Standards can be contrasted with another category of documents, generally referred to as guidelines. Both standards and guidelines provide guidance aimed at enhancing cyber security, but guidelines usually lack the level of consensus and formality associated with standards. Some standards, such as ANSI Standards and FIPS Publications, are easily recognized because they include the term "standard" in their titles. Others are harder to recognize. For example, standards issued by the International Telecommunication Union (ITU), an international standards developer, are designated as Recommendations. A standard issued by the IETF starts out as an RFC and retains that designation even after being adopted as a standard. In other cases, documents that are not standards in the strict sense of the word may be treated as such by an organization if it suits the organization's needs. For example, many US and international organizations and businesses have adopted National Institute of Standards and Technology (NIST) Special Publications as standards, even though those documents are published as guidelines for use by US Federal agencies.
Some organizations develop both standards and guidelines. For example, in addition to international standards, ISO/IEC issues several types of guidelines, including technical specifications, publicly available specifications (PAS), and technical reports, according to the ISO/IEC Directives, Part 1, Section 3. A technical specification may be published when the immediate release of an international standard is not feasible, such as when the subject in question is still under development. A PAS may be an intermediate specification published prior to the development of a full international standard, or, in the International Electrotechnical Commission (IEC), it may be a "dual logo" publication published in collaboration with an external organization. A PAS does not fulfill the requirements for a standard. A technical report is an informative document generally intended to educate the reader, not to specify an international standard.
Why do we need standards?
Protecting your organization's information is critical for the successful management and smooth operation of your organization. Following a standard will aid your organization in managing and protecting your valuable data and information assets.
Standards provide us with a common set of reference points that enable us to evaluate whether an organization has processes, procedures and other controls in place that meet an agreed minimum requirement. If an organization is compliant with (meets) a certain standard, this gives third parties such as customers, suppliers and partners confidence in that organization's ability to deliver to that standard. It can also provide an organization with a competitive advantage over other organizations. For example, an organization that is compliant with a security standard may have an advantage over a competitor that is not when customers are evaluating their products or services.
Standards can also help organizations meet regulatory requirements such as the Data Protection Act, SOX, HIPAA, etc. By using a standard to create a strong foundation for managing and securing your systems, you will find it easier to meet existing and new regulatory requirements than an organization that does not.
Benefits in following Standards
Compliance with legislation: Having a structured Information Security Management System in place makes the task of compliance much easier.
Improved Management: Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.
Improved Customer and Partner Relationships: By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.
Reduced Costs: A standards-based approach to information security ensures that all controls are measured and managed in a structured manner. This makes processes and procedures more streamlined and effective, thus reducing costs.
Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning systems from assets with low risk to those with higher risk.
Market Reach: Improved market access as a result of increased competitiveness and efficiency, reduced trading costs, simplified contractual agreements, and increased quality.
Increased reliability and security of systems: Security is often defined as protecting the Confidentiality, Integrity and Availability of an asset. Using a standards-based approach, which ensures that adequate controls, processes and procedures are in place, will ensure that the above goals are met. Meeting the CIA goals of security will, in turn, improve the reliability, availability and stability of systems.
Increased profits: Having stable, secure and reliable systems ensures that interruptions to those systems are minimized, thereby increasing their availability and productivity. In addition to the above, a standards-based approach to information security demonstrates to customers that the company can be trusted with their business. This can increase profitability by retaining existing customers and attracting new ones.
Some Standards and Specifications
IT Governance Standards and Best Practices
ISO/IEC 27000 family of Information Security Management Systems – This document provides an overview of the ISO/IEC 27000 family of Information Security Management Systems standards, which consists of inter-related standards and guidelines, already published or under development, and contains a number of significant structural components.
ISO 27001 – This document specifies the ISO requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO 27002 – This document introduces the code of practice for information security controls.
COBIT – The Control Objectives for Information and related Technology (COBIT) is published by the Standards Board of the Information Systems Audit and Control Association (ISACA) and provides a control framework for the governance and management of enterprise IT.
Common Criteria (also known as ISO/IEC 15408) – This set of evaluation criteria is developed by and aligned with the national security standards organizations of Australia, Canada, France, Germany, Japan, the Netherlands, New Zealand, Spain, the UK and the US.
ITIL (or ISO/IEC 20000 series) – This document introduces a collection of best practices in IT service management (ITSM); it focuses on the service processes of IT and considers the central role of the user.
National Information Security Technology Standard Specification – This webpage introduces a collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards cover information security management, information security evaluation, authentication and authorization, etc.
SANS Security Policy Resource – These resources are published by the SANS Institute for the rapid development and implementation of information security policies.
Guidelines on Safeguarding Data Privacy
A Series of Guidance Notes on Data Privacy – The guidance notes are provided by the Office of the Privacy Commissioner for Personal Data to specific industries, organisations and users for general reference.
Guidelines on Conducting Online Businesses and Activities
Electronic Transactions Ordinance – This Ordinance gives electronic records and digital signatures used in electronic transactions the same legal status as their paper-based counterparts.
Consumer Protection in E-commerce – OECD Recommendation – This guideline is published by the Organisation for Economic Co-operation and Development (OECD) and lists the principles and good practices for e-commerce.
OWASP Top Ten Project – This document on web application security is published by the Open Web Application Security Project (OWASP) and represents a broad consensus about what the most critical web application security flaws are.
Payment Card Industry Data Security Standard – This standard is developed by a number of major credit card companies (including American Express, MasterCard Worldwide and Visa International) for enhancing payment account data security.
Technical Standards Relevant to Cloud Computing – This webpage introduces a collection of technical standards relevant to cloud computing released by various international organisations. These standards cover management, web services, security of cloud computing, etc.
TRUSTe – Under this program, a privacy seal, also called a "trustmark", is awarded to websites that adhere to the privacy principles and comply with the oversight and consumer resolution process.
WebTrust program – Under this program, a WebTrust seal on a website means the company complies with the WebTrust principles, including online privacy, security, business practices and transaction integrity, availability, and WebTrust for Certification Authorities.