Fundamentals of information systems security Ch 12 Summary
World Wide Web Consortium (W3C) - Standards developed or endorsed
•Cascading Style Sheets (CSS) •HyperText Markup Language (HTML) •Simple Object Access Protocol (SOAP) •Extensible Markup Language (XML)
Information Security Standards
•Necessary to create and maintain a competitive market for hardware and software vendors •Guarantee compatibility between products from different countries •Provide guidelines to ensure that products in today's computing environments work together
International Electrotechnical Commission (IEC) - Standards address a wide variety of areas
•Power generation •Semiconductors •Telecommunications •Physical computer and networking hardware
International Electrotechnical Commission (IEC)
•Works with the ISO •Is the preeminent organization for developing and publishing international standards for technologies related to electrical and electronic devices and processes
Request for Comments (RFC)
A document that ranges from a simple memo to several standards documents RFC model allows input from many sources; encourages collaboration and peer review Only some RFCs specify standards RFCs never change RFCs may originate with other organizations RFCs that define formal standards have four stages: Proposed Standard (PS), Draft Standard (DS), Standard (STD), and Best Current Practice (BCP)
ISO 17799 (Withdrawn)
A former international security standard that has been withdrawn. Is a comprehensive set of controls that represent best practices information systems. Enables potential customers to evaluate organizations on their efforts toward securing data.
Payment Card Industry Security Standards Council (PCI SSC)
Developed, publishes, and maintains the standards for payment cards.
Internet Engineering Task Force (IETF)
Develops and promotes Internet standards Focuses on the engineering aspects of Internet communication Works closely with the W3C and ISO/IEC Is a collection of working groups (WGs), with each group addressing a specific topic
ETSI Cyber Security Technical Committee (TC CYBER)
Develops standards for information and communications technologies (ICT) that are commonly adopted by member countries in the European Union (EU)
ITU-T Information Security Recommendations - X.1300 - X.1399: Secure applications and services
Different from X.1100 - X.1199, this series focuses on emergency communications and sensor network security
How many series does ITU-T divide its recommendations into?
Divides its recommendations into 26 separate series, each bearing a unique letter of the alphabet •For example, switching and signaling recommendations are in the Q series
ITU-T Information Security Recommendations - X.1100 - X.1199: Secure applications and services
Ensuring that applications and services are developed and deployed in a secure manner
National Institute of Standards and Technology (NIST)
Federal agency within the U.S. Department of Commerce Mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life" Provides standards for measurement and technology on which nearly all computing devices rely
ITU-T Information Security Recommendations- X.1500 - X.1599: Cybersecurity information exchange
Focused on exchanging information between actors in a secure manner
ITU-T Information Security Recommendations - X.1000 - X.1099: Information and network security
General network security
Common IEEE 802 Standard Working Groups - What are common group standards?
Has the largest number of members of any technical professional organization in the world. Supports 39 societies that focus activities on specific technical areas, including magnetics, photonics, and computers. Provides training and educational opportunities covering a wide number of engineering topics.
Payment Card Industry Data Security Standard (PCI DSS)
International standard for handling transactions involving payment cards. Applies to all organizations that participate in any of the processes surrounding payment card processing. Requires layers of controls to protect all payment card-related information as it is processed, transmitted, and stored.
International Telecommunication Union Telecommunication Sector (ITU-T)
Is a United Nations agency responsible for managing and promoting information and technology issues.
Internet Architecture Board (IAB)
Is a subcommittee of the IETF Serves as an advisory body to the Internet Society (ISOC) Is composed of independent researchers and professionals who have a technical interest in the well-being of the Internet Provides oversight for the following: •Architecture for Internet protocols and procedures •Processes used to create standards •Editorial and publication procedures for RFCs •Confirmation of IETF chair and technical area directors
Institute of Electrical and ElectronicsEngineers (IEEE)
Is an international nonprofit organization that focuses on developing and distributing standards that relate to electricity and electronics.
ANSI is composed of __________?
Is composed of government agencies, organizations, educational institutions, and individuals
What does the ITU-T responsible for?
Is responsible for ensuring the efficient and effective production of standards covering all fields of telecommunications for all nations
World Wide Web Consortium (W3C)
Is the main international standards organization for the World Wide Web. Develops protocols and guidelines that unify the Web and ensure its long-term growth.
Standards Organizations
National Institute of Standards and Technology (NIST) International Organization for Standardization (ISO) International Electrotechnical Commission (IEC) World Wide Web Consortium (W3C) Internet Engineering Task Force (IETF) Institute of Electrical and Electronics Engineers (IEEE) International Telecommunication Union Telecommunication Sector (ITU-T) American National Standards Institute (ANSI) ETSI Cyber Security Technical Committee (TC CYBER)
ITU-T Information Security Recommendations - X.1200 - X.1299: Cyberspace security
Overall cybersecurity, identity management, and countering spam
What does (ANSI) over see?
Oversees the creation, publication, and management of many standards and guidelines that directly affect businesses in nearly every sector.
What does (ANSI) produce?
Produces standards that affect nearly all aspects of IT but primarily software development and computer system operation
ITU-T Information Security Recommendations - X.800 - X.849: Security
Recommendations in this series address security issues as they relate to different networking layers
ISO/IEC 27002: 12 Major sections
Risk Assessment, Security Policy, Organization of Information Security, Asset Management, Human Resources Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Information Systems Acquisitions Development and Maintenance, Information Security Incident Management, Business Continuity Management, Compliance.
ITU-T Information Security Recommendations- X.1600 - X.1699: Cloud computing security
Security topics specifically related to cloud environments
What does (TC Cyber) standards cover in technologies?
Standards cover both wired and various wireless communication technologies
What does (TC Cyber) standards focus on regarding security?
Standards focus on security issues related to the Internet and the business communications it transports.
American National Standards Institute (ANSI)
Strives to ensure the safety and health of consumers and the protection of the environment.
ISO/IEC 27002
Supersedes ISO 17799 Directs its recommendations to management and security personnel responsible for information security management systems. Expands on its predecessor by adding two new sections and reorganizing several others.