Five standardization bodies security professionals need to know
Standardization bodies are organizations that exist specifically for developing, coordinating, promoting and interpreting technical standards.
As with any vital area, there are several standardization bodies focused on producing information security related standards. Here are five standardization bodies all security engineers should know about:
The International Organization for Standardization (ISO)
ISO is an international standardization body composed of representatives from multiple national standards organizations. ISO is responsible for the principal information security standards series, the ISO 27000 family.
Composed of more than a dozen published standards, the 27000 family helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
ISO/IEC 27001 is the best-known standard in the family. It provides the requirements for an information security management system (ISMS), a must read for any security engineer.
The National Institute of Standards and Technology (NIST)
NIST is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
Amongst several freely available special publications, including the SP 800 (Computer security), SP 1800 (Cybersecurity practice guides) and SP 500 (Information technology (relevant documents)) series, the NIST Cybersecurity Framework (NIST CSF) is a policy framework that provides guidance on how private-sector organizations in the United States can assess and improve their ability regarding computer security.
Another great publication is NIST’s special publication 800-30, a guide for conducting risk assessments that shares more than a few similarities with ISO/IEC 27005 — Information security risk management, but has the advantage of being completely free.
The British Standards Institution (BSI)
BSI is the United Kingdom’s national standardization body. BSI produces several technical standards on a wide range of products and services, and also supplies certification and standards-related services to businesses.
In 1995, the BSI was responsible for the publications of the British Standard 7799, which later became ISO/IEC 27001, the most internationally recognized and widely used information security management standard.
With a deep ISO/IEC 27001 knowledge, BSI not only helps improving it, but also provides services that train and certify countless organizations around the world to embed an effective ISO/IEC 27001 ISMS.
The Internet Engineering Task Force (IETF)
IETF is an open standards organization with no formal membership or membership requirements. The IETF creates and promotes voluntary Internet standards, in particular the standards for the Internet protocol suite (TCP/IP).
The IETF is organized in several working groups, focused into areas by subject matter. The current areas include applications, Internet, operations and management, real-time applications and infrastructure, routing, transport and, quite obviously, security.
The Payment Card Industry Security Standards Council (PCI SSC)
PCI SSC is a global, open body responsible for creating, improving, disseminating and helping with the understanding of the security standards for payment account security.
The Payment Card Industry Data Security Standard (PCI DSS) was devised as a means of increasing security controls over cardholder data and reducing the risk of credit card fraud. It requires an annual compliance validation, conducted either by an external qualified security assessor (QSA) or by a company-specific internal security assessor that creates a compliance report for organizations handling large amounts of transactions. For handling smaller volumes, it’s also possible to perform a self-assessment questionnaire (SAQ).
While understanding the PCI is only mandatory for companies that handle cardholder information, any security engineer can benefit from the standard’s knowledge, since it is free, and its control objectives include relevant information for the protection of any company.
The Payment Application Data Security Standard (PA-DSS) is another important PCI publication. This standard primary objective is to help prevent developed payment applications for third parties from storing prohibited secure data such as the magnetic stripe, CVV2 or PIN. Quite obviously, the PA-DSS is closely linked with the PCI-DSS, as it determines that payment applications must be compliant with the Payment Card Industry Data Security Standards.