Standards for Enterprise Cybersecurity



While cybersecurity is a topic as vast as the Internet, S4E will begin with Information Security Forum’s Standard of Good Practice.

 

ISF is a global nonprofit association headquartered in London (web site: SecurityForum.org). It has existed since 1989, and information security best practice research is its mantra. On its home page it claims “The ISF is the world's leading authority on information risk management.”

Only members can access ISF’s Standard of Good Practice and its library of reports on information security issues, along with its web-based solutions for security assessment, benchmarking and risk management.

As you can imagine, a number of other organizations have entered the fray of cybersecurity standards development. Some are industry-specific and industry-sponsored; others are government-specific and government-sponsored.

For example, the U.S. National Institute of Standards and Technology (NIST, a division of the U.S. Department of Commerce) has existed since 1901. Originally known as the National Bureau of Standards, NIST exists to “Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

Recently NIST has developed and published Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, along with a number of other publications in the 800 series, all available free of charge from the NIST web site.

To return briefly to a global level, we will point to ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity.

ISO, the International Organization for Standardization, is based in Geneva, Switzerland, and claims to be “the world’s largest developer of international voluntary standards.” S4E heartily agrees with ISO when it states on its About Us page: “International Standards make things work. They give world-class specifications for products, services and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade.”

IEC, the International Electrotechnical Commission, focuses on “International Standards and Conformity Assessment for all electrical, electronic and related technologies.”

Working through a joint technical committee, ISO and IEC developed ISO/IEC 27032:2012. The standard provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:

  • information security,
  • network security,
  • internet security, and
  • critical information infrastructure protection (CIIP).

It covers baseline security practices for stakeholders in Cyberspace. This International Standard provides:

  • an overview of Cybersecurity,
  • an explanation of the relationship between Cybersecurity and other types of security,
  • a definition of stakeholders and a description of their roles in Cybersecurity,
  • guidance for addressing common Cybersecurity issues, and
  • a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.

Next, and finally for this paper, we will discuss the ISA/IEC 62443 standards, which assist in implementing electronically secure Industrial Automation and Control Systems (IACS). These standards apply to end users (i.e., asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

The International Society of Automation (www.isa.org) was founded in 1945 and is based in Research Triangle Park, North Carolina, U.S.A. ISA is a leading global nonprofit organization that sets the standard for automation by helping over 30,000 members worldwide and other professionals solve difficult technical problems, while enhancing their leadership and career capabilities.

ISA industrial cybersecurity standards include:

  • ANSI/ISA-62443-3-3 (99.03.03)-2013 - Security for Industrial Automation and Control Systems, Part 3-3: System Security Requirements and Security Levels
  • ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-1-1 (99.01.01)-2007 - Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models

It is safe to assume the organizations and agencies listed above will become even more aggressive in addressing cybersecurity standards in light of the Sony/North Korea debacle. Applying the latest standards and updates to your enterprise systems must become a higher priority than ever before.

S4E will continue to follow cybersecurity standards development and keep members updated.


S4E Inc.
Pittsburgh, Pennsylvania 15101 USA
+1-412-487-2922