Encyclopedia of Security Standards: Chapter #1 - Introduction

IT security standards, or cybersecurity standards, help organizations identify and implement appropriate measures to protect their systems and data from cyber threats. Cybersecurity matters to every company, regardless of its size or whether it does business globally or domestically. Customers will only trust you if you meet certain cybersecurity requirements, and complying with, or being certified against, the standards that embody those requirements is a practical way to show clients and partners that you take the security of their information seriously. Standards also help you prepare for, respond to, and recover from cybersecurity incidents.

Cybersecurity standards are statements of what must be achieved, in terms of security outcomes, to fulfil an enterprise's stated security objectives. How a standard is to be implemented, and which solutions are used to meet it, are normally not part of the standard itself. Those decisions belong in the plans and operational procedures that are written to implement the standard at a given point in time.

Cybersecurity standards are a key step in the IT governance process. As a means of managing and containing risk at acceptable levels, they must be wholly consistent with the IT governance instruments and closely aligned with, and driven by, the enterprise's cybersecurity policies.

The following diagram shows how cybersecurity standards shape our design and security posture.

[Diagram: how cybersecurity standards shape design and posture (image not reproduced here)]

Each enterprise has risk management and liability protection requirements that are specific to its business or industry. Senior management typically sets these requirements at the level of security and risk strategy and policy.

To meet them, tailored standards and control objectives must be defined and added to the enterprise's existing body of standards.

Most standards are generic, distilled from many years of experience, and aim to raise an organization's cybersecurity posture. Compliance with some is voluntary; compliance with others is mandated by national law or by a sector regulator. Critical sectors have dedicated standards, and even where a standard is not mandatory, certification against it is now widely treated by customers as a mark of trustworthiness.

These standards have to be kept up to date as technology and needs evolve, and each one is created, updated, and maintained by an international, regional, national, or industry organization. Some of these organizations are listed below. There are many more than the ones listed here; I have chosen those whose standards and guidelines give direction to the sector.


Organizations

Major Organizations

  • ISO/IEC JTC 1 is the joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its mission is to develop, maintain, and promote standards in information and communications technology (ICT); its subcommittee SC 27 is responsible for the information security, cybersecurity, and privacy standards discussed below.
  • NIST (National Institute of Standards and Technology) was established in 1901 and is now an agency of the United States Department of Commerce. NIST operates several laboratories that advance and deploy technological innovations, among them programs in engineering, information technology, nanoscale science, neutron research, material measurement, and physical measurement. NIST also develops and maintains standards used in science, technology, and other fields. Its information security standards help federal agencies, contractors, and other businesses that work with the government meet the requirements of laws such as the Federal Information Security Management Act of 2002 (FISMA, updated by the Federal Information Security Modernization Act of 2014), which mandates specific cybersecurity standards, and they are widely adopted by other public- and private-sector organizations as the basis of their cybersecurity programs. NIST does not certify organizations; it develops and promotes the guidelines that federal agencies must follow (cryptographic modules are the exception: they are validated against FIPS 140 under the Cryptographic Module Validation Program, which NIST runs jointly with the Canadian Centre for Cyber Security).
  • ETSI (European Telecommunications Standards Institute) is a European Standards Organization (ESO), the recognized regional standards body for telecommunications, broadcasting, and other electronic communications networks and services.
  • The PCI SSC (Payment Card Industry Security Standards Council) was formed on September 7, 2006, by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. to manage the ongoing evolution of the Payment Card Industry Data Security Standard (PCI DSS).
  • ENISA (European Union Agency for Cybersecurity) is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe. The European Union Agency for Cybersecurity, founded in 2004 and strengthened by the EU Cybersecurity Act, contributes to EU cyber policy, improves the trustworthiness of ICT products, services, and processes through cybersecurity certification schemes, collaborates with Member States and EU bodies, and assists Europe in preparing for tomorrow's cyber challenges.
  • ISA (International Society of Automation) is a non-profit professional association founded in 1945 with the goal of making the world a better place through automation. Through standards and knowledge sharing, ISA empowers the global automation community, driving the advancement of individual careers and the profession as a whole. ISA established the ISA Global Cybersecurity Alliance (isa.org/ISAGCA) to advance cybersecurity readiness and awareness in manufacturing and critical infrastructure facilities and processes.
  • NERC (The North American Electric Reliability Corporation) is a non-profit international regulatory body whose mission is to ensure the effective and efficient reduction of risks to the grid's reliability and security. NERC creates and enforces Reliability Standards, assesses seasonal and long-term reliability on an annual basis, monitors the bulk power system through system awareness, and educates, trains, and certifies industry personnel.
  • CIS (The Center for Internet Security, Inc.) is a community-driven nonprofit responsible for the CIS Controls and the CIS Benchmarks, globally recognized best practices for securing IT systems and data. CIS leads a global community of IT professionals that continuously evolves these standards and provides products and services to safeguard against emerging threats.
  • OWASP (The Open Web Application Security Project, renamed the Open Worldwide Application Security Project in 2023) is a non-profit foundation dedicated to improving software security. The OWASP Foundation is the go-to source for developers and technologists who want to secure the web, with hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences.

Other Organizations

  • BSI (Bundesamt für Sicherheit in der Informationstechnik; English: Federal Office for Information Security) is the German upper-level federal agency in charge of managing the German government's computer and communication security. Its areas of expertise and responsibility include computer application security, critical infrastructure protection, Internet security, cryptography, counter-eavesdropping, security product certification, and security test laboratory accreditation.
  • The Australian Cyber Security Centre (ACSC) leads the Australian Government’s efforts to improve cyber security. Their role is to help make Australia the most secure place to connect online.
  • INCIBE (Instituto Nacional de Ciberseguridad; English: the Spanish National Cybersecurity Institute), formerly the National Institute of Communication Technologies (INTECO), is a state-owned company reporting to the Ministry of Economic Affairs and Digital Transformation through the Secretary of State for Digitalization and Artificial Intelligence. It is the reference entity for the development of cybersecurity and digital trust for citizens, academic and research networks, professionals, companies, and especially the strategic sectors.
  • ANSSI: The Agence nationale de la sécurité des systèmes d'information (ANSSI; English: French National Agency for the Security of Information Systems) is a French service created on 7 July 2009 with responsibility for computer security.
  • The Qatar National Cyber Security Agency (NCSA) was established under the Amiri Decision No.1 of 2021. NCSA is responsible for implementing and overseeing issues associated with national cyber risks and threats, enhancing readiness and resilience against cyber crises, and protecting vital infrastructure, as well as other duties.
  • The Kingdom of Saudi Arabia National Cybersecurity Authority (NCA) was established in 2017 by a Royal Order that links it directly to HM the King. The NCA has both regulatory and operational functions related to cybersecurity and it works closely with public and private entities to improve the cybersecurity posture of the country in order to safeguard its vital interests, national security, critical infrastructures, high-priority sectors, and government services and activities in alignment with Vision 2030.
  • TC 260: The National Information Security Standardization Technical Committee (Technical Committee 260, or TC260) is the Chinese body in charge of developing cybersecurity standards and frameworks. Although it is not an enforcement body, it wields considerable influence over Chinese cyberspace: it has issued over 300 standards related to information security and cybersecurity, with another 700 in the pipeline, and its output is felt throughout the Chinese government. For example, in October 2020 it released an updated personal information security specification containing recommended data governance and security practices, and three weeks later the government published a draft of its updated Personal Information Protection Law for public comment.

In this series, we will examine the following standards in depth. First, let's list the important ones to get a sense of what we will be looking at next.


Well Known Standards

International Standards

  • ISO/IEC 27000 (27K) Series of Standards: a family of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through ISO/IEC JTC 1/SC 27. The standards are not specific to any industry, so they can be applied in any organization regardless of size or sector. The series' scope is deliberately broad, covering more than privacy, confidentiality, and technical IT security concerns. All organizations are encouraged to assess their information risks and then treat them (typically through information security controls) according to their own requirements, using the guidance where applicable. Because information risk and security are dynamic, the information security management system (ISMS) concept builds in continuous feedback and improvement to respond to changes in threats, vulnerabilities, and incident impacts. When the ISO 27000 series is mentioned, ISO/IEC 27001 comes to mind first: it is the requirements standard of the family, the one against which an organization's ISMS is audited and certified by accredited bodies, and its Annex A lists the generic controls an ISMS must consider (93 controls in four themes in the 2022 revision, down from 114 controls in 14 domains in the 2013 edition). Today the ISO 27000 family comprises more than 60 standards; the most widely used are the following.

  1. ISO/IEC 27001 — Information security management systems — Requirements
  2. ISO/IEC 27002 — Information security controls
  3. ISO/IEC 27005 — Guidance on managing information security risks
  4. ISO/IEC 27011 — Information security controls based on ISO/IEC 27002 for telecommunications organizations
  5. ISO/IEC 27017 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  6. ISO/IEC 27019 — Information security controls for the energy utility industry
  7. ISO/IEC 27031 — Guidelines for information and communication technology readiness for business continuity
  8. ISO/IEC 27033 — Network security (multi-part)
  9. ISO/IEC 27035 — Information security incident management (multi-part)
  10. ISO/IEC 27036 — Information security for supplier relationships (multi-part)
  11. ISO/IEC 27701 — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management (PIMS)
  12. ISO 27799 — Health informatics — Information security management in health using ISO/IEC 27002

  • ISA/IEC 62443 Series of Standards: The standards in the ISA/IEC 62443 series define the requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). They establish best practices for security and provide a means of evaluating security performance. Their holistic approach bridges the gap between operations and information technology, and between process safety and cybersecurity. The series sets cybersecurity benchmarks for all industries that use IACS, including building automation, electric power generation and distribution, medical devices, transportation, and process industries such as chemicals, and oil and gas. The IEC 62443 series is divided into four groups of documents:

  1. General (62443-1-x): documents that apply to the entire series, such as concepts, terminology, and the security lifecycle.
  2. Policies and Procedures (62443-2-x): requirements for the security programs of asset owners and service providers, including patch management.
  3. System (62443-3-x): requirements for system design, including risk assessment, security levels, and the zones-and-conduits model.
  4. Component (62443-4-x): detailed requirements for the products that make up an IACS (embedded devices, host devices, network devices, and software applications), including the secure product development lifecycle.

  • GDPR: The EU General Data Protection Regulation (GDPR) governs how the personal data of individuals in the EU may be processed and transferred. It sets out individuals' fundamental rights in the digital age, the obligations of those who process data, methods of demonstrating compliance, and sanctions for those who break the rules. The GDPR replaced the 1995 Data Protection Directive in 2018 and, unlike a directive, applies directly in every Member State; it focuses on making businesses more transparent and on expanding data subjects' rights. When a personal data breach is discovered, the controller must notify the supervisory authority within 72 hours of becoming aware of it, and must also inform the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. The GDPR applies to any organization established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU; it protects anyone located in the EU, whether or not they are an EU citizen. Fines for non-compliance can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
  • Common Criteria (ISO/IEC 15408): The Common Criteria for Information Technology Security Evaluation (Common Criteria, or CC) is the international standard for IT product security certification, published as ISO/IEC 15408. It is a framework for independent, repeatable, and mutually recognized security evaluations of IT products, and it is especially suited to products destined for high-assurance markets such as government, banking, and defence, where procurement rules frequently require a CC certificate. The standard has historically comprised three parts: Part 1 (Introduction and general model), Part 2 (Security functional requirements), and Part 3 (Security assurance requirements); the 2022 edition adds Part 4 (Framework for the specification of evaluation methods and activities) and Part 5 (Pre-defined packages of security requirements). Evaluators apply it together with the Common Evaluation Methodology (CEM, ISO/IEC 18045), which describes how an evaluation is actually performed.
  • NIST Standards: Although NIST's publications are formally US national standards, those in the field of information security are followed all over the world and form the basis of many national and sectoral standards. The NIST Special Publication (SP) 800 series presents material of interest to the computer security community: guidelines, recommendations, technical specifications, and annual reports. SP 800 publications are written to address the information security and privacy needs of the US Federal Government, but they are freely available and widely reused. The most widely adopted NIST document is the NIST Cybersecurity Framework (CSF), which gives organizations voluntary guidance, built on existing standards, guidelines, and practices, to better manage and reduce cybersecurity risk. It provides a common, easy-to-understand language for discussing cybersecurity risk at every level of the organization, from the server room to the board room. CSF 1.1 identifies five core functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in February 2024, adds a sixth, Govern). The framework describes desired outcomes rather than prescribing specific controls, applies to any risk management approach, covers the full scope of cybersecurity, and spans both prevention and response.
  • FIPS 140: Like the SP 800 series, FIPS 140 is a US federal standard that has become internationally accepted. NIST publishes the FIPS 140 series to specify the security requirements for cryptographic modules (hardware, firmware, or software) used by US federal departments and agencies. The current version is FIPS 140-3, which aligns with ISO/IEC 19790, and modules are validated against it by accredited laboratories under the Cryptographic Module Validation Program (CMVP). In practice, many regulated customers require the cryptographic libraries and hardware security modules in a product to be FIPS 140 validated, so a module's validation status is worth checking before it is designed in.
  • ETSI EN 303 645 is designed to prevent the large-scale, commodity attacks against smart devices that security practitioners see every day, by establishing a security baseline for connected consumer products and providing a basis for IoT certification schemes. It describes building security into IoT products from the design stage rather than bolting it on at the end. The standard groups its provisions into 13 areas, the top three being: no universal default passwords, a means to manage reports of vulnerabilities (a vulnerability disclosure policy), and keeping software updated. It also contains data protection provisions specific to consumer IoT devices.
  • CSA CCM: The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. Version 4 comprises 197 control objectives organized into 17 domains that cover all key aspects of cloud technology. It can be used to assess a cloud implementation systematically, and it specifies which security controls should be implemented by which actor in the cloud supply chain (provider or customer).
  • OWASP: The OWASP projects and standards will be explained in detail in a later chapter.

Industry Standards

  • PCI DSS (Payment Card Industry): The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and to facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data. Although PCI DSS was written specifically for environments that store, process, or transmit payment card account data, it can also be used to protect against threats and secure other elements of the payment ecosystem.
  • HIPAA (Healthcare Industry): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations are a set of US healthcare laws that, among other things, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). HIPAA applies to covered entities, which include doctors' offices, hospitals, health insurers, and other healthcare organizations that create, receive, maintain, transmit, or access PHI. It also applies to covered entities' business associates, who perform functions or activities involving PHI as part of providing services to or on behalf of the covered entity.

Note: One key distinction between HIPAA and GDPR is whom they apply to. The GDPR protects any individual located in the EU, regardless of nationality, and binds any organization that processes their personal data. HIPAA applies only to US covered entities (health plans, healthcare clearinghouses, and healthcare providers) and their business associates, and only to protected health information, not to personal data in general.

  • ISO/SAE 21434 (Automotive Industry): ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" was developed jointly by ISO and SAE working groups. It specifies cybersecurity engineering requirements across the entire lifecycle of a road vehicle. The standard is closely tied to UN Regulation No. 155, adopted by the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29) in 2020, which requires manufacturers to operate a certified Cyber Security Management System (CSMS) as a condition of vehicle type approval; in the EU this applies to all new vehicle types from July 2022 and to all newly produced vehicles from July 2024. ISO/SAE 21434 is the engineering standard manufacturers use to demonstrate compliance with that regulation.
  • TISAX (Automotive Industry): The ENX Association operates the Trusted Information Security Assessment Exchange (TISAX) on behalf of the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA). VDA created the Information Security Assessment (ISA) as a catalogue of criteria for assessing information security. The VDA ISA is based on ISO/IEC 27001 and ISO/IEC 27002, adapted for the automotive industry, and was updated in 2017 to add controls for the use of cloud services.
  • AS 7770 (Railway): This Standard specifies the requirements for Rail Transport Operators (RTOs) for managing cyber security risk on the Australian Railway Network. It has been developed to assist RTOs to establish and maintain a good practice approach to Operational Technology (OT) and Information Technology (IT) that is used within their organizations to operate rail systems and protect them from deliberate cyber-attack.
  • CLC/TS 50701 (Railway): The European Technical Specification CLC/TS 50701, published by CENELEC in 2021, applies ISA/IEC 62443 to the railway sector. It covers the communications, signalling, processing, rolling stock, and fixed installations domains, and it provides models and concepts from which requirements and recommendations can be derived, so that the residual risk from security threats is identified, supervised, and managed to an acceptable level by the railway system duty holder. CLC/TS 50701 can be used to define the list of OT components in a railway system and to build a list of railway-specific OT security measures.
  • RTCA DO-326A (Aviation): RTCA DO-326A, "Airworthiness Security Process Specification", provides guidance for handling the threat of intentional, malicious interference with aircraft systems. It defines compliance objectives and data requirements for aircraft and airborne equipment manufacturers and examines the interactions between security and safety. DO-326 and its EUROCAE counterpart ED-202 were the first of a series of documents on Aeronautical Systems Security addressing information security for airborne systems together with their related ground systems and environment. The original DO-326/ED-202 drew heavily on the then-current ISO/IEC 27005 from the ISO 27K family and on the de facto industry standard SAE ARP 4754, "Certification Considerations for Highly-Integrated or Complex Aircraft Systems", forming a relatively seamless continuum with them; the series has since been revised (DO-326A/ED-202A) and extended by companion documents such as DO-356A (security methods) and DO-355 (continuing airworthiness).
  • IMO Resolution MSC.428(98) (Maritime Industry): The International Maritime Organization (IMO) adopted Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems in 2017 and issued MSC-FAL.1/Circ.3 Guidelines on Maritime Cyber Risk Management after that. Whilst recognizing that cyber technologies had become essential to the operation and management of numerous systems critical to the safety and security of shipping and the protection of the marine environment, the IMO acknowledged the vulnerabilities of these technologies to cyber risks and cyber threats.
  • UR E26 / UR E27 (Maritime Industry): The International Association of Classification Societies (also abbreviated IACS, not to be confused with the industrial automation and control systems of IEC 62443) is a not-for-profit membership organization of classification societies that establishes minimum technical standards and requirements for maritime safety and environmental protection and ensures their consistent application. It has published two Unified Requirements for the maritime sector: UR E26, Cyber resilience of ships, and UR E27, Cyber resilience of onboard systems and equipment. Both apply to new ships contracted for construction on or after 1 July 2024.

Regional Standards

  • NERC CIP: The North American Electric Reliability Corporation (NERC) is a non-profit regulatory authority tasked with ensuring the reliability of the North American bulk power system, overseen by the US Federal Energy Regulatory Commission (FERC) and by Canadian governmental authorities. NERC develops and enforces the Critical Infrastructure Protection (CIP) standards. If you own, operate, or use the bulk electric system, you must register with NERC and comply with the CIP standards. The CIP standards do not apply directly to cloud service providers or third-party vendors, but they include objectives that registered entities must address when they use vendors in the operation of the Bulk Electric System (BES).
  • BSI IT-Grundschutz (Germany): Information security is the prerequisite for successful digitalization, and IT-Grundschutz provides a solid technical foundation and a comprehensive working tool for it. It is a method, a set of instructions and recommendations, and a self-help resource for authorities, companies, and institutions that want to protect their data, systems, and information. Companies or authorities can create IT-Grundschutz profiles for specific use cases and make them available to other interested parties; users with similar security requirements can use such a profile as a template to check their security level economically, or as the starting point for building an information security management system (ISMS) based on IT-Grundschutz.
  • Essential Eight (Australia): The Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organizations protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight. When implementing the Essential Eight, organizations should identify and plan for a target maturity level suitable for their environment. Organizations should then progressively implement each maturity level until that target is achieved. To assist organizations with their implementation of the Essential Eight, four maturity levels have been defined (Maturity Level Zero through to Maturity Level Three).
  • Cyber Essentials (United Kingdom): Cyber Essentials is a government-backed scheme, owned by the NCSC, that helps organizations of any size protect themselves against a wide range of common cyber attacks. Attacks come in many shapes and sizes, but the vast majority are simple in nature and carried out by relatively unskilled individuals, and vulnerability to simple attacks marks you out as a target for more determined unwanted attention from cyber criminals and others. There are two certification levels. Cyber Essentials is a self-assessment option: you declare that the scheme's technical controls are in place, which gives assurance that your defences will withstand the great majority of commodity attacks. Cyber Essentials Plus keeps the same simple approach and the same required controls, but adds a hands-on technical verification carried out by an assessor.
  • ITSG-33 (Canada): ITSG-33, published by the Communications Security Establishment (CSE), was developed to help the Government of Canada (GC) ensure that security is considered from the start of a system's life. It contains a catalogue of security controls organized into three classes of control families: technical, operational, and management. Technical controls are implemented with technology, such as a firewall; operational controls are implemented through human processes, such as manual procedures; and management controls address the management of IT security and IT security risk.


In the next articles of the series, we will look at the details of both the standards and the organizations. In particular, I would like to build an almanac of cybersecurity standards here by explaining, with examples, how to adapt the standards to our own infrastructure.
