Information security standards: Difference between revisions

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.
Previous revision: 04:22, 12 December 2005, by Mwp2x (talk | contribs), 24 edits; section edited: See Also.
Latest revision: 16:48, 3 January 2025, by Aadirulez8 (talk | contribs), extended confirmed user, 45,137 edits; minor edit, summary: v2.05 - Autofix / Fix errors for CW project (Link equal to linktext); Tag: WPCleaner.
(555 intermediate revisions by more than 100 users not shown)
{{Short description|Technology standards and techniques}}
'''Information security standards''' (also '''cyber security standards'''<ref name=NIST>{{cite web| url=https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf| title=Guidelines for Smart Grid Cyber Security |publisher=National Institute of Standards and Technology | date=September 2014 |doi=10.6028/NIST.IR.7628r1 |accessdate=28 November 2023}}</ref>) are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment.<ref>{{Cite web|url=http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=9136|title = ITU-T Recommendation database}}</ref> This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The principal objective is to reduce the risks, including preventing or mitigating cyber-attacks. These published materials comprise tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.


==History==
Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices – generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.<ref>{{Cite web|url=http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy|title = FSI - Consortium for Research on Information Security and Policy}}</ref>

A 2016 US security framework adoption study reported that 70% of the surveyed organizations use the NIST Cybersecurity Framework as the most popular best practice for information technology (IT) computer security, but many note that it requires significant investment.<ref>{{Cite web|url=http://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901|title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds|date=30 March 2016|access-date=2016-08-02}}</ref> Cross-border, cyber-exfiltration operations by law enforcement agencies to counter international criminal activities on the dark web raise complex jurisdictional questions that remain, to some extent, unanswered.<ref name=":0">{{Cite journal|last=Ghappour|first=Ahmed|date=2017-01-01|title=Tallinn, Hacking, and Customary International Law|url=https://scholarship.law.bu.edu/faculty_scholarship/206|journal=AJIL Unbound|volume=111|pages=224–228|doi=10.1017/aju.2017.59|doi-access=free}}</ref><ref>{{Cite journal|last=Ghappour|first=Ahmed|date=2017-04-01|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|volume=69|issue=4|pages=1075}}</ref> Tensions between domestic law enforcement efforts to conduct cross-border cyber-exfiltration operations and international jurisdiction will likely continue to provide improved cybersecurity norms.<ref name=":0" /><ref>{{Cite journal|last=Ghappour, Ahmed|date=2017|title=Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web|url=https://scholarship.law.bu.edu/faculty_scholarship/204|journal=Stanford Law Review|language=en|volume=69|issue=4}}</ref>

== International Standards ==
The subsections below detail international standards related to cybersecurity.

=== ISO/IEC 27000 Family of Standards ===
{{Main|ISO/IEC 27001}}
The ISO/IEC 27000 series is a family of international standards jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These standards provide a globally recognized framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The series is designed to help organizations of all sizes and industries protect their information assets systematically and cost-effectively.

At the center of the ISO/IEC 27000 series is '''ISO/IEC 27001''', which specifies the requirements for establishing and maintaining an ISMS.<ref>{{Cite web |title=ISO/IEC 27001:2022 |url=https://webstore.iec.ch/en/publication/79694 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref> The standard emphasizes a risk-based approach to managing information security, encouraging organizations to identify, assess, and mitigate risks specific to their operational environment. The ISO/IEC 27000 series is built upon the Plan-Do-Check-Act (PDCA) cycle, a methodology aimed at continuous improvement.

While ISO/IEC 27001 sets the baseline for ISMS requirements, other standards in the series provide complementary guidelines and sector-specific recommendations. Together, they form a comprehensive ecosystem that addresses everything from risk assessment and incident management to privacy controls and cloud security.

Supporting ISO/IEC 27001 is '''ISO/IEC 27002''', which serves as a practical guide for implementing the controls outlined in ISO/IEC 27001. It provides detailed recommendations and best practices for managing information security risks across different domains, including human resource security, physical security, and network security.<ref>{{Cite web |title=ISO/IEC 27002:2022 |url=https://webstore.iec.ch/en/publication/74287 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref>

For organizations focused on risk management, '''ISO/IEC 27005''' offers a dedicated framework for identifying, assessing, and treating information security risks. It complements ISO/IEC 27001 by providing a methodology specifically tailored to managing information security vulnerabilities.<ref>{{Cite web |title=ISO/IEC 27005:2022 |url=https://webstore.iec.ch/en/publication/79713 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref>

In recent years, cloud computing has introduced unique security challenges, and '''ISO/IEC 27017''' was developed to address these concerns.<ref>{{Cite web |title=ISO/IEC 27017:2015 |url=https://webstore.iec.ch/en/publication/23891 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref> This standard provides guidelines for implementing cloud-specific information security controls, ensuring secure use of cloud services by both cloud providers and customers. Alongside it, '''ISO/IEC 27018''' focuses on protecting personally identifiable information (PII) in public cloud environments, helping organizations meet privacy regulations and maintain customer trust.<ref>{{Cite web |title=ISO/IEC 27018:2019 |url=https://webstore.iec.ch/en/publication/64566 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref>

Additionally, '''ISO/IEC 27035''' addresses incident management, offering guidance on how to effectively prepare for, detect, and respond to security incidents. It emphasizes structured incident response processes to minimize potential damage and ensure timely recovery.<ref>{{Cite web |title=ISO/IEC 27035-1:2023 |url=https://webstore.iec.ch/en/publication/83157 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref>

With the rise of data privacy regulations such as the General Data Protection Regulation (GDPR), '''ISO/IEC 27701''' was introduced as an extension of ISO/IEC 27001 and ISO/IEC 27002. This standard provides guidelines for establishing and operating a Privacy Information Management System (PIMS), aligning information security management with privacy and data protection requirements.<ref>{{Cite web |title=ISO/IEC 27701:2019 |url=https://webstore.iec.ch/en/publication/65597 |access-date=2024-12-30 |website=webstore.iec.ch |language=en}}</ref>

===ISO/IEC 15408===
{{Main|Common Criteria}}
The ''Common Criteria for Information Technology Security Evaluation'' (''Common Criteria'' or ''CC'') is an international standard ('''ISO/IEC 15408''') used to assess and certify the security properties of IT products and systems. It provides a globally recognized framework for defining security requirements, implementing protective measures, and evaluating whether these measures meet specified criteria.

ISO/IEC 15408 is divided into five parts:

* Part 1: Introduction and General Model – Defines key concepts, principles, and the general evaluation framework.<ref>{{Cite web |title=ISO/IEC 15408-1:2022 |url=https://www.iso.org/standard/72891.html |access-date=2024-12-30 |website=ISO |language=en}}</ref>
* Part 2: Security Functional Components – Provides a catalog of security functional requirements (e.g., access control, encryption, and audit functions).<ref>{{Cite web |title=ISO/IEC 15408-2:2022 |url=https://www.iso.org/standard/72892.html |access-date=2024-12-30 |website=ISO |language=en}}</ref>
* Part 3: Security Assurance Components – Specifies assurance levels (EAL1–EAL7), representing the depth and rigor of security evaluations.<ref>{{Cite web |title=ISO/IEC 15408-3:2022 |url=https://www.iso.org/standard/72906.html |access-date=2024-12-30 |website=ISO |language=en}}</ref>
* Part 4: Framework for the specification of evaluation methods and activities – Details the methodology and framework for conducting security evaluations, including evaluator responsibilities and reporting requirements.<ref>{{Cite web |title=ISO/IEC 15408-4:2022 |url=https://www.iso.org/standard/72913.html |access-date=2024-12-30 |website=ISO |language=en}}</ref>
* Part 5: Pre-defined Packages of Security Requirements – Offers reusable packages of security requirements, streamlining the evaluation process for common product types.<ref>{{Cite web |title=ISO/IEC 15408-5:2022 |url=https://www.iso.org/standard/72917.html |access-date=2024-12-30 |website=ISO |language=en}}</ref>

Certification under Common Criteria is facilitated by the '''''Common Criteria Recognition Arrangement'' (''CCRA'')''', ensuring mutual recognition of certifications among participating countries. This reduces duplication of effort and cost for vendors seeking global market access.<ref>{{Cite web |title=NIAP |url=https://www.niap-ccevs.org/ccra |access-date=2024-12-30 |website=www.niap-ccevs.org}}</ref>

The EU has adopted the '''''European Cybersecurity Certification Scheme'' (''EUCC'')''', which is based on ISO/IEC 15408, to align with international standards while addressing regional requirements.<ref>{{Cite web |title=EUCC Certification Scheme - EU Cybersecurity Certification |url=https://certification.enisa.europa.eu/certification-library/eucc-certification-scheme_en |access-date=2024-12-30 |website=certification.enisa.europa.eu |language=en}}</ref>

===IEC 62443 ===
{{anchor|62443}}

{{Main|IEC 62443}}

The IEC 62443 cybersecurity standard defines processes, techniques and requirements for industrial automation and control systems (IACS). Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard.
All IEC 62443 standards and technical reports are organized into six general categories: ''General'', ''Policies and Procedures'', ''System'', ''Component'', ''Profiles'', and ''Evaluation''.

# The first category includes foundational information such as concepts, models, and terminology.
# The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
# The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. The core of this is the zone, conduit, and design model.
# The fourth category includes work products that describe the specific product development and technical requirements of control system products.
# The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
# The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.

===ISO/SAE 21434===
ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ISO and SAE International working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.

The standard is related to the European Union (EU) regulation on cyber security that is currently being developed. In coordination with the EU, the UNECE has created a Cyber Security Management System (CSMS) certification mandatory for new vehicle types. This is defined in the overarching UN Regulation No. 155; ISO/SAE 21434 is a technical standard for automotive development which can demonstrate compliance with those regulations.

A derivative of this is in the work of ''UNECE WP.29'', which provides regulations for vehicle cybersecurity and software updates.<ref>{{cite web |title=UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles {{!}} UNECE |url=https://unece.org/sustainable-development/press/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll |website=unece.org}}</ref>

===ETSI EN 303 645===
The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer Internet of Things (IoT) devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020 and is intended to complement other, more specific standards. As many consumer IoT devices handle personal data, implementing the standard helps comply with the EU's General Data Protection Regulation (GDPR).

The Cybersecurity provisions in this European standard are:
# No universal default passwords
# Implement a means to manage reports of vulnerabilities
# Keep software updated
# Securely store sensitive security parameters
# Communicate securely
# Minimize exposed attack surfaces
# Ensure software integrity
# Ensure that personal data is secure
# Make systems resilient to outages
# Examine system telemetry data
# Make it easy for users to delete user data
# Make installation and maintenance of devices easy
# Validate input data

Conformance assessment of these baseline requirements is via the standard TS 103 701, which allows self-certification or certification by another group.<ref>{{cite web |title=ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements |url=https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf |website=ETSI}}</ref>


=== EN 18031 ===
The EN 18031 series of standards, published by the European Committee for Standardization (CEN) in cooperation with the European Committee for Electrotechnical Standardization (CENELEC), outlines essential information security requirements for radio-based devices and systems. By aligning with the Radio Equipment Directive (RED) and its accompanying Delegated Act, these standards support manufacturers and stakeholders in maintaining compliance and consistency across European markets. They also establish common testing protocols, performance criteria, and security guidelines, thereby aiding cross-border interoperability and addressing evolving industry needs.


== National Standards ==
The subsections below detail national standards and frameworks related to cybersecurity.


===NERC CIP===
The ] is responsible for developing and enforcing cybersecurity standards to protect the reliability and security of the North American bulk power system, which spans the United States, Canada, and northern Baja California, Mexico.<ref>{{Cite web |title=About NERC |url=https://www.nerc.com/AboutNERC/Pages/default.aspx |access-date=2024-12-30 |website=www.nerc.com}}</ref>


Its standards focus on cybersecurity measures for critical assets, including asset identification, electronic security perimeters, personnel training, incident response, and recovery planning. The key cybersecurity standards are defined in the '''Critical Infrastructure Protection (CIP)''' series, specifically '''CIP-002 to CIP-014'''.<ref>{{Cite web |title=Reliability Standards |url=https://www.nerc.com/pa/Stand/Pages/ReliabilityStandards.aspx |access-date=2024-12-30 |website=www.nerc.com}}</ref>


Compliance with these standards is mandatory for power system operators and owners under NERC's jurisdiction, with enforcement overseen by the Federal Energy Regulatory Commission (FERC) in the United States. Non-compliance can result in significant financial penalties.


=== NIST Cybersecurity Standards ===
{{Main category|National Institute of Standards and Technology}}
The National Institute of Standards and Technology (NIST), a U.S. federal agency under the Department of Commerce, plays a central role in developing and maintaining cybersecurity standards, guidelines, and best practices. Initially created to ensure the security of federal information systems, NIST's standards have become globally influential, serving as foundational references for cybersecurity programs across industries and countries.


NIST's approach emphasizes a risk-based methodology, focusing on five core functions: Identify, Protect, Detect, Respond, and Recover. These principles form the backbone of many of its guidelines and frameworks, enabling organizations to assess and manage cybersecurity risks effectively. While federal agencies are mandated to comply with NIST standards, private organizations across finance, healthcare, manufacturing, and other sectors often adopt them voluntarily due to their clarity, flexibility, and comprehensiveness.


==== The NIST Cybersecurity Framework (CSF) ====
{{Main article|NIST Cybersecurity Framework}}
One of NIST's most influential contributions is the '''NIST Cybersecurity Framework (CSF)''', first published in 2014 and updated in 2024 (CSF 2.0). Developed in response to growing cyber threats and the need for standardized practices, the CSF provides a risk-based approach to managing cybersecurity risks. It is structured around five core functions: '''Identify, Protect, Detect, Respond, and Recover''', each representing a critical phase in cybersecurity risk management.<ref>{{Cite journal |date=2013-11-12 |title=Cybersecurity Framework |url=https://www.nist.gov/cyberframework |journal=NIST |language=en}}</ref>


The CSF serves as a universal guide, designed to be adaptable across organizations of all sizes and sectors. Its adoption extends far beyond U.S. federal agencies, with companies worldwide leveraging the framework to improve their cybersecurity resilience.


==== Special Publications (SP) ====
NIST publishes a series of '''Special Publications (SP)''', which provide technical guidelines for specific aspects of cybersecurity. Among the most significant is '''SP 800-53''', titled "Security and Privacy Controls for Federal Information Systems and Organizations."<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final |title=Security and Privacy Controls for Information Systems and Organizations |last=Force |first=Joint Task |date=2020-12-10 |publisher=National Institute of Standards and Technology |issue=NIST Special Publication (SP) 800-53 Rev. 5 |language=en}}</ref> This publication outlines a comprehensive set of controls addressing areas such as access control, incident response, system integrity, and encryption. It serves as the cornerstone for securing federal information systems and is often referenced in audits and compliance assessments.


Another critical standard is '''SP 800-171''', which focuses on protecting Controlled Unclassified Information (CUI) in non-federal systems. It provides detailed requirements for organizations handling sensitive federal information, such as defense contractors and private sector partners. Compliance with SP 800-171 is often a prerequisite for participating in federal contracts.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/171/r3/final |title=Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |last=Ross |first=Ron |last2=Pillitteri |first2=Victoria |date=2024-05-14 |publisher=National Institute of Standards and Technology |issue=NIST Special Publication (SP) 800-171 Rev. 3 |language=en}}</ref>


For the secure development of software, NIST introduced '''SP 800-218''', known as the "Secure Software Development Framework (SSDF)." This document emphasizes integrating security throughout all stages of the software development lifecycle, from design to deployment and maintenance.<ref>{{Cite web |title=NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities |url=https://csrc.nist.gov/pubs/sp/800/218/final}}</ref>


Recognizing the unique challenges posed by industrial control systems, NIST published '''SP 800-82''', titled ''"Guide to Industrial Control Systems (ICS) Security."'' This guideline addresses the security of critical infrastructure systems, including SCADA systems, programmable logic controllers (PLCs), and other operational technology (OT) components.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/82/r3/final |title=Guide to Operational Technology (OT) Security |last=Stouffer |first=Keith |last2=Pease |first2=Michael |last3=Tang |first3=CheeYee |last4=Zimmerman |first4=Timothy |last5=Pillitteri |first5=Victoria |last6=Lightman |first6=Suzanne |last7=Hahn |first7=Adam |last8=Saravia |first8=Stephanie |last9=Sherule |first9=Aslam |date=2023-09-28 |publisher=National Institute of Standards and Technology |issue=NIST Special Publication (SP) 800-82 Rev. 3 |language=en}}</ref>


==== Federal Information Processing Standards (FIPS) ====
{{Main|FIPS 140}}
In addition to Special Publications, NIST develops '''Federal Information Processing Standards (FIPS)'''. These standards are legally binding for U.S. federal agencies and cover critical areas such as cryptography and secure data handling. For example, FIPS 140, ''"Security Requirements for Cryptographic Modules,"'' specifies security requirements for cryptographic systems and is widely adopted by both government and private sector organizations requiring robust encryption capabilities.


FIPS standards are not limited to federal use; they are frequently referenced in international compliance frameworks and form the basis for many commercial security products.


=== NCSC Cyber Essentials ===
{{Main|Cyber Essentials}}
Cyber Essentials is a United Kingdom government information assurance scheme operated by the National Cyber Security Centre (NCSC). It encourages organizations to adopt good practices in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.


=== Essential Eight ===
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is called the Essential Eight.<ref>{{cite web |title=Essential Eight Maturity Model |url=https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model |publisher=Australian Cyber Security Centre |access-date=29 September 2022}} Text was copied from this source, which is available under a Creative Commons Attribution 4.0 International License.</ref>


===BSI IT-Grundschutz===
The Federal Office for Information Security ({{langx|de|Bundesamt für Sicherheit in der Informationstechnik}}, abbreviated as BSI) standards are an elementary component of the IT baseline protection ({{langx|de|IT-Grundschutz}}) methodology. They contain recommendations on methods, processes, procedures, approaches, and measures for various aspects of information security. Users from public authorities, companies, manufacturers, or service providers can use the BSI standards to make their business processes and data more secure.<ref>{{cite web | title=BSI - IT-Grundschutz | website=BSI | url=https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html | language=de | access-date=2021-03-26 | archive-date=2013-09-30 | archive-url=https://web.archive.org/web/20130930163735/https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html | url-status=dead }}</ref>
* BSI Standard 100-4 covers business continuity management.
* BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO 27001 and considers recommendations of other ISO standards, such as ISO 27002.
* BSI Standard 200-2 forms the basis of BSI's methodology for establishing a sound information security management system (ISMS). It establishes three procedures for implementing IT baseline protection.
* BSI Standard 200-3 bundles all risk-related steps in implementing IT baseline protection.


== Industry-specific Standards ==
The subsections below detail cybersecurity standards and frameworks related to specific industries.


=== PCI DSS ===
{{Main|Payment Card Industry Data Security Standard}}
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.


=== UL 2900 ===
UL 2900 is a series of standards published by ]. The standards include general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical products (UL 2900-2-1), industrial systems (UL 2900-2-2), and security and life safety signalling systems (UL 2900-2-3).


UL 2900 requires manufacturers to describe and document the attack surface of the technologies used in their products. It requires threat modeling based on the intended use and deployment environment. The standard requires effective security measures that protect sensitive (personal) data and other assets, such as command and control data. It also requires that security vulnerabilities in the software have been eliminated, security principles, such as defense-in-depth have been followed, and the security of the software has been verified through penetration testing.


== Organisations producing Standards ==
The ] (ISO) is an international standards organization organized as a consortium of national standards institutions from 167 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world's largest developer of international standards. The ] (IEC) is an international standards organization that deals with electrotechnology and cooperates closely with ISO. ISO/IEC 15443: "Information technology – Security techniques – A framework for IT security assurance", ]: "Information technology – Security techniques – Code of practice for information security management", ]: "Information technology – Service management", and ]: "Information technology – Security techniques – Information security management systems – Requirements" are of particular interest to information security professionals.


The US ] (NIST) is a non-regulatory federal agency within the ]. The NIST Computer Security Division develops standards, metrics, tests, and validation programs, and it publishes standards and guidelines to increase secure IT planning, implementation, management, and operation. NIST is also the custodian of the U.S. ] publications (FIPS).


] is a professional membership society with over 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the ] (IETF) and the ] (IAB). The ISOC hosts the Requests for Comments (RFCs), including the Official Internet Protocol Standards and the RFC-2196 ].


The German ] (in German ''Bundesamt für Sicherheit in der Informationstechnik (BSI)'') BSI-Standards 100–1 to 100-4 are a set of recommendations including "methods, processes, procedures, approaches, and measures relating to information security".<ref>{{cite web |title=BSI-Standards |url=https://www.bsi.bund.de/EN/Publications/BSIStandards/BSIStandards_node.html;jsessionid=8FB8A442EDCF66AECC34651426C22D11.2_cid359 |url-status=dead |archive-url=https://web.archive.org/web/20131203010908/https://www.bsi.bund.de/EN/Publications/BSIStandards/BSIStandards_node.html;jsessionid=8FB8A442EDCF66AECC34651426C22D11.2_cid359 |archive-date=3 December 2013 |access-date=29 November 2013 |publisher=BSI}}</ref> BSI-Standards 100-1 to 100-3 were superseded by the 200-series (200-1 to 200-3) in 2017. The BSI-Standard 100-2 ''IT-Grundschutz Methodology'' describes how information security management can be implemented and operated. The standard includes a specific guide, the IT Baseline Protection Catalogs (IT-Grundschutz Catalogs). Before 2005, the catalogs were known as the "] Manual"; in 2017 they were replaced by the modular IT-Grundschutz-Kompendium. The Catalogs are documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013, the collection encompassed over 4,400 pages with the introduction and catalogs. The IT-Grundschutz approach is aligned with the ISO/IEC 2700x family.


The ] standardized a catalog of ] developed by its Industry Specification Group (ISG) ISI.


==See also==
* ]
* ]
* ]
* ]
* ]
* ]
* ] for cyber security investments


== References ==
{{reflist}}


==External links==
*
*
*
*
*
*
*


{{Information security}}
{{DEFAULTSORT:Cybersecurity Standards}}
]
]
]

Latest revision as of 16:48, 3 January 2025

Technology standards and techniques

Information security standards (also cyber security standards) are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The principal objective is to reduce the risks, including preventing or mitigating cyber-attacks. These published materials comprise tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.

History

Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices – generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.

A 2016 US security framework adoption study reported that 70% of the surveyed organizations use the NIST Cybersecurity Framework as the most popular best practice for Information Technology (IT) computer security, but many note that it requires significant investment. Cross-border cyber-exfiltration operations by law enforcement agencies to counter international criminal activity on the dark web raise complex jurisdictional questions that remain, to some extent, unanswered. Tensions between domestic law enforcement efforts to conduct such operations and the limits of international jurisdiction will likely continue to shape cybersecurity norms.

International Standards

The subsections below detail international standards related to cybersecurity.

ISO/IEC 27000 Family of Standards

Main article: ISO/IEC 27001

The ISO/IEC 27000 series is a family of international standards jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These standards provide a globally recognized framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The series is designed to help organizations of all sizes and industries protect their information assets systematically and cost-effectively.

At the center of the ISO/IEC 27000 series is ISO/IEC 27001, which specifies the requirements for establishing and maintaining an ISMS. The standard emphasizes a risk-based approach to managing information security, requiring organizations to identify, assess, and treat risks specific to their operational environment. The 2005 edition of ISO/IEC 27001 was explicitly structured around the Plan-Do-Check-Act (PDCA) cycle; the 2013 and 2022 editions follow the harmonized structure shared by ISO management-system standards and keep the requirement for continual improvement without mandating PDCA as the model.

While ISO/IEC 27001 sets the baseline for ISMS requirements, other standards in the series provide complementary guidelines and sector-specific recommendations. Together, they form a comprehensive ecosystem that addresses everything from risk assessment and incident management to privacy controls and cloud security.

Supporting ISO/IEC 27001 is ISO/IEC 27002, which serves as a practical guide for implementing the controls outlined in ISO/IEC 27001. It provides detailed recommendations and best practices for managing information security risks across different domains, including human resource security, physical security, and network security.

For organizations focused on risk management, ISO/IEC 27005 offers a dedicated framework for identifying, assessing, and treating information security risks. It complements ISO/IEC 27001, which requires that risk assessment and risk treatment be performed but does not prescribe a method, by providing a methodology specifically tailored to information security risk management.

In recent years, cloud computing has introduced unique security challenges, and ISO/IEC 27017 was developed to address these concerns. This standard provides guidelines for implementing cloud-specific information security controls, ensuring secure use of cloud services by both cloud providers and customers. Alongside it, ISO/IEC 27018 focuses on protecting personally identifiable information (PII) in public cloud environments, helping organizations meet privacy regulations and maintain customer trust.

Additionally, ISO/IEC 27035 addresses incident management, offering guidance on how to effectively prepare for, detect, and respond to security incidents. It emphasizes structured incident response processes to minimize potential damage and ensure timely recovery.

With the rise of data privacy regulations such as the General Data Protection Regulation (GDPR), ISO/IEC 27701 was introduced as an extension of ISO/IEC 27001 and ISO/IEC 27002. This standard provides guidelines for establishing and operating a Privacy Information Management System (PIMS), aligning information security management with privacy and data protection requirements.

ISO/IEC 15408

Main article: Common Criteria

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) used to assess and certify the security properties of IT products and systems. It provides a globally recognized framework for defining security requirements, implementing protective measures, and evaluating whether these measures meet specified criteria.

ISO/IEC 15408 is divided into five parts:

  • Part 1: Introduction and General Model – Defines key concepts, principles, and the general evaluation framework.
  • Part 2: Security Functional Components – Provides a catalog of security functional requirements (e.g., access control, encryption, and audit functions).
  • Part 3: Security Assurance Components – Specifies assurance levels (EAL1–EAL7), representing the depth and rigor of security evaluations.
  • Part 4: Framework for the specification of evaluation methods and activities – Details the methodology and framework for conducting security evaluations, including evaluator responsibilities and reporting requirements.
  • Part 5: Pre-defined Packages of Security Requirements – Offers reusable packages of security requirements, streamlining the evaluation process for common product types.

Certification under Common Criteria is facilitated by the Common Criteria Recognition Arrangement (CCRA), under which participating countries recognize each other's certificates. Recognition is not unlimited: it covers certificates based on collaborative Protection Profiles (cPPs) and otherwise evaluations up to EAL2 (augmented with ALC_FLR flaw remediation); higher assurance levels are recognized only under narrower regional arrangements such as the European SOG-IS agreement. Within those limits the arrangement reduces duplication of effort and cost for vendors seeking global market access.

The EU has adopted the European Cybersecurity Certification Scheme (EUCC), which is based on ISO/IEC 15408, to align with international standards while addressing regional requirements.

IEC 62443

Main article: IEC 62443

The IEC 62443 cybersecurity standard defines processes, techniques and requirements for Industrial Automation and Control Systems (IACS). Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard. All IEC 62443 standards and technical reports are organized into six general categories: General, Policies and Procedures, System, Component, Profiles, and Evaluation.

  1. The first category includes foundational information such as concepts, models, and terminology.
  2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. The core of this is the zone and conduit model (IEC 62443-3-2): the system under consideration is partitioned into zones of assets that share common security requirements, every communication path between zones is modelled as a conduit, and a target security level (SL-T) is assigned to each zone and conduit based on a risk assessment.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products.
  5. The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
  6. The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.
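To make the zone and conduit model concrete, the following Python script is an added example (not code from IEC 62443 or from this article): it declares three zones with target security levels, two conduits with permitted protocol/port pairs, and audits constructed flow records against them. The zone names, SL-T values, IP addresses, permitted ports and the flow record format are all assumptions made here for illustration.

```python
"""Audit network flows against a zone-and-conduit model (IEC 62443-3-2 style).

Added illustration, not code from the standard or the article. Zone names,
SL-T values, addresses, permitted ports and the record format are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int                 # SL-T, 0..4 in IEC 62443 terms
    assets: FrozenSet[str]         # hosts (IPs here) that belong to the zone


@dataclass(frozen=True)
class Conduit:
    src: str                                  # source zone name
    dst: str                                  # destination zone name
    allowed: FrozenSet[Tuple[str, int]]       # (protocol, port) pairs permitted


class ZoneModel:
    def __init__(self, zones: List[Zone], conduits: List[Conduit]) -> None:
        self.zones: Dict[str, Zone] = {z.name: z for z in zones}
        self.asset_zone: Dict[str, str] = {a: z.name for z in zones for a in z.assets}
        self.conduits: Dict[Tuple[str, str], Conduit] = {(c.src, c.dst): c for c in conduits}

    def check_flow(self, src: str, dst: str, proto: str, port: int) -> Tuple[bool, str]:
        """A flow is acceptable only if it stays inside one zone or crosses a
        defined conduit that permits this protocol/port."""
        sz, dz = self.asset_zone.get(src), self.asset_zone.get(dst)
        if sz is None or dz is None:
            return False, "unassigned asset"
        if sz == dz:
            return True, "intra-zone"
        conduit = self.conduits.get((sz, dz))
        if conduit is None:
            return False, f"no conduit {sz}->{dz}"
        if (proto, port) not in conduit.allowed:
            return False, f"{proto}/{port} not permitted on conduit {sz}->{dz}"
        return True, f"conduit {sz}->{dz}"

    def conduits_into_higher_sl(self) -> List[str]:
        """Conduits whose source zone has a lower SL-T than the destination.
        Heuristic of this example (not a rule of the standard): these crossings
        are where the higher zone's SL-T depends on the conduit's own controls."""
        return [f"{c.src}->{c.dst}" for c in self.conduits.values()
                if self.zones[c.src].sl_target < self.zones[c.dst].sl_target]


# Constructed record format: "<timestamp> <src> -> <dst> <proto>/<port>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+([a-z]+)/(\d+)$")


def parse_flow(line: str) -> Tuple[str, str, str, int]:
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    _, src, dst, proto, port = m.groups()
    return src, dst, proto, int(port)


def audit(model: ZoneModel, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) for every flow the model does not allow."""
    findings = []
    for line in lines:
        src, dst, proto, port = parse_flow(line)
        ok, reason = model.check_flow(src, dst, proto, port)
        if not ok:
            findings.append((line.strip(), reason))
    return findings


# Constructed example: a three-zone plant with two conduits.
MODEL = ZoneModel(
    zones=[
        Zone("enterprise", 1, frozenset({"10.0.0.10"})),
        Zone("dmz", 2, frozenset({"10.1.0.5"})),                  # e.g. a historian
        Zone("control", 3, frozenset({"10.2.0.7", "10.2.0.8"})),  # e.g. PLCs
    ],
    conduits=[
        Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),
        Conduit("dmz", "control", frozenset({("tcp", 502)})),
    ],
)

SAMPLE_FLOWS = [  # constructed records, not captured traffic
    "2024-05-01T10:00:00Z 10.0.0.10 -> 10.1.0.5 tcp/443",
    "2024-05-01T10:00:01Z 10.0.0.10 -> 10.2.0.7 tcp/502",
    "2024-05-01T10:00:02Z 10.1.0.5 -> 10.2.0.7 tcp/502",
    "2024-05-01T10:00:03Z 10.1.0.5 -> 10.2.0.8 tcp/22",
    "2024-05-01T10:00:04Z 10.2.0.7 -> 10.2.0.8 tcp/44818",
    "2024-05-01T10:00:05Z 192.168.9.9 -> 10.2.0.7 udp/161",
]

if __name__ == "__main__":
    for record, reason in audit(MODEL, SAMPLE_FLOWS):
        print(f"VIOLATION ({reason}): {record}")
    print("conduits into higher SL-T zones:", MODEL.conduits_into_higher_sl())
```

Run as a script it reports three violations (a direct enterprise-to-control connection that bypasses the DMZ, SSH on a conduit that only permits Modbus/TCP, and traffic from a host that belongs to no zone) and lists both conduits as crossings into a zone with a higher SL-T. In practice the flow records would come from firewall or NetFlow exports and the zone definitions from the asset inventory; the value of the exercise is that any flow the model cannot explain is either an undocumented conduit or an intrusion.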

ISO/SAE 21434

ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ISO and SAE working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.

The standard is closely related to UN Regulation No. 155, developed by the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29), which requires manufacturers to operate a certified Cyber Security Management System (CSMS) as a condition of vehicle type approval. In the EU the regulation applies to new vehicle types from July 2022 and to all newly produced vehicles from July 2024. ISO/SAE 21434 is the technical standard for automotive development against which compliance with the CSMS requirements is typically demonstrated.

The companion UN Regulation No. 156, also produced by WP.29, covers software update management systems (SUMS), including over-the-air updates.

ETSI EN 303 645

The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer Internet of Things (IoT) devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020 and is intended to complement other, more specific standards. As many consumer IoT devices handle personally identifiable information (PII), implementing the standard also supports compliance with the EU's General Data Protection Regulation (GDPR).

The Cybersecurity provisions in this European standard are:

  1. No universal default passwords
  2. Implement a means to manage reports of vulnerabilities
  3. Keep software updated
  4. Securely store sensitive security parameters
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is secure
  9. Make systems resilient to outages
  10. Examine system telemetry data
  11. Make it easy for users to delete user data
  12. Make installation and maintenance of devices easy
  13. Validate input data

Conformance assessment against these baseline requirements is specified in ETSI TS 103 701, which can be applied as a self-assessment by the manufacturer or as an assessment by a third party.

EN 18031

The EN 18031 series of standards, developed by the European Committee for Standardization (CEN) together with the European Committee for Electrotechnical Standardization (CENELEC), specifies information security requirements for internet-connected radio equipment. The series supports the cybersecurity essential requirements of the Radio Equipment Directive (2014/53/EU) as activated by Delegated Regulation (EU) 2022/30, which applies from 1 August 2025: EN 18031-1 addresses protection of the network, EN 18031-2 the protection of personal data and privacy, and EN 18031-3 protection from fraud. By providing a harmonized route to presumption of conformity, the standards support manufacturers and stakeholders in maintaining compliance and consistency across European markets. They also establish common testing protocols, performance criteria, and security guidelines, thereby aiding cross-border interoperability and addressing evolving industry needs.

National Standards

The subsections below detail national standards and frameworks related to cybersecurity.

NERC CIP

The North American Electric Reliability Corporation (NERC) is responsible for developing and enforcing cybersecurity standards to protect the reliability and security of the North American bulk power system, which spans the United States, Canada, and northern Baja California, Mexico.

Its standards focus on cybersecurity measures for critical assets, including asset identification, electronic security perimeters, personnel training, incident response, and recovery planning. The key cybersecurity standards are defined in the Critical Infrastructure Protection (CIP) series, specifically CIP-002 to CIP-014.

Compliance with these standards is mandatory for power system operators and owners under NERC’s jurisdiction, with enforcement overseen by the Federal Energy Regulatory Commission (FERC) in the United States. Non-compliance can result in significant financial penalties.

NIST Cybersecurity Standards

Main category: National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST), a U.S. federal agency under the Department of Commerce, plays a central role in developing and maintaining cybersecurity standards, guidelines, and best practices. Initially created to ensure the security of federal information systems, NIST's standards have become globally influential, serving as foundational references for cybersecurity programs across industries and countries.

NIST's approach emphasizes a risk-based methodology, organized around the core functions of its Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover, joined by Govern in CSF 2.0). These principles form the backbone of many of its guidelines and frameworks, enabling organizations to assess and manage cybersecurity risks effectively. While federal agencies are required under FISMA to follow NIST standards and guidelines, private organizations across finance, healthcare, manufacturing, and other sectors often adopt them voluntarily due to their clarity, flexibility, and comprehensiveness.

The NIST Cybersecurity Framework (CSF)

Main article: NIST Cybersecurity Framework

One of NIST's most influential contributions is the Cybersecurity Framework (CSF), first published in 2014 and updated in 2024 (CSF 2.0). Developed in response to growing cyber threats and the need for standardized practices, the CSF provides a risk-based approach to managing cybersecurity risks. It was originally structured around five core functions: Identify, Protect, Detect, Respond, and Recover, each representing a critical phase in cybersecurity risk management. CSF 2.0 added a sixth function, Govern, covering the organizational context, strategy, roles, and oversight of cybersecurity risk management.

The CSF serves as a universal guide, designed to be adaptable across organizations of all sizes and sectors. Its adoption extends far beyond U.S. federal agencies, with companies worldwide leveraging the framework to improve their cybersecurity resilience.

Special Publications (SP)

NIST publishes a series of Special Publications (SP), which provide technical guidelines for specific aspects of cybersecurity. Among the most significant is SP 800-53, "Security and Privacy Controls for Information Systems and Organizations" (earlier revisions carried "Federal" in the title; Revision 5 dropped it to reflect the controls' use beyond federal systems). This publication outlines a comprehensive catalog of controls addressing areas such as access control, incident response, system integrity, and cryptographic protection. It serves as the cornerstone for securing federal information systems and is often referenced in audits and compliance assessments.

Another critical standard is SP 800-171, which focuses on protecting Controlled Unclassified Information (CUI) in non-federal systems. It provides detailed requirements for organizations handling sensitive federal information, such as defense contractors and private sector partners. Compliance with SP 800-171 is often a prerequisite for participating in federal contracts.

For the secure development of software, NIST introduced SP 800-218, known as the "Secure Software Development Framework (SSDF)." This document emphasizes integrating security throughout all stages of the software development lifecycle, from design to deployment and maintenance.

Recognizing the unique challenges posed by Industrial Control Systems (ICS), NIST published SP 800-82, originally titled "Guide to Industrial Control Systems (ICS) Security" and retitled "Guide to Operational Technology (OT) Security" in Revision 3 (2023). This guideline addresses the security of critical infrastructure systems, including SCADA systems, programmable logic controllers (PLCs), and other operational technology (OT) components.

Federal Information Processing Standards (FIPS)

Main article: FIPS 140

In addition to Special Publications, NIST develops Federal Information Processing Standards (FIPS). These standards are legally binding for U.S. federal agencies and cover critical areas such as cryptography and secure data handling. For example, FIPS 140-3, "Security Requirements for Cryptographic Modules," specifies security requirements for cryptographic modules at four increasing security levels; modules are tested and validated under the Cryptographic Module Validation Program (CMVP), run jointly by NIST and the Canadian Centre for Cyber Security. FIPS 140 validation is widely required by both government and private sector organizations that need assurance over the cryptography they deploy.

FIPS standards are not limited to federal use; they are frequently referenced in international compliance frameworks and form the basis for many commercial security products.

NCSC Cyber Essentials

Main article: Cyber Essentials

Cyber Essentials is a United Kingdom government information assurance scheme operated by the National Cyber Security Centre (NCSC). It encourages organizations to adopt good practices in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.

Essential Eight

The Australian Cyber Security Centre has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies is called the Essential Eight.

BSI IT-Grundschutz

The Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) standards are an elementary component of the IT baseline protection (German: IT-Grundschutz) methodology. They contain recommendations on methods, processes, and procedures, approaches, and measures for various aspects of information security. Users from public authorities, companies, manufacturers, or service providers can use the BSI standards to make their business processes and data more secure.

  • BSI Standard 100-4 covers Business Continuity Management (BCM); it was succeeded by BSI Standard 200-4 in 2023.
  • BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO 27001 and considers recommendations of other ISO standards, such as ISO 27002.
  • BSI Standard 200-2 forms the basis of BSI's methodology for establishing a sound information security management system (ISMS). It establishes three procedures for implementing IT baseline protection.
  • BSI Standard 200-3 bundles all risk-related steps in implementing IT baseline protection.

Industry-specific Standards

The subsections below detail cybersecurity standards and frameworks related to specific industries.

PCI DSS

Main article: Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that store, process, or transmit cardholder data for branded payment cards of the major card schemes. The standard is mandated contractually by the card brands but maintained by the Payment Card Industry Security Standards Council (PCI SSC). It was created to increase controls around cardholder data, in particular the primary account number (PAN), in order to reduce payment card fraud; its requirements include masking PAN when displayed, rendering stored PAN unreadable, and never retaining sensitive authentication data after authorization.
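A recurring PCI DSS finding is PAN leaking into application logs. The following Python script is an added example (not code from PCI DSS, the PCI SSC, or this article) of a detective control for that: it scans constructed log lines for 13- to 19-digit runs, keeps only those that pass the Luhn check, and masks the survivors. The masking shape used (first six and last four digits visible) is the conventional display limit and, like the sample lines and the test card numbers in them, is an assumption of this example.

```python
"""Detect and mask primary account numbers (PANs) in log text.

Added example; not code from PCI DSS or from the article. The masking shape
(first six and last four digits kept) and the sample log lines are assumptions
of this example; the card numbers are well-known test numbers, not real cards.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812); filters most non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with Luhn-valid candidates masked and how many were found."""
    found = 0

    def repl(m):
        nonlocal found
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw            # e.g. a transaction id: leave untouched
        found += 1
        return mask_pan(digits)

    return CANDIDATE_RE.sub(repl, line), found


def redact_lines(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a batch of lines; returns the redacted lines and the PAN count."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_line(line)
        out.append(redacted)
        total += n
    return out, total


SAMPLE_LOG = [  # constructed lines; the card numbers are standard test numbers
    "2024-05-01T10:00:00Z order=7781 card=4111111111111111 amount=12.50",
    "2024-05-01T10:00:02Z card=5105 1051 0510 5100 status=declined",
    "2024-05-01T10:00:05Z txid=20240501100005123 user=alice",
    "2024-05-01T10:00:09Z ticket=12345 note=refund-requested",
]

if __name__ == "__main__":
    lines, n = redact_lines(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{n} PAN(s) masked")
```

The Luhn filter is what keeps the 17-digit transaction id on the third line untouched while both card numbers are masked; it is not a precise test (about one in ten random digit runs passes), so a production scanner would also weigh surrounding field names and BIN ranges. The control is detective: the requirement itself is met by not writing PAN to logs in the first place, and a redaction step like this one is evidence for what slipped through.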

UL 2900

UL 2900 is a series of standards published by UL. The standards include general cybersecurity requirements (UL 2900-1) as well as specific requirements for medical products (UL 2900-2-1), industrial systems (UL 2900-2-2), and security and life safety signalling systems (UL 2900-2-3).

UL 2900 requires manufacturers to describe and document the attack surface of the technologies used in their products. It requires threat modeling based on the intended use and deployment environment. The standard requires effective security measures that protect sensitive (personal) data and other assets, such as command and control data. It also requires that known security vulnerabilities in the software have been addressed, that security principles such as defense-in-depth have been followed, and that the security of the software has been verified through penetration testing.

Organisations producing Standards

The International Organization for Standardization (ISO) is an international standards organization organized as a consortium of national standards institutions from 167 countries, coordinated through a secretariat in Geneva, Switzerland. ISO is the world's largest developer of international standards. The International Electrotechnical Commission (IEC) is an international standards organization that deals with electrotechnology and cooperates closely with ISO. ISO/IEC 15443: "Information technology – Security techniques – A framework for IT security assurance", ISO/IEC 27002 (currently titled "Information security, cybersecurity and privacy protection – Information security controls"; earlier editions were the "Code of practice for information security management"), ISO/IEC 20000: "Information technology – Service management", and ISO/IEC 27001 (currently titled "Information security, cybersecurity and privacy protection – Information security management systems – Requirements") are of particular interest to information security professionals.

The US National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. The NIST Computer Security Division develops standards, metrics, tests, and validation programs, and it publishes standards and guidelines to increase secure IT planning, implementation, management, and operation. NIST is also the custodian of the U.S. Federal Information Processing Standard publications (FIPS).

The Internet Society is a professional membership society with over 100 organizations and over 20,000 individual members in over 180 countries. It provides leadership in addressing issues that confront the future of the Internet, and it is the organizational home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). The Requests for Comments (RFC) series published within this structure includes the Official Internet Protocol Standards and RFC 2196, the Site Security Handbook.

The German Federal Office for Information Security (in German Bundesamt für Sicherheit in der Informationstechnik (BSI)) BSI-Standards 100-1 to 100-4 were a set of recommendations including "methods, processes, procedures, approaches, and measures relating to information security". BSI-Standards 100-1 to 100-3 were superseded by the 200-series (200-1 to 200-3) in 2017, and 100-4 by 200-4 in 2023. The BSI-Standard 100-2 IT-Grundschutz Methodology described how information security management can be implemented and operated. The standard included a specific guide, the IT Baseline Protection Catalogs (IT-Grundschutz Catalogs). Before 2005, the catalogs were known as the "IT Baseline Protection Manual"; in 2017 they were replaced by the modular IT-Grundschutz-Kompendium. The Catalogs are documents useful for detecting and combating security-relevant weak points in the IT environment (IT cluster). As of September 2013, the collection encompassed over 4,400 pages with the introduction and catalogs. The IT-Grundschutz approach is aligned with the ISO/IEC 2700x family.

The European Telecommunications Standards Institute standardized a catalog of information security indicators developed by its Industry Specification Group (ISG) ISI.

See also

References

  1. "Guidelines for Smart Grid Cyber Security" (PDF). National Institute of Standards and Technology. September 2014. doi:10.6028/NIST.IR.7628r1. Retrieved 28 November 2023.
  2. "ITU-T Recommendation database".
  3. "FSI - Consortium for Research on Information Security and Policy".
  4. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". 30 March 2016. Retrieved 2016-08-02.
  5. ^ Ghappour, Ahmed (2017-01-01). "Tallinn, Hacking, and Customary International Law". AJIL Unbound. 111: 224–228. doi:10.1017/aju.2017.59.
  6. Ghappour, Ahmed (2017-04-01). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4): 1075.
  7. Ghappour, Ahmed (2017). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4).
  8. "ISO/IEC 27001:2022". webstore.iec.ch. Retrieved 2024-12-30.
  9. "ISO/IEC 27002:2022". webstore.iec.ch. Retrieved 2024-12-30.
  10. "ISO/IEC 27005:2022". webstore.iec.ch. Retrieved 2024-12-30.
  11. "ISO/IEC 27017:2015". webstore.iec.ch. Retrieved 2024-12-30.
  12. "ISO/IEC 27018:2019". webstore.iec.ch. Retrieved 2024-12-30.
  13. "ISO/IEC 27035-1:2023". webstore.iec.ch. Retrieved 2024-12-30.
  14. "ISO/IEC 27701:2019". webstore.iec.ch. Retrieved 2024-12-30.
  15. "ISO/IEC 15408-1:2022". ISO. Retrieved 2024-12-30.
  16. "ISO/IEC 15408-2:2022". ISO. Retrieved 2024-12-30.
  17. "ISO/IEC 15408-3:2022". ISO. Retrieved 2024-12-30.
  18. "ISO/IEC 15408-4:2022". ISO. Retrieved 2024-12-30.
  19. "ISO/IEC 15408-5:2022". ISO. Retrieved 2024-12-30.
  20. "NIAP". www.niap-ccevs.org. Retrieved 2024-12-30.
  21. "EUCC Certification Scheme - EU Cybersecurity Certification". certification.enisa.europa.eu. Retrieved 2024-12-30.
  22. ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
  23. "UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles | UNECE". unece.org.
  24. ETSI announcement
  25. ETSI EN 303 645 V2.1.0
  26. "ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements" (PDF). ETSI.
  27. "About NERC". www.nerc.com. Retrieved 2024-12-30.
  28. "Reliability Standards". www.nerc.com. Retrieved 2024-12-30.
  29. "Cybersecurity Framework". NIST. 2013-11-12.
  30. Force, Joint Task (2020-12-10). Security and Privacy Controls for Information Systems and Organizations (Report). National Institute of Standards and Technology.
  31. Ross, Ron; Pillitteri, Victoria (2024-05-14). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Report). National Institute of Standards and Technology.
  32. "NIST SP 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities".
  33. Stouffer, Keith; Pease, Michael; Tang, CheeYee; Zimmerman, Timothy; Pillitteri, Victoria; Lightman, Suzanne; Hahn, Adam; Saravia, Stephanie; Sherule, Aslam (2023-09-28). Guide to Operational Technology (OT) Security (Report). National Institute of Standards and Technology.
  34. "Essential Eight Maturity Model". Australian Cyber Security Centre. Retrieved 29 September 2022. Text was copied from this source, which is available under a Creative Commons Attribution 4.0 International License.
  35. "BSI - IT-Grundschutz". BSI (in German). Archived from the original on 2013-09-30. Retrieved 2021-03-26.
  36. "BSI-Standards". BSI. Archived from the original on 3 December 2013. Retrieved 29 November 2013.

External links
