While cybersecurity is a topic as vast as the Internet, S4E will begin with Information Security Forum’s Standard of Good Practice.
ISF is a global nonprofit association headquartered in London, with the URL SecurityForum.org. This organization has been around since 1989. Information security best practice research is its mantra. On their home page they claim “The ISF is the world's leading authority on information risk
Only members can access ISF’s Standard of Good Practice and its library of reports about information security issues, along with powerful web-based solutions for security assessment, benchmarking and risk management.
As you can imagine, a number of other organizations have entered the fray of cybersecurity standards development. Some are industry specific and industry sponsored; others are government specific and government sponsored.
For example, the U.S. National Institute of Standards and Technology (NIST, a division of the U.S. Department of Commerce) has been in existence since 1901. Originally known as the National Bureau of Standards, NIST exists to “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”
To return briefly to a global level, we will point to ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity.
ISO is the International Organization for Standardization, based in Geneva, Switzerland, and claims to be “the world’s largest developer of international voluntary standards.” S4E heartily agrees with ISO when it states on its About Us page: “International Standards make things work. They give world-class specifications for products, services and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade.”
Working via a joint technical committee, ISO and IEC developed ISO/IEC 27032:2012. This standard provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:
- information security,
- network security,
- internet security, and
- critical information infrastructure protection (CIIP).
It covers the baseline security practices for stakeholders in Cyberspace. This International Standard provides:
- an overview of Cybersecurity,
- an explanation of the relationship between Cybersecurity and other types of security,
- a definition of stakeholders and a description of their roles in Cybersecurity,
- guidance for addressing common Cybersecurity issues, and
- a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.
The final topic in this paper is the ISA/IEC-62443 series of standards, which assist in the implementation of electronically secure Industrial Automation and Control Systems (IACS). These standards apply to end users (i.e., asset owners), system integrators, security practitioners, and control system manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
The International Society of Automation (www.isa.org) was founded in 1945 and is based in Research Triangle Park, North Carolina, U.S.A. ISA is a leading, global, nonprofit organization that is setting the standard for automation by helping over 30,000 worldwide members and other professionals solve difficult technical problems, while enhancing their leadership and personal career capabilities.
ISA industrial cybersecurity standards include:
It is safe to assume that the organizations and agencies listed above will become even more aggressive in addressing cybersecurity standards in light of the Sony/North Korea debacle. Applying the latest standards and updates to your enterprise systems must become a greater priority than ever before.
S4E will continue to follow cybersecurity standards development and keep members updated.