Revision as of 05:56, 19 December 2005 editJake Nelson (talk | contribs)2,272 editsm cat← Previous edit | Revision as of 08:18, 12 January 2006 edit undoQuarl (talk | contribs)Autopatrolled, Administrators32,378 edits define cyber security certificationNext edit → | ||
Line 1: | Line 1: | ||
'''Cyber security standards''' are ]s which enable ] to practice safe security techniques in order to minimize the number of successful ]s. These guides provide general outlines as well as specific techniques for implementing ]. For certain specific standards |
'''Cyber security standards''' are ]s which enable ] to practice safe security techniques in order to minimize the number of successful ]s. These guides provide general outlines as well as specific techniques for implementing ]. For certain specific standards, '''cyber security certification''' by an ] body can be obtained. There are many advantages to obtaining certification including the ability to get ]. | ||
==History== | ==History== |
Revision as of 08:18, 12 January 2006
Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks. These guides provide general outlines as well as specific techniques for implementing cyber security. For certain specific standards, cyber security certification by an accredited body can be obtained. There are many advantages to obtaining certification including the ability to get cyber security insurance.
History
Cyber security standards have been created recently because sensitive information is now frequently stored on computers that are attached to the internet. Also many tasks that were once done by hand are carried out by computer; therefore there is a need for Information Assurance (IA) and security. Cyber security is important to individuals because they need to guard against identity theft. Businesses also have a need for this security because they need to protect their trade secrets, proprietary information, and customer’s personal information. The government also has the need to secure their information. This is particularly critical since some terrorism acts are organized and facilitated by using the internet. One of the most widely used security standards today is ISO 17799 which started in 1995. This standard consists of two basic parts. BS 7799 part 1 and BS 7799 part 2 both of which were created by (British Standards Institute) BSI. Recently this standard has become ISO 27001. The National Institute of Standards and Technology (NIST) has released several special papers addressing cyber security. Three of these special papers are very relevant to cyber security: the 800-12 titled “Computer Security Handbook;” 800-14 titled “Generally Accepted Principals and Practices for Securing Information Technology;” and the 800-26 titled “Security Self-Assessment Guide for Information Technology Systems”.
ISO 17799
ISO 17799 incorporates both parts of the BS 7799 standard. Sometimes ISO 17799 is referred to as BS 7799 part 1 and sometimes it refers to part 1 and part 2. BS 7799 part 1 provides an outline for cyber security policy; whereas BS 7799 part 2 provides a certification. The outline is a high level guide to cyber security. It is most beneficial for an organization to obtain a certification in order to be recognized as compliant with the standard. The certification once obtained lasts three years and is periodically checked by the BSI to ensure an organization continues to be compliant throughout that three year period. ISO 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO 27001-certified. ISO 17799 states that information security is characterized by integrity, confidentiality, and availability. The ISO 17799 standard is arranged into ten control areas; security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operation management, access control, systems development and maintenance, businesses continuity management, and compliance.
NERC
The North America Electric Reliability Council (NERC) has created many standards. The most widely recognized is NERC 1300 which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-1 through CIP-009-1 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best practice industry processes.
NIST
1) Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems.
2) Special publication 800-14 describes common security principals that are used. It provides a high level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principals and fourteen practices are described within this document.
3) Special publication 800-26 provides advice on how to manage IT security. This document emphasizes the importance of self assessments as well as risk assessments.
ISO 15408
This standard develops what is called the “Common Criteria”. It allows many different software applications to be integrated and tested in a secure way.
See Also
ISO 27001
ISMS
800-12
800-14
800-26
References
- 1.Department of Homeland Security, A Comparison of Cyber Security Standards Developed by the Oil and Gas Segment. (November 5, 2004)
- 2.Guttman, M., Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14). (September 1996)
- 3.National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
- 4.Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Security Self-Assessment Guide for Information Technology Systems (800-26).
- 5.The North America Electric Reliability (NERC). http://www.nerc.com. Retrieved November 12, 2005.
External Links
Information on ISO 17799 (http://iso-17799.safemode.org/)
NEWS about ISO 17799 (http://www.iso17799-web.com/)
BS 7799 certification (http://www.itmanagementnews.com/itmanagementnews-54-20040224BS7799CompliancyandCertification.html)
ISO webpage: (http://www.iso.org/iso/en/ISOOnline.frontpage)
BSI website: (http://www.bsi-global.com/index.xalter)
ISMS information (http://www.gammassl.co.uk/topics/hot1.html)
ISMS International User Group (http://www.iso17799-web.com/)
NERC Standards: (http://www.nerc.com/~filez/standards/Cyber-Security-Permanent.html)
NIST webpage: (http://www.nist.gov/)
CYBER-ATTACKS! Trends in US Corporations (http://www.bizforum.org/whitepapers/rand001.htm)
Securing Cyberspace-Media Link (http://hsgac.senate.gov/index.cfm?Fuseaction=Hearings.Detail&HearingID=261)
Categories: