Cyber security standards
Cyber security standards are published sets of security requirements and practices that organizations adopt to reduce the number and impact of successful cyber attacks. They range from general outlines to specific techniques for implementing controls. For certain standards, an organization can have its conformance certified by an accredited body; certification has a number of advantages, including making it easier to obtain cyber security insurance.

History

Cyber security standards are a relatively recent development, driven by the fact that sensitive information is now routinely stored on computers attached to the Internet and that many tasks once done by hand are now carried out by computer, creating a need for information assurance (IA) and security. Individuals need cyber security to guard against identity theft; businesses need it to protect trade secrets, proprietary information and the personally identifiable information (PII) of their customers and employees; and governments need it to secure their own information. One of the most widely used security standards today is ISO/IEC 27002, whose lineage goes back to 1995. Its predecessor, BS 7799, consisted of two parts, BS 7799 part 1 and BS 7799 part 2, both created by the British Standards Institution (BSI). Part 2, the certifiable management-system specification, has since become ISO/IEC 27001, while part 1, the code of practice, became ISO/IEC 17799 and then ISO/IEC 27002. The National Institute of Standards and Technology (NIST) has released several special publications addressing cyber security; three are especially relevant: SP 800-12, "An Introduction to Computer Security: The NIST Handbook"; SP 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems"; and SP 800-26, "Security Self-Assessment Guide for Information Technology Systems". The International Society of Automation (ISA) has developed cyber security standards for industrial automation and control systems (IACS) that are broadly applicable across manufacturing industries; the series is known as ISA-99 and is being expanded to address new areas of concern.

ISO 27002

ISO 27002 incorporates the content of BS 7799 part 1. Sometimes "ISO/IEC 27002" is used loosely to refer to BS 7799 part 1 only, and sometimes to both part 1 and part 2. BS 7799 part 1 provides an outline for cyber security policy (a code of practice), whereas BS 7799 part 2 provides a specification against which an organization can be certified. The outline is a high-level guide to cyber security. It is most beneficial for an organization to obtain certification and so be recognized as compliant with the standard. Once obtained, the certification lasts three years and is periodically checked by the certification body (BSI, in the original text) through surveillance audits to ensure that the organization remains compliant throughout that period. ISO 27001, the information security management system (ISMS) standard, replaces BS 7799 part 2, but since it is backward compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO 27001 certification process; a transitional audit is available to make it easier for an organization that is already BS 7799 part 2-certified to become ISO 27001-certified. ISO/IEC 27002 states that information security is characterized by confidentiality, integrity and availability. The 2005 edition of ISO/IEC 27002 is arranged into eleven control areas: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; and compliance.

Standard of good practice

In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years; at the time of writing, the latest version was the 2011 edition.

Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available to the general public at no cost.

Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP.

NERC

The North American Electric Reliability Corporation (NERC) has created many standards. The most widely recognized is NERC 1300, a modification and update of NERC 1200. The current form of NERC 1300 is the set of standards CIP-002-1 through CIP-009-2 (CIP = Critical Infrastructure Protection). These standards are used to secure the bulk electric system, although NERC has also created standards in other areas. The bulk electric system standards cover network security administration while still supporting established industry processes.

NIST

  1. Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook", provides a broad overview of computer security and its control areas. It emphasizes the importance of security controls and ways to implement them. Although initially aimed at the federal government, specifically at the people responsible for sensitive federal systems, most of its practices apply equally to the private sector.
  2. Special Publication 800-14 describes commonly used security principles. It gives a high-level description of what a computer security policy should contain, and describes both how to improve existing security and how to develop a new security practice. Eight principles and fourteen practices are described in the document.
  3. Special Publication 800-26 provides advice on how to manage IT security. It emphasizes the importance of self-assessments as well as risk assessments.
  4. Special Publication 800-37, revised in 2010 as "Guide for Applying the Risk Management Framework to Federal Information Systems", provides a new, risk-based approach to authorizing federal information systems.
  5. Special Publication 800-53 Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations", updated in August 2009, catalogs the security controls (194 in the count given here) that are applied to a system to make it "more secure". Its companion, SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems", describes how those controls are assessed.

ISO 15408

This standard defines what is called the Common Criteria for Information Technology Security Evaluation. It provides a common framework for specifying the security functional and assurance requirements of IT products and for independently evaluating products against those requirements, so that evaluation results from different laboratories and countries can be compared and mutually recognized.

RFC 2196

RFC 2196, the "Site Security Handbook", is a memorandum published by the Internet Engineering Task Force (IETF) on developing security policies and procedures for information systems connected to the Internet. It provides a general and broad overview of information security, including network security, incident response and security policies. The document is very practical and focuses on day-to-day operations.

ISA-99

ISA99 is the Industrial Automation and Control Systems Security Committee of the International Society of Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released as American National Standards Institute (ANSI) documents. Work products from the ISA99 committee are also submitted to the International Electrotechnical Commission (IEC) as standards and specifications in the IEC 62443 series.

All ISA99 standards and technical reports are organized into four general categories, which identify the primary target audience for each group (General, Asset Owner, System Integrator and Component Provider).
  1. The first (top) category contains common or foundational information such as concepts, models and terminology. It also includes a work product that will describe security metrics.
  2. The second group of work products targets the asset owner and addresses various aspects of creating and maintaining an effective IACS security program.
  3. The third category contains work products that describe system design guidance and requirements for the secure integration of control systems. Central to it is the zone and conduit design model.
  4. The fourth category contains work products that describe the specific product development and technical requirements of control system products. It is primarily intended for control product vendors, but can also be used by integrators and asset owners to assist in the procurement of secure products.


There have been a number of changes in the ISA99 numbering scheme to align it with the corresponding IEC standards. In future, all work products will be numbered using the convention "ISA-62443.xx.yy"; the previous ISA99 nomenclature will be maintained for continuity.

The specific ISA99 documents are as follows:
  • Group 1: General
    • ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
    • ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft, but its content is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Master%20Glossary.aspx).
    • ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
  • Group 2: Asset Owner
    • ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1.
    • ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
    • ISA-TR99.02.03 is a technical report on patch management in IACS environments. This report is currently under development.
  • Group 3: System Integrator
  • Group 4: Component Provider
    • ISA-99.04.01 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
    • The ISA-99.04.02 series addresses detailed technical requirements at the IACS component level. This standard is currently under development.


Finally, an additional IEC standard (shown in green in the original diagram) is anticipated, in the expectation that a document from the WIB organization will be accepted into the series. That document is NOT a work product of the ISA99 committee.

More information about the activities and plans of the ISA99 committee is available on the committee Wiki site (http://isa99.isa.org/ISA99%20Wiki/Home.aspx)

ISA Security Compliance Institute

Related to the work of ISA99 is the work of the ISA Security Compliance Institute (ISCI), which has developed compliance test specifications for ISA99 and other control system security standards. ISCI has also created an ANSI-accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLCs), distributed control systems (DCSs) and safety instrumented systems (SISs). These types of devices provide automated control of industrial processes such as those found in the oil and gas, chemical, electric utility, manufacturing, food and beverage, and water/wastewater industries. There is growing concern from both governments and private industry about the risk that these systems could be intentionally compromised by hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet, a worm discovered in June 2010 that spreads via Microsoft Windows and targets Siemens industrial software and equipment, has heightened concerns about the vulnerability of these systems.

See also

  • 201 CMR 17.00 (Massachusetts Standards for the Protection of Personal Information)
  • BS 7799
  • Common Criteria
  • Computer security
  • Computer security policy
  • Information security
  • Information assurance
  • ISO/IEC 27002
  • IT Baseline Protection Catalogs (IT-Grundschutz-Kataloge)
  • North American Electric Reliability Corporation (NERC)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard
  • Standard of Good Practice
  • Semantic service-oriented architecture (SSOA)
  • ISA-99 Security for Industrial Automation and Control Systems
  • Control system security
  • Good Practice Guide 13 - Protective Monitoring

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.