What is it?
A common set of rules designed to ensure interoperability between different products, systems, and organizations.
Why is it important?
Standards provide stable, long-term guidelines that products can be validated against to ensure they will operate correctly and securely with other products that adhere to the same standard. Standards reflect the best practices of experienced cybersecurity professionals.
Why does a business professional need to know this?
Business professionals must decide which standards make business sense for their companies to implement. In the area of cybersecurity, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) (NIST 2017) is the most widely used framework for cybersecurity.
Other important security standards and standards organizations include the following:
- ISO/IEC 27001 and 27002: information security management systems (ISO/IEC 27000)
- Consortium for IT Software Quality (CISQ): develops standards related to software quality (CISQ)
- Information Security Forum (ISF): publishes the Standard of Good Practice (SoGP)
- ISO 15408: standards for computer security certification, also known as Common Criteria (ISO 15408)
- Payment Card Industry Data Security Standard (PCI DSS): standard for handling credit and debit card data and transactions (PCI DSS)
- Federal Information Processing Standards (FIPS): series of standards for cryptography and US federal standards for government systems (FIPS)
Some standards, for example PCI DSS, are mandated by industry to ensure a high level of security across multiple participants. If you want to process credit and debit cards, you must follow PCI DSS or partner with a processor who complies with that standard. Other standards are based on industry best practices that have been shown to improve security.
- (ISO/IEC 27000) ISO/IEC 27000 family – Information security management systems: International Organization for Standardization (ISO) (2013). Home to the ISO/IEC 27000 family of standards, which provides a model for setting up and operating an information security management system.
- (CISQ) Consortium for IT Software Quality (CISQ): CISQ (2017). IT leadership group that develops international standards that enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership.
- (SoGP) The ISF Standard of Good Practice for Information Security: Information Security Forum (2016). Executive summary of the standard and information about topics including threat intelligence, risk assessment, security architecture, and enterprise mobility management. Registration required.
- (ISO 15408) Common Criteria: Home for the Common Criteria for Information Technology Security Evaluation and the companion Common Methodology for Information Technology Security Evaluation standards. Common Criteria standards are used to eliminate redundant evaluation activities, clarify terminology to reduce misunderstanding, and restructure and refocus evaluation activities to those areas where security assurance is gained.
- (FIPS) FIPS General Information: FIPS (2017). National Institute of Standards and Technology (NIST). Home of the US Federal Information Processing Standards, which includes a variety of online resources, publications, and access to a keyword-searchable publication database.