Cybersecurity standards

From Wikipedia, the free encyclopedia
  (Redirected from Cyber security standards)
Jump to navigation Jump to search

Cybersecurity standards (also styled cyber security standards)[1] are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization.[2] This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The principal objective is to reduce the risks, including prevention or mitigation of cyber-attacks. These published materials consist of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.

History[edit]

Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices - generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.[3]

A 2016 US security framework adoption study reported that 70% of the surveyed organizations the NIST Cybersecurity Framework as the most popular best practice for Information Technology (IT) computer security, but many note that it requires significant investment.[4] Cross-border, cyber-exfiltration operations by law enforcement agencies to counter international criminal activities on the dark web raise complex jurisdictional questions that remain, to some extent, unanswered.[5][6] Tensions between domestic law enforcement efforts to conduct cross-border cyber-exfiltration operations and international jurisdiction are likely to continue to provide improved cybersecurity norms.[5][7]

Standards[edit]

The subsections below detail the most commonly used standards.

ISO/IEC 27001 and 27002[edit]

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.

ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard. The latest versions of BS 7799 is BS 7799-3. Sometimes ISO/IEC 27002 is therefore referred to as ISO 17799 or BS 7799 part 1 and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management; whereas BS 7799 part 2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation to obtain certification to the ISO/IEC 27001 standard. The certification once obtained lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years.

ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO/IEC 27001-certified. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). It states the information security systems required to implement ISO/IEC 27002 control objectives. Without ISO/IEC 27001, ISO/IEC 27002 control objectives are ineffective. ISO/IEC 27002 controls objectives are incorporated into ISO 27001 in Annex A.

ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO controls objectives.

NERC[edit]

An initial attempt to create information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards).[8] Subsequent to the CSS guidelines, NERC evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.[2]

NIST[edit]

  1. The NIST Cybersecurity Framework (NIST CSF) "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.[9]
  2. Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. [3]
  3. Special publication 800-14 describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document. [4]
  4. Special publication 800-26 provides advice on how to manage IT security. Superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self assessments as well as risk assessments. [5]
  5. Special publication 800-37, updated in 2010 provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems"
  6. Special publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", Published April 2013 updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
  7. Special publication 800-63-3, "Digital Identity Guidelines", Published June 2017 updated to include updates as of December 1, 2017, provides guidelines for implementing digital identity services, including identity proofing, registration, and authentication of users. [6]
  8. Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability and safety requirements specific to ICS. [7]

ISO 15408[edit]

This standard develops what is called the “Common Criteria”. It allows many different software and hardware products to be integrated and tested in a secure way.

IEC 62443[edit]

The IEC-62443 cybersecurity standards are multi-industry standards listing cybersecurity protection methods and techniques. These documents are the result of the IEC standards creation process where ANSI/ISA-62443 proposals and other inputs are submitted to country committees where review is done and comments regarding changes are submitted. The comments are reviewed by various IEC 62443 committees where comments are discussed and changes are made as agreed upon.

The numbering and organization of IEC 62443 work products into categories.
Planned and published IEC 62443 work products for IACS Security.

All IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System and Component.[10]

  1. The first (top) category includes foundational information such as concepts, models and terminology.
  2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products.

ANSI/ISA 62443 (Formerly ISA-99)[edit]

ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing secure Industrial Automation and Control Systems (IACS).

These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series.

ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject of IACS security. These work products are then submitted to the ISA approval and then publishing under ANSI. They are also submitted to IEC as input to the IEC 62443 series of international standards following the IEC standards development process.

See also[edit]

Notes[edit]

  1. ^ "Guidelines for Smart Grid Cyber Security". National Institute of Standards and Technology. 2010-08-01. Retrieved 2014-03-30.
  2. ^ http://www.itu.int/ITU-T/recommendations/rec.aspx?rec=9136
  3. ^ http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy
  4. ^ "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Retrieved 2016-08-02.
  5. ^ a b Ghappour, Ahmed (2017-01-01). "Tallinn, Hacking, and Customary International Law". AJIL Unbound. 111: 224–228. doi:10.1017/aju.2017.59.
  6. ^ Ghappour, Ahmed (2017-04-01). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4): 1075.
  7. ^ Ghappour, Ahmed (2017). "Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web". Stanford Law Review. 69 (4).
  8. ^ Symantec Control Compliance Suite - NERC and FERC Regulation Archived 2016-10-22 at the Wayback Machine Subsection: History of NERC Standards
  9. ^ "NIST Cybersecurity Framework". Retrieved 2016-08-02.
  10. ^ More information about the activities and plans of the ISA99 committee is available on the committee Wiki site ([1])

References[edit]

  1. ^ Department of Homeland Security, A Comparison of Cyber Security Standards Developed by the Oil and Gas Segment. (November 5, 2004)
  2. ^ Guttman, M., Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14). (September 1996)
  3. ^ National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
  4. ^ Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Security Self-Assessment Guide for Information Technology Systems (800-26).
  5. ^ Grassi, P.; Garcia, M.; Fenton, J.;National Institute of Standards and Technology; U.S. Department of Commerce., Digital Identity Guidelines (800-63-3).
  6. ^ Stouffer, K.; Pillitteri, V.; Lightman, S.; Abrams, M.; Hahn, A.; National Institute of Standards and Technology; U.S. Department of Commerce., Guide to Industrial Control Systems (ICS) Security (800-82).
  7. ^ The North American Electric Reliability Council (NERC). http://www.nerc.com. Retrieved November 12, 2005.
  8. ^ Federal Financial Institutions Examination Council (FFIEC). https://www.ffiec.gov. Retrieved April 18, 2018.

External links[edit]