Cyber security standards

ISO 17799

ISO 17799 incorporates both parts of the BS 7799 standard. Sometimes ISO 17799 is referred to as BS 7799 part 1 and sometimes it refers to part 1 and part 2. BS 7799 part 1 provides an outline for cyber security policy; whereas BS 7799 part 2 provides a certification. The outline is a high level guide to cyber security. It is most beneficial for an organization to obtain a certification in order to be recognized as compliant with the standard. The certification once obtained lasts three years and is periodically checked by the BSI to ensure an organization continues to be compliant throughout that three year period. ISO 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO 27001-certified. ISO 17799 states that information security is characterized by integrity, confidentiality, and availability. The ISO 17799 standard is arranged into eleven control areas; security policy, organizing information security, asset mangement, human resources security, physical and environmental security, communication and operations, access controls, information systems acquisition/development/maintenance, incident handling, business continuity management, compliance.

Standard of good practice

In 1998, the Information Security Forum (ISF) developed a comprehensive list of best practices for information security, published as the Standard of Good Practice (SoGP). The ISF also offers an assessment to identify benchmark environments and measure compliance to the SoGP. The SoGP is a biannual review cycle during which existing sections are revised and new sections are added according to ISF Member information and best-practices research.

Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available to the general public at no cost.

NERC

The North America Electric Reliability Council (NERC) has created many standards. The most widely recognized is NERC 1300 which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-1 through CIP-009-1 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best practice industry processes.

NIST

1) Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems.

2) Special publication 800-14 describes common security principals that are used. It provides a high level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principals and fourteen practices are described within this document.

3) Special publication 800-26 provides advice on how to manage IT security. This document emphasizes the importance of self assessments as well as risk assessments.

ISO 15408

This standard develops what is called the “Common Criteria�. It allows many different software applications to be integrated and tested in a secure way.

Copyright 2008 - France BtoB from Wikipédia