Five standardization bodies security professionals need to know
Standardization bodies are organizations that exist specifically for developing, coordinating, promoting and interpreting technical standards.
As with any vital area, there are several standardization bodies focused on producing information security related standards. Here are five standardization bodies all security engineers should know about:
The International Organization for Standardization (ISO)
ISO is an international standardization body composed of representatives from multiple national standards organizations. ISO is responsible for the principal information security standards series, the ISO 27000 family.
Composed of more than a dozen published standards, the 27000 family helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family. It provides the requirements for an information security management system (ISMS), a must read for any security engineer.
The National Institute of Standards and Technology (NIST)
NIST is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
Amongst several freely available special publications, including the SP 800 (Computer security), SP 1800 (Cybersecurity practice guides) and SP 500 (Information technology (relevant documents)) series, the NIST Cybersecurity Framework (NIST CSF) is a policy framework that provides guidance on how private-sector organizations in the United States can assess and improve their ability regarding computer security.
Another great publication is NIST’s special publication 800-30, a guide for conducting risk assessments that shares more than a few similarities with ISO/IEC 27005 — Information security risk management, but has the advantage of being completely free.
The British Standards Institution (BSI)
BSI is the United Kingdom’s national standardization body. BSI produces several technical standards on a wide range of products and services, and also supplies certification and standards-related services to businesses.
In 1995, the BSI was responsible for the publications of the British Standard 7799, which later became ISO/IEC 27001, the most internationally recognized and widely used information security management standard.
With a deep ISO/IEC 27001 knowledge, BSI not only helps improving it, but also provides services that train and certify countless organizations around the world to embed an effective ISO/IEC 27001 ISMS.
The Internet Engineering Task Force (IETF)
IETF is an open standards organization with no formal membership or membership requirements. The IETF creates and promotes voluntary Internet standards, in particular the standards for the Internet protocol suite (TCP/IP).
The IETF is organized in several working groups, focused into areas by subject matter. The current areas include applications, Internet, operations and management, real-time applications and infrastructure, routing, transport and, quite obviously, security.
The Payment Card Industry Security Standards Council (PCI SSC)
PCI SSC is a global, open body responsible for creating, improving, disseminating and helping with the understanding of the security standards for payment account security.
The Payment Card Industry Data Security Standard (PCI DSS) was devised as a means of increasing security controls over cardholder data and reducing the risk of credit card fraud. It requires an annual compliance validation, conducted either by an external qualified security assessor (QSA) or by a company-specific internal security assessor that creates a compliance report for organizations handling large amounts of transactions. For handling smaller volumes, it’s also possible to perform a self-assessment questionnaire (SAQ).
While understanding the PCI is only mandatory for companies that handle cardholder information, any security engineer can benefit from the standard’s knowledge, since it is free, and its control objectives include relevant information for the protection of any company.
The Payment Application Data Security Standard (PA-DSS) is another important PCI publication. This standard primary objective is to help prevent developed payment applications for third parties from storing prohibited secure data such as the magnetic stripe, CVV2 or PIN. Quite obviously, the PA-DSS is closely linked with the PCI-DSS, as it determines that payment applications must be compliant with the Payment Card Industry Data Security Standards.
What should you learn next?
Sources
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Five standardization bodies security professionals need to know
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security