.<ref name=":0">{{Cite journal|last=Ghappour|first=Ahmed|date=2017-01-01|title=Tallinn, Hacking, and Customary International Law|url=https://scholarship.law.bu.edu/faculty_scholarship/206|journal=AJIL Unbound|volume=111|pages=224–228|doi=10.1017/aju.2017.59|doi-access=free}}</ref><ref>{{Cite journal|last=Ghappour|first=Ahmed|date=2017-04-01|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|volume=69|issue=4|pages=1075}}</ref> Tensions between domestic law enforcement efforts to conduct cross-border cyber-exfiltration operations and international jurisdiction are likely to continue to provide improved cybersecurity norms.<ref name=":0" /><ref>{{Cite journal|last=Ghappour, Ahmed|date=2017|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|language=en|volume=69|issue=4}}</ref> A 2016 US security framework adoption study reported that 70% of the surveyed organizations use the ] as the most popular best practice for ] (IT) computer security, but many note that it requires significant investment.<ref>{{Cite 
web|url=http://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds|date=30 March 2016|access-date=2016-08-02}}</ref> Cross-border, cyber-exfiltration operations by law enforcement agencies to counter international criminal activities on the ] raise complex jurisdictional questions that remain, to some extent, unanswered.<ref name=":0">{{Cite journal|last=Ghappour|first=Ahmed|date=2017-01-01|title=Tallinn, Hacking, and Customary International Law|url=https://scholarship.law.bu.edu/faculty_scholarship/206|journal=AJIL Unbound|volume=111|pages=224–228|doi=10.1017/aju.2017.59|doi-access=free}}</ref><ref>{{Cite journal|last=Ghappour|first=Ahmed|date=2017-04-01|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|volume=69|issue=4|pages=1075}}</ref> Tensions between domestic law enforcement efforts to conduct cross-border cyber-exfiltration operations and international jurisdiction will likely continue to provide improved cybersecurity norms.<ref name=":0" /><ref>{{Cite journal|last=Ghappour, Ahmed|date=2017|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|language=en|volume=69|issue=4}}</ref>


== International Standards == == International Standards ==
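Review bot: the two Ghappour citations at the end of the History paragraph point to the same Stanford Law Review article ("Searching Places Unknown", volume 69, issue 4) but are kept as separate refs with different dates (2017-04-01 versus 2017) and different author formatting (`last=Ghappour|first=Ahmed` versus `last=Ghappour, Ahmed`); consolidate them into one named ref and reuse it the way `<ref name=":0" />` already is. The closing sentence, that jurisdictional tensions "will likely continue to provide improved cybersecurity norms", is a prediction rather than a reported finding; if the cited source makes that claim, attribute it explicitly, otherwise reword it as a description of the open question.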
Line 18: Line 18:
The ISO/IEC 27001 Standard has been adopted identically as EN ISO/IEC 27001 by CEN and CENELEC.<ref name="European and International Standards on Information Security">{{cite web |title=Information Security Standards |url=https://genorma.com/en/topic/show/135/related-standards/7 |website=Genorma.com |publisher=Genorma, CEN and CENELEC standards}}</ref> The ISO/IEC 27001 Standard has been adopted identically as EN ISO/IEC 27001 by CEN and CENELEC.<ref name="European and International Standards on Information Security">{{cite web |title=Information Security Standards |url=https://genorma.com/en/topic/show/135/related-standards/7 |website=Genorma.com |publisher=Genorma, CEN and CENELEC standards}}</ref>


ISO/IEC 27001 formally specifies a management system intended to bring information security under explicit management control. ISO/IEC 27001 formally specifies a management system to bring information security under explicit management control.


ISO/IEC 27002 incorporates part 1 of the ] good security management practice standard. The latest version of BS 7799 is BS 7799-3. Sometimes ] is therefore referred to as ISO 17799 or BS 7799 part&nbsp;1 and, sometimes it refers to part&nbsp;1 and part&nbsp;7. BS 7799 part&nbsp;1 provides an outline or good practice guide for cybersecurity management; whereas BS 7799 part&nbsp;2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation to obtain certification to the ISO/IEC 27001 standard. The certification once obtained lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years. ISO/IEC 27002 incorporates part 1 of the ] good security management practice standard. The latest version of BS 7799 is BS 7799-3. Sometimes, ] is referred to as ISO 17799 or BS 7799 part&nbsp;1, and sometimes it refers to part&nbsp;1 and part&nbsp;7. BS 7799 part&nbsp;1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part&nbsp;2 and ISO/IEC 27001 are normative and provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation to obtain certification to the ISO/IEC 27001 standard. The certification, once obtained, lasts three years. No or some intermediate audits may be carried out during the three years, depending on the auditing organisation.


ISO/IEC 27001 (ISMS) replaces BS 7799 part&nbsp;2, but since it is backwards compatible any organization working toward BS 7799 part&nbsp;2 can easily transition to the ISO/IEC 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO/IEC 27001-certified. ] provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining ]s (ISMS). It states the information security systems required to implement ISO/IEC 27002 control objectives. Without ISO/IEC 27001, ISO/IEC 27002 control objectives are ineffective. ISO/IEC 27002 controls objectives are incorporated into ISO 27001 in Annex&nbsp;A. ISO/IEC 27001 (ISMS) replaces BS 7799 part&nbsp;2, but since it is backward compatible, any organization working toward BS 7799 part&nbsp;2 can easily transition to the ISO/IEC 27001 certification process. A transitional audit is also available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO/IEC 27001-certified. ] provides best practice recommendations on information security management for those responsible for initiating, implementing, or maintaining ]s (ISMS). It states the information security systems required to implement ISO/IEC 27002 control objectives. Without ISO/IEC 27001, ISO/IEC 27002 control objectives are ineffective. In Annex&nbsp;A, ISO/IEC 27002 control objectives are incorporated into ISO 27001.


ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO controls objectives. ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.


===ISO/IEC 15408=== ===ISO/IEC 15408===
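Review bot: in the ISO/IEC 27002 paragraph, "sometimes it refers to part 1 and part 7" conflicts with the preceding sentence that BS 7799-3 is the latest version of BS 7799, so a "part 7" cannot exist as written; verify which part is meant (the next paragraph discusses part 2) and correct it. The reordered last sentence of the ISO/IEC 27001 paragraph, "In Annex A, ISO/IEC 27002 control objectives are incorporated into ISO 27001", now reads as though Annex A belonged to 27002; the earlier wording "... are incorporated into ISO 27001 in Annex A" put the annex with the right standard and should be restored.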
Line 30: Line 30:
This standard develops what is called the “].” It allows many different software and hardware products to be integrated and tested in a secure way. This standard develops what is called the “].” It allows many different software and hardware products to be integrated and tested in a secure way.


===IEC 62443 === ===IEC/ISA 62443 ===
{{anchor|62443}} {{anchor|62443}}
{{Main|IEC 62443}} {{Main|IEC/ISA 62443}}
The IEC 62443 cybersecurity standard defines processes, techniques and requirements for ] (IACS). Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard. The IEC/ISA 62443 cybersecurity standards define processes, techniques, and requirements for ] (IACS). The documents in this series are developed through a collaborative relationship between the ISA99 committee and IEC TC65 WG10, applying the IEC standards creation process where all national committees involved agree upon a common standard.


] All IEC 62443 standards and technical reports are organized into four general categories called ''General'', ''Policies and Procedures'', ''System'' and ''Component''. All IEC 62443 standards and technical reports are organized into four general categories: ''General'', ''Policies and Procedures'', ''System,'' and ''Component''.


# The first category includes foundational information such as concepts, models and terminology. # The first category includes foundational information such as concepts, models, and terminology.
# The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program. # The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
# The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. Core in this is the zone and conduit, design model. # The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. The core of this is the zone, conduit, and design model.
# The fourth category includes work products that describe the specific product development and technical requirements of control system products. # The fourth category includes work products that describe the specific product development and technical requirements of control system products.
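Review bot: the rewrite of the third category item changes its meaning: "The core of this is the zone, conduit, and design model" turns one concept into three. The stray comma in the old text was simply in the wrong place; the intended phrase is the "zone and conduit" design model, so the item should read "The core of this is the zone and conduit design model." The leading "]" at the start of the old-revision line above the category list is the remnant of a removed link or image; check that nothing was dropped unintentionally.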


Line 45: Line 45:
ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ] and ] working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.<ref></ref> ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ] and ] working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.<ref></ref>


The standard is related to the ] regulation on cyber security that is currently being developed. In coordination with the EU, the ] is developing a certification for a "Cyber Security Management System" (CSMS), which is to be mandatory for the ]. ISO/SAE 21434 is a technical standard for automotive development that can demonstrate compliance with those regulations. The standard is related to the ] regulation on cyber security that is currently being developed. In coordination with the EU, the ] has created a ] (CSMS) certification mandatory for ]. This is defined in the overarching ]; ] is a technical standard for automotive development which can demonstrate compliance with those regulations.


A derivative of this is in the work of ''] WP29'', which provides regulations for vehicle cybersecurity and software updates. <ref>{{cite web |title=UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles {{!}} UNECE |url=https://unece.org/sustainable-development/press/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll |website=unece.org}}</ref> A derivative of this is in the work of ''] WP29'', which provides regulations for vehicle cybersecurity and software updates. <ref>{{cite web |title=UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles {{!}} UNECE |url=https://unece.org/sustainable-development/press/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll |website=unece.org}}</ref>


===ETSI EN 303 645=== ===ETSI EN 303 645===
The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer ] devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020<ref></ref> and is intended to be complemented by other, more specific standards. As many consumer IoT devices handle ], implementing the standard helps with complying to the ] in the EU.<ref></ref> The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer ] devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020<ref></ref> and is intended to complement other, more specific standards. As many consumer IoT devices handle ], implementing the standard helps comply with the EU's ] in the EU.<ref></ref>


The Cybersecurity provisions in this European standard are: The Cybersecurity provisions in this European standard are:
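Review bot: the last sentence of the ETSI EN 303 645 paragraph now reads "helps comply with the EU's ] in the EU", which is redundant; drop the trailing "in the EU". The change from "intended to be complemented by other, more specific standards" to "intended to complement other, more specific standards" also reverses the direction of the relationship, so confirm which the source supports before keeping it. In the ISO/SAE 21434 paragraph, "regulation on cyber security that is currently being developed" now sits next to the statement that the CSMS certification "has created" and is mandatory, so the tense of the first sentence looks stale; and the two empty `<ref></ref>` tags in this hunk need their content restored or the tags removed.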
Line 67: Line 67:
# Validate input data # Validate input data


Conformance assessment of these baseline requirements is via the standard TS 103 701, which allows self-certification, or certification by another group.<ref>{{cite web |title=ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements |url=https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf |website=ETSI}}</ref> Conformance assessment of these baseline requirements is via the standard TS 103 701, which allows self-certification or certification by another group.<ref>{{cite web |title=ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements |url=https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf |website=ETSI}}</ref>


== National Standards == == National Standards ==
Line 73: Line 73:


===NERC=== ===NERC===
An initial attempt to create information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards).<ref> {{Webarchive|url=https://web.archive.org/web/20161022054805/http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_css_nerc_ferc.10-2008.14566044-1.en-us.pdf |date=2016-10-22 }} Subsection: History of NERC Standards</ref> Subsequent to the CSS guidelines, NERC evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.{{ref|NERC}} An initial attempt to create information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards).<ref> {{Webarchive|url=https://web.archive.org/web/20161022054805/http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_css_nerc_ferc.10-2008.14566044-1.en-us.pdf |date=2016-10-22 }} Subsection: History of NERC Standards</ref> Subsequent to the CSS guidelines, NERC evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP=Critical Infrastructure Protection). These standards secure bulk electric systems, although NERC has created standards in other areas. The bulk electric system standards also provide network security administration while supporting best-practice industry processes.{{ref|NERC}}


===NIST=== ===NIST===
{{Main category|National Institute of Standards and Technology}} {{Main category|National Institute of Standards and Technology}}
# The ] (NIST CSF) "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide ] with guidance on how to protect it, along with relevant protections for ] and ].<ref>{{cite journal | url=https://www.nist.gov/cyberframework/ | title=NIST Cybersecurity Framework | journal=NIST | date=12 November 2013 | accessdate=2016-08-02 }}</ref> # The ] (NIST CSF) "provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide ] with guidance on how to protect it, along with relevant protections for ] and ].<ref>{{cite journal | url=https://www.nist.gov/cyberframework/ | title=NIST Cybersecurity Framework | journal=NIST | date=12 November 2013 | accessdate=2016-08-02 }}</ref>
# Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of security controls and ways to implement them. Initially, this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically, it was written for those people in the federal government responsible for handling sensitive systems. {{ref|800-12}} # Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of security controls and ways to implement them. Initially, this document was aimed at the federal government, although most practices in this document can also be applied to the private sector. Specifically, it was written for those in the federal government responsible for handling sensitive systems.{{ref|800-12}}
# Special publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document. {{ref|800-14}} # Special publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security and how to develop a new security practice. Eight principles and fourteen practices are described within this document. {{ref|800-14}}
# Special publication 800-26 provides advice on how to manage IT security. Superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self-assessments as well as risk assessments. {{ref|800-26}} # Special publication 800-26 provides advice on how to manage IT security - superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self-assessments as well as risk assessments. {{ref|800-26}}
# Special publication 800-37, updated in 2010 provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems" # Special publication 800-37, updated in 2010, provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems"
# Special publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", Published April 2013 updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure". # Special publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", published April 2013, updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
# Special publication 800-63-3, "Digital Identity Guidelines", Published June 2017 updated to include updates as of December 1, 2017, provides guidelines for implementing digital identity services, including identity proofing, registration, and authentication of users. {{ref|800-63-3}} # Special publication 800-63-3, "Digital Identity Guidelines", Published June 2017, updated to include updates as of December 1, 2017, provides guidelines for implementing digital identity services, including identity proofing, registration, and authentication of users. {{ref|800-63-3}}
# Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber-attacks while considering the performance, reliability and safety requirements specific to ICS. {{ref|800-82}} # Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber-attacks while considering the performance, reliability, and safety requirements specific to ICS. {{ref|800-82}}


=== FIPS 140 === === FIPS 140 ===
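Review bot: items 5 and 6 of the NIST list both say "updated to include updates as of ...", which is redundant; "with updates as of January 15, 2014" and "with updates as of December 1, 2017" read better. Item 6 also keeps "Published June 2017" capitalised mid-sentence while item 5 was changed to lower-case "published April 2013"; apply one style to both. In the NERC paragraph, "An initial attempt ... was created by NERC" should be "was made by NERC", and "NERC 1300, a modification/update of NERC 1200" would be clearer as "an update of NERC 1200".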
Line 92: Line 92:
=== NCSC Cyber Essentials === === NCSC Cyber Essentials ===
{{Main|Cyber Essentials}} {{Main|Cyber Essentials}}
Cyber Essentials is a ] government ] scheme that is operated by the ]. It encourages organizations to adopt good practice in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet. Cyber Essentials is a ] government ] scheme operated by the ]. It encourages organizations to adopt good practices in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.


=== Essential Eight === === Essential Eight ===
The ] has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are called the Essential Eight.<ref>{{cite web |title=Essential Eight Maturity Model |url=https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model |publisher=Australian Cyber Security Centre |access-date=29 September 2022}} ] Text was copied from this source, which is available under a .</ref> The ] has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is called the Essential Eight.<ref>{{cite web |title=Essential Eight Maturity Model |url=https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model |publisher=Australian Cyber Security Centre |access-date=29 September 2022}} ] Text was copied from this source, which is available under a .</ref>


===BSI IT-Grundschutz=== ===BSI IT-Grundschutz===
The ] ({{lang-de|Bundesamt für Sicherheit in der Informationstechnik}}, abbreviated as BSI) standards are an elementary component of the IT baseline protection ({{lang-de|IT-Grundschutz}}) methodology. They contain recommendations on methods, processes and procedures as well as approaches and measures for various aspects of information security. Users from public authorities and companies as well as manufacturers or service providers can use the BSI standards to make their business processes and data more secure.<ref>{{cite web | title=BSI - IT-Grundschutz | website=BSI | url=https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html | language=de | access-date=2021-03-26}}</ref> The ] ({{langx|de|Bundesamt für Sicherheit in der Informationstechnik}}, abbreviated as BSI) standards are an elementary component of the IT baseline protection ({{langx|de|IT-Grundschutz}}) methodology. They contain recommendations on methods, processes, and procedures, approaches, and measures for various aspects of information security. Users from public authorities, companies, manufacturers, or service providers can use the BSI standards to make their business processes and data more secure.<ref>{{cite web | title=BSI - IT-Grundschutz | website=BSI | url=https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html | language=de | access-date=2021-03-26 | archive-date=2013-09-30 | archive-url=https://web.archive.org/web/20130930163735/https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html | url-status=dead }}</ref>
* BSI Standard 100-4 covers ]. * BSI Standard 100-4 covers ].
* BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO 27001 and considers recommendations of other ISO standards such as ISO 27002. * BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO 27001 and considers recommendations of other ISO standards, such as ISO 27002.
* BSI Standard 200-2 forms the basis of BSI's methodology for establishing a sound information security management system (ISMS). It establishes three procedures for implementing IT baseline protection. * BSI Standard 200-2 forms the basis of BSI's methodology for establishing a sound information security management system (ISMS). It establishes three procedures for implementing IT baseline protection.
* BSI Standard 200-3 bundles all risk-related steps in the implementation of IT baseline protection. * BSI Standard 200-3 bundles all risk-related steps in implementing IT baseline protection.


== Industry-specific Standards == == Industry-specific Standards ==
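Review bot: in the BSI IT-Grundschutz paragraph, flattening "methods, processes and procedures as well as approaches and measures" into "methods, processes, and procedures, approaches, and measures" loses the grouping and leaves a run of commas; "methods, processes, and procedures, as well as approaches and measures" keeps the serial comma without that. In the Essential Eight paragraph, "The most effective of these mitigation strategies is called the Essential Eight" makes a plural subject (eight strategies) singular; the previous "are called" was correct.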
Line 114: Line 114:
UL 2900 is a series of standards published by ]. The standards include general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical products (UL 2900-2-1), industrial systems (UL 2900-2-2), and security and life safety signalling systems (UL 2900-2-3). UL 2900 is a series of standards published by ]. The standards include general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical products (UL 2900-2-1), industrial systems (UL 2900-2-2), and security and life safety signalling systems (UL 2900-2-3).


UL 2900 requires that manufacturers have described and documented the attack surface of the technologies used in their products. It requires threat modeling based on the intended use and deployment environment. The standard requires the implementation of effective security measures that protect sensitive (personal) data as well as other assets such as command and control data. It also requires that security vulnerabilities in the software have been eliminated, security principles such as defence-in-depth have been followed, and the security of the software has been verified through penetration testing. UL 2900 requires manufacturers to describe and document the attack surface of the technologies used in their products. It requires threat modeling based on the intended use and deployment environment. The standard requires effective security measures that protect sensitive (personal) data and other assets, such as command and control data. It also requires that security vulnerabilities in the software have been eliminated, security principles, such as defense-in-depth have been followed, and the security of the software has been verified through penetration testing.
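Review bot: in the last sentence of the UL 2900 paragraph, "security principles, such as defense-in-depth have been followed" opens a parenthetical comma and never closes it; either write "security principles such as defense-in-depth have been followed" or bracket the phrase on both sides. The spelling was also switched from "defence" to "defense" while the article otherwise uses British spelling ("organisation", "prioritised", and "signalling" in the UL 2900-2-3 line); keep one variety throughout.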

== Organisations producing Standards ==
The ] (ISO) is an international standards organization organized as a consortium of national standards institutions from 167 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world's largest developer of international standards. The ] (IEC) is an international standards organization that deals with electrotechnology and cooperates closely with ISO. ISO/IEC 15443: "Information technology – Security techniques – A framework for IT security assurance", ]: "Information technology – Security techniques – Code of practice for information security management", ]: "Information technology – Service management", and ]: "Information technology – Security techniques – Information security management systems – Requirements" are of particular interest to information security professionals.

The US ] (NIST) is a non-regulatory federal agency within the ]. The NIST Computer Security Division develops standards, metrics, tests, and validation programs, and it publishes standards and guidelines to increase secure IT planning, implementation, management, and operation. NIST is also the custodian of the U.S. ] publications (FIPS).

] is a professional membership society with over 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the ] (IETF) and the ] (IAB). The ISOC hosts the Requests for Comments (RFCs), including the Official Internet Protocol Standards and the RFC-2196 ].

The ] (IISP) is an independent, non-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and, thereby, the industry's professionalism. The institute developed the IISP Skills Framework. This framework describes the range of competencies that information security and information assurance professionals expect to perform their roles effectively. It was developed through collaboration between private and public sector organizations, world-renowned academics, and security leaders.<ref>{{cite web |title=IISP Skills Framework |url=https://www.iisp.org/imis15/iisp/Accreditation/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx?hkey=e77a6f03-9498-423e-aa7b-585381290ec4 |url-status=dead |archive-url=https://web.archive.org/web/20140315184556/https://www.iisp.org/imis15/iisp/Accreditation/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx?hkey=e77a6f03-9498-423e-aa7b-585381290ec4 |archive-date=2014-03-15 |access-date=2014-04-27}}</ref>

The German ] (in German ''Bundesamt für Sicherheit in der Informationstechnik (BSI)'') BSI-Standards 100–1 to 100-4 are a set of recommendations including "methods, processes, procedures, approaches, and measures relating to information security".<ref>{{cite web |title=BSI-Standards |url=https://www.bsi.bund.de/EN/Publications/BSIStandards/BSIStandards_node.html;jsessionid=8FB8A442EDCF66AECC34651426C22D11.2_cid359 |url-status=dead |archive-url=https://web.archive.org/web/20131203010908/https://www.bsi.bund.de/EN/Publications/BSIStandards/BSIStandards_node.html;jsessionid=8FB8A442EDCF66AECC34651426C22D11.2_cid359 |archive-date=3 December 2013 |access-date=29 November 2013 |publisher=BSI}}</ref> The BSI-Standard 100-2 ''IT-Grundschutz Methodology'' describes how information security management can be implemented and operated. The standard includes a specific guide, the IT Baseline Protection Catalogs (IT-Grundschutz Catalogs). Before 2005, the catalogs were formerly known as "] Manual". The Catalogs are documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013, the collection encompasses over 4,400 pages with the introduction and catalogs. The IT-Grundschutz approach is aligned with the ISO/IEC 2700x family.

The ] standardized a catalog of ] headed by the Industrial Specification Group (ISG) ISI.


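Review bot: in the rewritten UL 2900 paragraph the clause "security principles, such as defense-in-depth have been followed" drops the closing comma of the parenthetical; write "security principles, such as defense-in-depth, have been followed" or drop both commas. In the new "Organisations producing Standards" section, "BSI-Standards 100–1 to 100-4" mixes an en dash and a hyphen in one range, and "Before 2005, the catalogs were formerly known as" states the same thing twice; "Before 2005, the catalogs were known as" is enough.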

Latest revision as of 14:31, 28 November 2024

Technology standards and techniques

Information security standards (also cyber security standards) are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The principal objective is to reduce the risks, including preventing or mitigating cyber-attacks. These published materials comprise tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.

History

Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices – generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.

A 2016 US security framework adoption study reported that the NIST Cybersecurity Framework was the most popular best practice for Information Technology (IT) computer security, used by 70% of the surveyed organizations, although many noted that it requires significant investment. Cross-border cyber-exfiltration operations by law enforcement agencies to counter international criminal activity on the dark web raise complex jurisdictional questions that remain, to some extent, unanswered. Tensions between such domestic law enforcement operations and international jurisdiction will likely continue to drive the development of improved cybersecurity norms.

International Standards

The subsections below detail international standards related to cybersecurity.

ISO/IEC 27001 and 27002

Main article: ISO/IEC 27001

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard whose most recent revision was published in October 2022 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements.

The ISO/IEC 27001 Standard has been adopted identically as EN ISO/IEC 27001 by CEN and CENELEC.

ISO/IEC 27001 formally specifies a management system to bring information security under explicit management control.

ISO/IEC 27002 incorporates part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. ISO/IEC 27002 is sometimes referred to as ISO 17799 or BS 7799 part 1, and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part 2 and ISO/IEC 27001 are normative and provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation seeking certification to the ISO/IEC 27001 standard. The certification, once obtained, lasts three years. Depending on the auditing organisation, intermediate audits may or may not be carried out during those three years.

ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. A transitional audit is also available to make it easier for an organization that is already BS 7799 part 2-certified to become ISO/IEC 27001-certified. ISO/IEC 27002 provides best-practice recommendations on information security management for those responsible for initiating, implementing, or maintaining information security management systems (ISMS). It describes the information security systems required to implement the ISO/IEC 27002 control objectives. Without ISO/IEC 27001, the ISO/IEC 27002 control objectives are ineffective. The ISO/IEC 27002 control objectives are incorporated into ISO/IEC 27001 in its Annex A.

ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.

ISO/IEC 15408

Main article: Common Criteria

This standard defines what is called the "Common Criteria". It allows many different software and hardware products to be integrated and tested in a secure way.

IEC/ISA 62443

Main article: IEC/ISA 62443

The IEC/ISA 62443 cybersecurity standards define processes, techniques, and requirements for Industrial Automation and Control Systems (IACS). The documents in this series are developed through a collaborative relationship between the ISA99 committee and IEC TC65 WG10, applying the IEC standards creation process where all national committees involved agree upon a common standard.

All IEC 62443 standards and technical reports are organized into four general categories: General, Policies and Procedures, System, and Component.

  1. The first category includes foundational information such as concepts, models, and terminology.
  2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. The core of this is the zone and conduit design model.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products.
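As an added illustration of the zone and conduit design model named in the third category (example code, not part of the standard or of the original article), the following Python sketch declares zones with target security levels, declares the conduits between them, and checks a list of observed network flows against that design. Zone names, security levels, protocols and flows are all constructed for the example. The two rules it enforces, that every cross-zone flow needs a declared conduit and that a conduit letting a lower-security zone initiate into a higher-security zone must be explicitly marked as reviewed, are a simplification of the kind of design check the system-level documents call for, not the standard's own wording.

```python
"""Zone-and-conduit design check, written as an added example in the spirit of
IEC 62443's system-level design model. All zones, levels, conduits and flows
below are constructed; they are not taken from the standard."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int  # target security level for the zone (1 = lowest, 4 = highest)


@dataclass(frozen=True)
class Conduit:
    src: str                     # zone that initiates connections
    dst: str                     # zone that accepts them
    protocols: FrozenSet[str]    # protocols the conduit is declared to carry
    allows_upward: bool = False  # reviewed: a lower-SL src may initiate into a higher-SL dst


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str


def find_conduit(conduits: List[Conduit], flow: Flow) -> Optional[Conduit]:
    """Return the declared conduit that carries this flow, or None."""
    for c in conduits:
        if c.src == flow.src_zone and c.dst == flow.dst_zone and flow.protocol in c.protocols:
            return c
    return None


def validate_flows(zones: List[Zone], conduits: List[Conduit],
                   flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) pairs for every flow that breaks the design."""
    sl = {z.name: z.security_level for z in zones}
    violations = []
    for f in flows:
        if f.src_zone == f.dst_zone:
            continue  # traffic inside one zone is not governed by conduits
        c = find_conduit(conduits, f)
        if c is None:
            violations.append((f, "no declared conduit carries this flow"))
        elif sl[f.src_zone] < sl[f.dst_zone] and not c.allows_upward:
            violations.append((f, "lower-SL zone initiates into higher-SL zone "
                                  "over a conduit not marked allows_upward"))
    return violations


# Constructed design: a typical enterprise / DMZ / control / safety split.
ZONES = [Zone("enterprise", 1), Zone("dmz", 2), Zone("control", 3), Zone("safety", 4)]
CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"}), allows_upward=True),
    Conduit("dmz", "control", frozenset({"opc-ua"}), allows_upward=True),
    Conduit("enterprise", "control", frozenset({"rdp"})),  # declared, never reviewed for upward access
]
# Constructed flows, as they might be exported from a firewall or flow collector.
OBSERVED = [
    Flow("enterprise", "dmz", "https"),       # matches a reviewed conduit
    Flow("dmz", "control", "opc-ua"),         # matches a reviewed conduit
    Flow("control", "control", "modbus"),     # intra-zone, ignored
    Flow("enterprise", "control", "modbus"),  # no conduit at all
    Flow("dmz", "control", "ssh"),            # conduit exists, but not for this protocol
    Flow("enterprise", "control", "rdp"),     # conduit exists, upward access never approved
]


def audit() -> List[Tuple[Flow, str]]:
    """Run the constructed design against the constructed flows."""
    return validate_flows(ZONES, CONDUITS, OBSERVED)


if __name__ == "__main__":
    for flow, reason in audit():
        print(f"{flow.src_zone} -> {flow.dst_zone} ({flow.protocol}): {reason}")
```

Run stand-alone, the script reports three violations: the undeclared Modbus path from the enterprise zone into the control zone, SSH over a conduit declared only for OPC UA, and RDP over a conduit that was declared but never approved for access from a lower-security zone into a higher one.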

ISO/SAE 21434

ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ISO and SAE working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.

The standard is related to the European Union (EU) regulation on cyber security that is currently being developed. In coordination with the EU, the UNECE has created a Cyber Security Management System (CSMS) certification mandatory for vehicle-type approval. This is defined in the overarching UN Regulation 155; ISO/SAE 21434 is a technical standard for automotive development which can demonstrate compliance with those regulations.

A derivative of this is in the work of UNECE WP29, which provides regulations for vehicle cybersecurity and software updates.

ETSI EN 303 645

The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer Internet of Things (IoT) devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020 and is intended to complement other, more specific standards. As many consumer IoT devices handle personally identifiable information (PII), implementing the standard helps with compliance with the EU's General Data Protection Regulation (GDPR).

The Cybersecurity provisions in this European standard are:

  1. No universal default passwords
  2. Implement a means to manage reports of vulnerabilities
  3. Keep software updated
  4. Securely store sensitive security parameters
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is secure
  9. Make systems resilient to outages
  10. Examine system telemetry data
  11. Make it easy for users to delete user data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Conformance assessment of these baseline requirements is via the standard TS 103 701, which allows self-certification or certification by another group.
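The first provision, no universal default passwords, is the one most easily checked after the fact across a deployed fleet. The following Python fragment is an added example, not part of the standard, of TS 103 701 or of the original article: it takes a constructed device inventory in which each record carries only a digest of the device's current administrative credential, and flags devices whose digest matches a list of well-known factory defaults or is shared by several devices of the same model, which is what a universal default looks like from the outside. The device names, model names, credentials and the SHA-256 fingerprinting are all constructed for the example; a real audit would use whatever credential fingerprint the fleet-management system exports.

```python
"""Fleet audit for ETSI EN 303 645 provision 1 ("no universal default passwords").

Added example, not text or tooling from the standard. Every value below is
constructed: the inventory records, the model names and the digests."""
import hashlib
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def credential_digest(secret: str) -> str:
    """Fingerprint a credential so the audit never handles the plaintext.

    Used here only to build the constructed inventory; a real fleet system
    would export its own fingerprint."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed list of well-known factory defaults, stored as fingerprints.
KNOWN_DEFAULT_DIGESTS: Set[str] = {
    credential_digest(p) for p in ("admin", "password", "12345", "root")
}

# Constructed inventory: (device id, model, fingerprint of current admin credential).
INVENTORY: List[Tuple[str, str, str]] = [
    ("cam-001", "CamX", credential_digest("admin")),        # factory default still set
    ("cam-002", "CamX", credential_digest("admin")),        # factory default still set
    ("cam-003", "CamX", credential_digest("kq8#Vb2!zt")),   # unique per-device credential
    ("hub-010", "HubY", credential_digest("password")),     # factory default still set
    ("hub-011", "HubY", credential_digest("Gz7$plm9Qw")),   # same credential on three hubs:
    ("hub-012", "HubY", credential_digest("Gz7$plm9Qw")),   #   looks like an undocumented
    ("hub-013", "HubY", credential_digest("Gz7$plm9Qw")),   #   universal default
]


def audit_default_passwords(inventory: Iterable[Tuple[str, str, str]],
                            known_defaults: Set[str],
                            share_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (device id, finding) pairs for devices violating provision 1.

    Two signals: the credential matches a known factory default, or the same
    credential is reused on at least `share_threshold` devices of one model."""
    inventory = list(inventory)
    per_model: Dict[str, Counter] = defaultdict(Counter)
    for _, model, digest in inventory:
        per_model[model][digest] += 1

    findings = []
    for device, model, digest in inventory:
        if digest in known_defaults:
            findings.append((device, "credential matches a known factory default"))
        elif per_model[model][digest] >= share_threshold:
            findings.append((device, f"credential shared by {per_model[model][digest]} "
                                     f"devices of model {model}"))
    return findings


if __name__ == "__main__":
    for device, finding in audit_default_passwords(INVENTORY, KNOWN_DEFAULT_DIGESTS):
        print(f"{device}: {finding}")
```

The second signal matters because a manufacturer's default is rarely on a public list the day a product ships; identical credentials across many units of one model are the observable symptom, and the threshold keeps a pair of devices cloned by one installer from being reported as a fleet-wide default.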

National Standards

The subsections below detail national standards and frameworks related to cybersecurity.

NERC

An initial set of information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards). NERC subsequently evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, a modification and update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP = Critical Infrastructure Protection). These standards secure bulk electric systems, although NERC has created standards in other areas. The bulk electric system standards also provide for network security administration while supporting best-practice industry processes.

NIST

Main category: National Institute of Standards and Technology
  1. The NIST Cybersecurity Framework (NIST CSF) "provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
  2. Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of security controls and ways to implement them. Initially, this document was aimed at the federal government, although most practices in this document can also be applied to the private sector. Specifically, it was written for those in the federal government responsible for handling sensitive systems.
  3. Special publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security and how to develop a new security practice. Eight principles and fourteen practices are described within this document.
  4. Special publication 800-26 provides advice on how to manage IT security; it has been superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self-assessments as well as risk assessments.
  5. Special publication 800-37, updated in 2010, provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems"
  6. Special publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", published April 2013, updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
  7. Special publication 800-63-3, "Digital Identity Guidelines", published June 2017 and updated as of December 1, 2017, provides guidelines for implementing digital identity services, including identity proofing, registration, and authentication of users.
  8. Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber-attacks while considering the performance, reliability, and safety requirements specific to ICS.

FIPS 140

Main article: FIPS 140

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptographic modules. Both FIPS 140-2 and FIPS 140-3 are accepted as current and active.

NCSC Cyber Essentials

Main article: Cyber Essentials

Cyber Essentials is a United Kingdom government information assurance scheme operated by the National Cyber Security Centre (NCSC). It encourages organizations to adopt good practices in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.

Essential Eight

The Australian Cyber Security Centre has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is called the Essential Eight.

BSI IT-Grundschutz

The Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) standards are an elementary component of the IT baseline protection (German: IT-Grundschutz) methodology. They contain recommendations on methods, processes, procedures, approaches, and measures for various aspects of information security. Users from public authorities, companies, manufacturers, or service providers can use the BSI standards to make their business processes and data more secure.

  • BSI Standard 100-4 covers Business Continuity Management (BCM).
  • BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO 27001 and considers recommendations of other ISO standards, such as ISO 27002.
  • BSI Standard 200-2 forms the basis of BSI's methodology for establishing a sound information security management system (ISMS). It establishes three procedures for implementing IT baseline protection.
  • BSI Standard 200-3 bundles all risk-related steps in implementing IT baseline protection.

Industry-specific Standards

The subsections below detail cybersecurity standards and frameworks related to specific industries.

PCI DSS

Main article: Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
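The controls PCI DSS places around cardholder data include keeping primary account numbers (PANs) out of places they do not belong, such as application logs, and the standard has historically limited displayed PANs to at most the first six and last four digits. As an added example (not from the standard or the original article), the following Python code scans constructed log lines for PAN-shaped digit runs, uses the Luhn check digit to avoid masking ordinary identifiers that merely look card-shaped, and masks everything but the first six and last four digits. The log lines are constructed; 4111111111111111 and 5500 0000 0000 0004 are widely published test numbers, not real accounts.

```python
"""Detect and mask primary account numbers (PANs) in log text.

Added example, not part of PCI DSS or the article. The log lines are
constructed; the card numbers are widely published test numbers."""
import re
from typing import List, Tuple

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# bounded so that a longer digit run is never partially matched.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the display masking PCI DSS has traditionally allowed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Return the text with Luhn-valid PAN candidates masked, plus how many were masked."""
    count = 0

    def replace(match: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. an order id that merely looks card-shaped
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, text), count


# Constructed log lines: one valid PAN without separators, one with spaces, and a
# 16-digit order id that fails the Luhn check and must be left alone.
LOG_LINES = [
    "2024-11-28T14:31:00Z INFO checkout order=1234567890123456 pan=4111111111111111 amount=42.00",
    "2024-11-28T14:31:02Z WARN retry card='5500 0000 0000 0004' reason=timeout",
    "2024-11-28T14:31:05Z INFO health ok",
]


def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact every line; return the cleaned lines and the total number of PANs masked."""
    cleaned, total = [], 0
    for line in lines:
        text, n = redact_pans(line)
        cleaned.append(text)
        total += n
    return cleaned, total


if __name__ == "__main__":
    out, n = redact_log(LOG_LINES)
    print("\n".join(out))
    print(f"{n} PAN(s) masked")
```

The Luhn check is what keeps the filter usable in practice: the 16-digit order id in the first constructed line fails it and survives untouched, while both test card numbers are masked to `411111******1111` and `550000******0004`. A filter like this belongs at the point where logs are written, since PCI DSS scope follows the data wherever it is stored.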

UL 2900

UL 2900 is a series of standards published by UL. The standards include general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical products (UL 2900-2-1), industrial systems (UL 2900-2-2), and security and life safety signalling systems (UL 2900-2-3).

UL 2900 requires manufacturers to describe and document the attack surface of the technologies used in their products. It requires threat modeling based on the intended use and deployment environment. The standard requires effective security measures that protect sensitive (personal) data and other assets, such as command and control data. It also requires that security vulnerabilities in the software have been eliminated, security principles, such as defense-in-depth have been followed, and the security of the software has been verified through penetration testing.

Organisations producing Standards

The International Organization for Standardization (ISO) is an international standards organization organized as a consortium of national standards institutions from 167 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world's largest developer of international standards. The International Electrotechnical Commission (IEC) is an international standards organization that deals with electrotechnology and cooperates closely with ISO. ISO/IEC 15443: "Information technology – Security techniques – A framework for IT security assurance", ISO/IEC 27002: "Information technology – Security techniques – Code of practice for information security management", ISO/IEC 20000: "Information technology – Service management", and ISO/IEC 27001: "Information technology – Security techniques – Information security management systems – Requirements" are of particular interest to information security professionals.

The US National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. The NIST Computer Security Division develops standards, metrics, tests, and validation programs, and it publishes standards and guidelines to increase secure IT planning, implementation, management, and operation. NIST is also the custodian of the U.S. Federal Information Processing Standard publications (FIPS).

The Internet Society is a professional membership society with over 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). The ISOC hosts the Requests for Comments (RFCs), including the Official Internet Protocol Standards and the RFC-2196 Site Security Handbook.

The Institute of Information Security Professionals (IISP) is an independent, non-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and, thereby, the industry's professionalism. The institute developed the IISP Skills Framework. This framework describes the range of competencies that information security and information assurance professionals are expected to have in order to perform their roles effectively. It was developed through collaboration between private and public sector organizations, world-renowned academics, and security leaders.

The German Federal Office for Information Security (in German Bundesamt für Sicherheit in der Informationstechnik, BSI) publishes the BSI-Standards 100-1 to 100-4, a set of recommendations including "methods, processes, procedures, approaches, and measures relating to information security". BSI-Standard 100-2, IT-Grundschutz Methodology, describes how information security management can be implemented and operated. The standard includes a specific guide, the IT Baseline Protection Catalogs (IT-Grundschutz Catalogs). Before 2005, the catalogs were known as the "IT Baseline Protection Manual". The Catalogs are documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013, the collection encompassed over 4,400 pages, including the introduction and catalogs. The IT-Grundschutz approach is aligned with the ISO/IEC 2700x family.

The European Telecommunications Standards Institute standardized a catalog of information security indicators headed by the Industrial Specification Group (ISG) ISI.

Notes

  1. "Guidelines for Smart Grid Cyber Security" (PDF). National Institute of Standards and Technology. September 2014. doi:10.6028/NIST.IR.7628r1. Retrieved 28 November 2023.
  2. "ITU-T Recommendation database".
  3. "FSI - Consortium for Research on Information Security and Policy".
  4. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". 30 March 2016. Retrieved 2016-08-02.
  5. Ghappour, Ahmed (2017-01-01). "Tallinn, Hacking, and Customary International Law". AJIL Unbound. 111: 224–228. doi:10.1017/aju.2017.59.
  6. Ghappour, Ahmed (2017-04-01). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4): 1075.
  7. Ghappour, Ahmed (2017). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4).
  8. "Information Security Standards". Genorma.com. Genorma, CEN and CENELEC standards.
  9. ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
  10. "UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles | UNECE". unece.org.
  11. ETSI announcement
  12. ETSI EN 303 645 V2.1.0
  13. "ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements" (PDF). ETSI.
  14. Symantec Control Compliance Suite – NERC and FERC Regulation Archived 2016-10-22 at the Wayback Machine Subsection: History of NERC Standards
  15. "NIST Cybersecurity Framework". NIST. 12 November 2013. Retrieved 2016-08-02.
  16. "Essential Eight Maturity Model". Australian Cyber Security Centre. Retrieved 29 September 2022. Text was copied from this source, which is available under a Creative Commons Attribution 4.0 International License.
  17. "BSI - IT-Grundschutz". BSI (in German). Archived from the original on 2013-09-30. Retrieved 2021-03-26.
  18. "IISP Skills Framework". Archived from the original on 2014-03-15. Retrieved 2014-04-27.
  19. "BSI-Standards". BSI. Archived from the original on 3 December 2013. Retrieved 29 November 2013.

References

  1. Department of Homeland Security. A Comparison of Cyber Security Standards Developed by the Oil and Gas Segment. (November 5, 2004)
  2. Guttman, M.; Swanson, M.; National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce. Generally Accepted Principles and Practices for Securing Information Technology Systems (SP 800-14). (September 1996)
  3. National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce. An Introduction to Computer Security: The NIST Handbook (SP 800-12).
  4. Swanson, M.; National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce. Security Self-Assessment Guide for Information Technology Systems (SP 800-26).
  5. Grassi, P.; Garcia, M.; Fenton, J.; National Institute of Standards and Technology; U.S. Department of Commerce. Digital Identity Guidelines (SP 800-63-3).
  6. Stouffer, K.; Pillitteri, V.; Lightman, S.; Abrams, M.; Hahn, A.; National Institute of Standards and Technology; U.S. Department of Commerce. Guide to Industrial Control Systems (ICS) Security (SP 800-82).
  7. The North American Electric Reliability Council (NERC). http://www.nerc.com. Retrieved November 12, 2005.
  8. Federal Financial Institutions Examination Council (FFIEC). https://www.ffiec.gov. Retrieved April 18, 2018.
