Cyber security standards
This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (March 2014) (Learn how and when to remove this template message)
|This article is part of a series on|
|Related security categories|
Cybersecurity standards (also styled cyber security standards) are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. The principal objective is to reduce the risks, including prevention or mitigation of cyber-attacks. These published materials consist of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.
- 1 History
- 2 ETSI Cyber Security Technical Committee (TC CYBER)
- 3 ISO/IEC 27001 and 27002
- 4 CISQ
- 5 Standard of Good Practice
- 6 NERC
- 7 NIST
- 8 ISO 15408
- 9 RFC 2196
- 10 ANSI/ISA 62443 (Formerly ISA-99)
- 11 IEC 62443
- 12 IASME Governance
- 13 U.S. Banking Regulators
- 14 See also
- 15 Notes
- 16 References
- 17 External links
Cybersecurity standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices - generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s. Also many tasks that were once carried out by hand are now carried out by computer; therefore there is a need for information assurance (IA) and security.
A 2016 US security framework adoption study reported that 70% of the surveyed organizations see the NIST Cybersecurity Framework as the most popular best practice for Information Technology (IT) computer security, but many note that it requires significant investment.
A Chief information security officer is typically charged with selecting, implementing and monitoring the efficiency and effectiveness of IT Cybersecurity standards for their organization.
ETSI Cyber Security Technical Committee (TC CYBER)
TC CYBER is responsible for the standardisation of Cyber Security internationally and for providing a centre of relevant expertise for other ETSI committees. Growing dependence on networked digital systems has brought with it an increase in both the variety and quantity of cyber-threats.  The different methods governing secure transactions in the various Member States of the European Union sometimes make it difficult to assess the respective risks and to ensure adequate security. Building on ETSI's world-leading expertise in the security of Information and Communications Technologies (ICT), it set up a new Cyber Security committee (TC CYBER) in 2014 to meet the growing demand for standards to protect the Internet and the communications and business it carries.
TC CYBER is working closely with relevant stakeholders to develop appropriate standards to increase privacy and security for organisations and citizens across Europe. The committee is looking in particular at the security of infrastructures, devices, services and protocols, as well as security tools and techniques to ensure security. It offers security advice and guidance to users, manufacturers and network and infrastructure operators. Its standards are freely available on-line. A principal work item effort is the production of a global cyber security ecosystem of standardization and other activities.
ISO/IEC 27001 and 27002
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.
ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard. The latest versions of BS 7799 is BS 7799-3. Sometimes ISO/IEC 27002 is therefore referred to as ISO 17799 or BS 7799 part 1 and sometimes it refers to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management; whereas BS 7799 part 2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation to obtain certification to the ISO/IEC 27001 standard. The certification once obtained lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years.
ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backward compatible any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO/IEC 27001-certified. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). It states the information security systems required to implement ISO/IEC 27002 control objectives. Without ISO/IEC 27001, ISO/IEC 27002 control objectives are ineffective. ISO/IEC 27002 controls objectives are incorporated into ISO 27001 in Annex A.
ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO controls objectives.
CISQ develops standards for automating the measurement of software size and software structural quality. CISQ is a special interest group of the Object Management Group that submits specifications for approval as OMG international standards. The measurement standards are used for the static program analysis of software, a software testing practice that identifies critical vulnerabilities in the code and architecture of a software system.
CISQ-developed standards are used to manage the Security, Reliability, Performance Efficiency and Maintainability characteristics of software risk. The Automated Source Code Security standard is a measure of how easily an application can suffer unauthorized penetration which may result in stolen information, altered records, or other forms of malicious behavior. The Security standard is based on the most widespread and frequently exploited security weaknesses in software as identified in the Common Weakness Enumeration, SANS Top 25, and OWASP Top 10. The Automated Source Code Reliability standard is a measure of the availability, fault tolerance, recoverability, and data integrity of an application. The Reliability standard measures the risk of potential application failures and the stability of an application when confronted with unexpected conditions. CISQ is working on an automated measure of Technical Debt.
Standard of Good Practice
In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security, published as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years (with the exception of 2013-2014); the latest version was published in 2018.
Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public.
Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP. Furthermore, it is important for those in charge of security management to understand and adhere to NERC CIP compliance requirements.
The North American Electric Reliability Corporation (NERC) addresses patching in NERC CIP 007-6 Requirement 2. Summarily, it requires Bulk Power System (BPS) Operators/Owners to identify the source or sources utilized to provide
Entiter Security related patches for Cyber Assets utilized in the operation of the Registered Entities are required to check for new patches once every thirty five calendar days. Upon identification of a new patch, entities are required to evaluate applicability of a patch and then complete mitigation or installation activities within 35 calendar days of completion of assessment of applicability.e BPS.y
An initial attempt to create information security standards for the electrical power industry was created by NERC in 2003 and was known as NERC CSS (Cyber Security Standards). Subsequent to the CSS guidelines, NERC evolved and enhanced those requirements. The most widely recognized modern NERC security standard is NERC 1300, which is a modification/update of NERC 1200. The newest version of NERC 1300 is called CIP-002-3 through CIP-009-3 (CIP=Critical Infrastructure Protection). These standards are used to secure bulk electric systems although NERC has created standards within other areas. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.
- The NIST Cybersecurity Framework (NIST CSF) "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
- Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. 
- Special publication 800-14 describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document. 
- Special publication 800-26 provides advice on how to manage IT security. Superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self assessments as well as risk assessments. 
- Special publication 800-37, updated in 2010 provides a new risk approach: "Guide for Applying the Risk Management Framework to Federal Information Systems"
- Special publication 800-53 rev4, "Security and Privacy Controls for Federal Information Systems and Organizations", Published April 2013 updated to include updates as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it "more secure".
- Special Publication 800-82, Revision 2, "Guide to Industrial Control System (ICS) Security", revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber attacks while considering the performance, reliability and safety requirements specific to ICS. 
This standard develops what is called the “Common Criteria”. It allows many different software and hardware products to be integrated and tested in a secure way.
RFC 2196 is memorandum published by Internet Engineering Task Force for developing security policies and procedures for information systems connected on the Internet. The RFC 2196 provides a general and broad overview of information security including network security, incident response, or security policies. The document is very practical and focusing on day-to-day operations.
ANSI/ISA 62443 (Formerly ISA-99)
ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, implementing, or managing IACS.
These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.
ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject of IACS security. These work products are then submitted to the ISA approval and then publishing under ANSI. They are also submitted to IEC for consideration as standards and specifications in the IEC 62443 series of international standards following the IEC standards development process.
All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System and Component.
- The first (top) category includes foundational information such as concepts, models and terminology.
- The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrator and asset owners for to assist in the procurement of secure products.
The ISA Security Compliance Institute (ISCI) Conformity Assessment Program
ISCI created the first conformity assessment scheme (commonly known as a certification scheme) for the ISA S99 IACS cybersecurity standards. This program certifies Commercial Off-the-shelf (COTS) IACS products and systems, addressing securing the IACS supply chain. ISCI development processes include maintenance policies to ensure that the ISASecure certifications remain in alignment with the IEC 62443 standards as they evolve. While the IEC 62443 standards are designed to horizontally address technical cybersecurity requirements of a cross-section of industries, the ISASecure scheme’s certification requirements working groups include subject matter experts from the chemical and oil and gas industries and are reflective of their cybersecurity needs.
The ISASecure scheme requires that all test tools be evaluated and approved to ensure the tools meet functional requirements necessary and sufficient to execute all required product tests and that test results will be consistent among the recognized tools.
exida from the United States was the first certification body accredited for the ISCI scheme by the American National Standards Institute (ANSI) followed by the Control Systems Security Center – Certification Laboratory (CSSC-CL) accredited by the Japan Accreditation Board (JAB) and TÜV Rheinland accredited by Deutsche Akkreditierungsstelle (DAkkS).
ISCI Certification Offerings
Two COTS product certifications are available under the ISASecure® brand: ISASecure-EDSA (Embedded Device Security Assurance) certifying IACS products to the 62443-4-1 / 62443-4-2 IACS cybersecurity standards and ISASecure-SSA (System Security Assurance), certifying IACS systems to the same standards.
A third certification, SDLA (Secure Development Lifecycle Assurance) is available from ISCI which certifies IACS development organizations to the 62443-4-1 cybersecurity standard.
ISO 17065 and Global Accreditation
The ISASecure 62443 conformity assessment scheme is an ISO 17065 program whose labs (certification bodies or CB) are independently accredited by ANSI/ANAB, JAB and other global ISO 17011 accreditation bodies (AB). The certification labs must also meet ISO 17025 lab accreditation requirements to ensure consistent application of certification requirements and recognized tools.
Through Mutual Recognition Arrangements (MRA) with IAF, ILAC and others, the accreditation of the ISASecure labs by the ISA 17011 accreditation bodies ensures that certificates issued by any of the ISASecure labs are globally recognized.
The IEC-62443 cybersecurity standards are multi-industry standards listing cybersecurity protection methods and techniques. These documents are the result of the IEC standards creation process where ANSI/ISA-62443 proposals and other inputs are submitted to country committees where review is done and comments regarding changes are submitted. The comments are reviewed by various IEC 62443 committees where comments are discussed and changes are made as agreed upon. Many members of the IEC committees are the same persons from the ISA S99 committees. To date, the fundamental concepts from the original ANSI/ISA 62443 documents have been utilized.
IEC 62443 Certification Programs
IEC 62443 certification schemes have also been established by several global Certification Bodies. Each has defined their own scheme based upon the referenced standards and procedures which describes their test methods, surveillance audit policy, public documentation policies, and other specific aspects of their program. Cybersecurity certification programs for IEC 62443 standards are being offered globally by several recognized CBs including UL, exida, TÜV Rheinland, TÜV Sud, TÜV Nord, and SGS-TÜV Saar. In the automation system market space most cybersecurity certifications have been done by exida.
Global Accreditation and Recognition
A global infrastructure has been established to ensure consistent evaluation per these standards. Impartial third party organizations called Certification Bodies (CB) are accredited to operate ISO/IEC 17065 and ISO/IEC 17025. Certification Bodies are accredited to perform the auditing, assessment, and testing work by an Accreditation Body (AB). There is often one national AB in each country. These ABs operate per the requirements of ISO/IEC 17011, a standard that contains requirements for the competence, consistency, and impartiality of accreditation bodies when accrediting conformity assessment bodies. ABs are members of the International Accreditation Forum (IAF) for work in management systems, products, services, and personnel accreditation or the International Laboratory Accreditation Cooperation (ILAC) for laboratory accreditation. A Multilateral Recognition Arrangement (MLA) between ABs will ensure global recognition of accredited CBs.
IASME Governance is a UK-based standard for information assurance at small-to-medium enterprises (SMEs). It provides criteria and certification for small-to-medium business cybersecurity readiness. It also allows small to medium business to provide potential and existing customers and clients with an accredited measurement of the cybersecurity posture of the enterprise and its protection of personal/business data.
The IASME Governance standard was developed to enable businesses to achieve an accreditation similar to ISO 27001 but with reduced complexity, cost, and administrative overhead (specifically focused on SME in recognition that it is difficult for small cap businesses to achieve and maintain ISO 27001). Certifications to the IASME Governance standard include free basic cyber security insurance for UK-based SME applicants.
The cost of the certification is progressively graduated based upon the employee population of the SME (e.g., 10 & fewer, 11 to 25, 26 - 100, 101 - 250 employees); the certification can be based upon a self-assessment with an IASME questionnaire or by a third-party professional assessor. Some insurance companies reduce premiums for cybersecurity related coverage based upon the IASME certification.
U.S. Banking Regulators
In October 2016 the Federal Reserve Board, the Office of Comptroller of the Currency, and the Federal Deposit Insurance Corporation, jointly issued an Advance Notice of Proposed Rulemaking (ANPR) regarding cyber risk management standards (for regulated entities). The ANPR aims to enhance the ability of large, interconnected financial services entities to prevent and recover from cyber attacks, and goes beyond existing requirements.
The proposal requires that entities with total assets of $50 billion or more and their third party service providers take steps to strengthen their incident response programs, enhance their cyber risk governance and management practices,
In May 2017, the US based Federal Financial Institutions Examination Council, which is comprised the principals of the following: The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee, issued a cyber security assessment tool. The tool includes completing an inherent risk profile for the organization which covers five areas:
- Technologies and connection types,
- Delivery channels,
- Online/mobile products and technology services,
- Organizational characteristics, and
- External threats.
- 201 CMR 17.00 (Massachusetts Standards for the Protection of Personal Information)
- BS 7799
- Chief information security officer
- Common Criteria
- Computer security
- Computer Security Policy
- Cyber Essentials (UK Government Standard)
- Information security
- Information assurance
- ISO/IEC 27002
- IT Baseline Protection Catalogs
- North American Electric Reliability Corporation (NERC)
- National Institute of Standards and Technology (NIST)
- Open Information Security Maturity Model
- Payment Card Industry Data Security Standard (PCI DSS)
- Privacy engineering
- Standard of Good Practice
- Semantic service-oriented architecture (SSOA)
- ISA99 Committee on Industrial Automation and Control Systems Security
- Control system security
- Information security indicators
- "Guidelines for Smart Grid Cyber Security". National Institute of Standards and Technology. 2010-08-01. Retrieved 2014-03-30.
- "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Retrieved 2016-08-02.
- Symantec Control Compliance Suite - NERC and FERC Regulation Subsection: History of NERC Standards
- "NIST Cybersecurity Framework". Retrieved 2016-08-02.
- More information about the activities and plans of the ISA99 committee is available on the committee Wiki site ()
- "IASME". www.iasme.co.uk. Retrieved 2018-10-08.
- "PwC - Cybersecurity: Banking regulators weigh in" (PDF). pwc.com. PwC Financial Crimes Observer. Retrieved 25 November 2016.
- "FFIEC - Cybersecurity Assessment Tool". www.ffiec.com. Federal Financial Institutions Examination Council (FFIEC). Retrieved 18 April 2018.
- "FFIEC - Cybersecurity Assessment Tool User's Guide" (PDF). www.ffiec.com. Federal Financial Institutions Examination Council (FFIEC). Retrieved 18 April 2018.
- ^ Department of Homeland Security, A Comparison of Cyber Security Standards Developed by the Oil and Gas Segment. (November 5, 2004)
- ^ Guttman, M., Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Generally Accepted Principles and Practices for Securing Information Technology Systems (800-14). (September 1996)
- ^ National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
- ^ Swanson, M., National Institute of Standards and Technology; Technology Administration; U.S. Department of Commerce., Security Self-Assessment Guide for Information Technology Systems (800-26).
- ^ Stouffer, K.; Pillitteri, V.; Lightman, S.; Abrams, M.; Hahn, A.; National Institute of Standards and Technology; U.S. Department of Commerce., Guide to Industrial Control Systems (ICS) Security (800-82).
- ^ The North American Electric Reliability Council (NERC). http://www.nerc.com. Retrieved November 12, 2005.
- ^ Federal Financial Institutions Examination Council (FFIEC). https://www.ffiec.gov. Retrieved April 18, 2018.
- ISA99 Committee home page
- NERC Standards (see CIP 002-009)
- Securing Cyberspace-Media
- Presentation by Professor William Sanders, University of Illinois
- Global Cybersecurity Policy Conference
- A 10 Minute Guide to the NIST Cybersecurity Framework
- Federal Financial Institutions Examination Council's (FFIEC) Web Site