Cyber security standards

Presentation on theme: "Cyber security standards"— Presentation transcript:

1 Cyber security standards
Controls by Erlan Bakiev, Ph.D.

2 Cybersecurity standards
Cybersecurity standards are techniques, generally set forth in published materials, that attempt to protect the cyber environment of a user or organization. This environment includes:
- users themselves
- networks
- devices
- all software
- processes
- information in storage or transit
- applications
- services
- systems that can be connected directly or indirectly to networks

3 Cybersecurity standards cont.
The principal objective is to reduce risk, including the prevention or mitigation of cyber-attacks. These published materials consist of collections of:
- tools
- policies
- security concepts
- security safeguards
- guidelines
- risk management approaches
- actions
- training
- best practices
- assurance
- technologies

5 Cybersecurity standards cont.
Cybersecurity standards have existed for several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices, generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s. Also, many tasks that were once carried out by hand are now carried out by computer; therefore there is a need for information assurance (IA) and security. Around 70% of the surveyed organizations see the NIST Cybersecurity Framework as the most popular best practice for computer security, but many note that it requires significant investment (US SFA study report, 2016).

6 NIST Cybersecurity Framework (NIST CSF)
The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks. It provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes. It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.

7 ETSI Cyber Security Technical Committee (TC CYBER)
TC CYBER is responsible for the standardization of Cyber Security internationally and for providing a center of relevant expertise for other ETSI committees. Growing dependence on networked digital systems has brought with it an increase in both the variety and quantity of cyber-threats. The different methods governing secure transactions in the various Member States of the EU sometimes make it difficult to assess the respective risks and to ensure adequate security. Building on ETSI's world-leading expertise in the security of Information and Communications Technologies (ICT), it set up a new Cyber Security committee (TC CYBER) in 2014 to meet the growing demand for standards to protect the Internet and the communications and business it carries.

8 ETSI Cyber Security Technical Committee (TC CYBER) Cont
TC CYBER is working closely with relevant stakeholders to develop appropriate standards to increase privacy and security for organizations and citizens across Europe. The committee is looking in particular at the security of infrastructures, devices, services and protocols, as well as at security tools and techniques. It offers security advice and guidance to users, manufacturers, and network and infrastructure operators. Its standards are freely available online. A principal work item is the production of a global cyber security ecosystem of standardization and other activities.

9 ISO/IEC 27001 and 27002
ISO/IEC 27001, part of the growing ISO/IEC family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements. ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control.

10 ISO/IEC 27001 and 27002 Cont.
ISO/IEC 27002 incorporates mainly part 1 of the BS 7799 good security management practice standard; BS 7799 has since been revised. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organization seeking certification to the ISO/IEC 27001 standard. The certification, once obtained, lasts three years. Depending on the auditing organization, no or some intermediate audits may be carried out during the three years.

11 CISQ
CISQ develops standards for automating the measurement of software size and software structural quality. CISQ is a special interest group of the Object Management Group that submits specifications for approval as OMG international standards. The measurement standards are used for the static program analysis of software, a software testing practice that identifies critical vulnerabilities in the code and architecture of a software system. CISQ-developed standards are used to manage the Security, Reliability, Performance Efficiency and Maintainability characteristics of software risk.

12 CISQ Cont.
The Automated Source Code Security standard is a measure of how easily an application can suffer unauthorized penetration which may result in stolen information, altered records, or other forms of malicious behavior. The Security standard is based on the most widespread and frequently exploited security weaknesses in software as identified in the Common Weakness Enumeration, SANS Top 25, and OWASP Top 10. The Automated Source Code Reliability standard is a measure of the availability, fault tolerance, recoverability, and data integrity of an application.

13 Standard of Good Practice
In the 1990s, the Information Security Forum (ISF) published a comprehensive list of best practices for information security as the Standard of Good Practice (SoGP). The ISF continues to update the SoGP every two years (with one exception); the latest version was published in 2016. Originally the Standard of Good Practice was a private document available only to ISF members, but the ISF has since made the full document available for sale to the general public. Among other programs, the ISF offers its member organizations a comprehensive benchmarking program based on the SoGP.

14 NERC
The North American Electric Reliability Corporation (NERC) addresses patching in NERC CIP Requirement 2. It requires Bulk Power System (BPS) Operators/Owners to identify the source or sources utilized to provide security-related patches for Cyber Assets utilized in the operation of the Registered Entity. Registered Entities are required to check for new patches once every thirty-five calendar days. Upon identification of a new patch, entities are required to evaluate the applicability of the patch and then complete mitigation or installation activities within 35 calendar days of completing the applicability assessment. The bulk electric system standards also provide network security administration while still supporting best-practice industry processes.
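The two 35-day windows in this slide (re-checking patch sources, and acting within 35 days of the applicability assessment) can be tracked with a small deadline checker. This is an added example, not part of the original slides or of any NERC material; the PatchRecord fields, the status labels and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows stated in the slide: check patch sources every 35 calendar days, and
# complete mitigation or installation within 35 calendar days of finishing
# the applicability assessment.
SOURCE_CHECK_DAYS = 35
ACTION_WINDOW_DAYS = 35


@dataclass
class PatchRecord:
    """Hypothetical tracking record for one security patch (field names are assumptions)."""
    patch_id: str
    identified: date                   # date the patch was identified from a source
    assessed: Optional[date] = None    # date the applicability assessment was completed
    applicable: Optional[bool] = None  # result of the assessment
    actioned: Optional[date] = None    # date installation or mitigation was completed

def next_source_check_due(last_check: date) -> date:
    """Latest date by which the patch source(s) must be checked again."""
    return last_check + timedelta(days=SOURCE_CHECK_DAYS)

def source_check_overdue(last_check: date, today: date) -> bool:
    """True once more than 35 calendar days have passed since the last source check."""
    return today > next_source_check_due(last_check)

def action_deadline(rec: PatchRecord) -> Optional[date]:
    """Mitigation/installation deadline; exists only once a patch is assessed as applicable."""
    if rec.assessed is None or not rec.applicable:
        return None
    return rec.assessed + timedelta(days=ACTION_WINDOW_DAYS)

def patch_status(rec: PatchRecord, today: date) -> str:
    """Compliance status of one patch against the 35-day action window."""
    if rec.assessed is None:
        return "awaiting assessment"
    if not rec.applicable:
        return "not applicable"
    deadline = action_deadline(rec)
    if rec.actioned is not None:
        return "complete" if rec.actioned <= deadline else "complete (late)"
    return "overdue" if today > deadline else "in progress"

if __name__ == "__main__":
    # Constructed sample: identified Jan 10, assessed applicable Jan 20 -> action due Feb 24.
    rec = PatchRecord("PATCH-EXAMPLE-1", date(2024, 1, 10), date(2024, 1, 20), True)
    print(rec.patch_id, action_deadline(rec), patch_status(rec, date(2024, 2, 25)))
```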

15 ISA/IEC-62443 (formerly ISA-99)
It is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e., asset owners), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.

16 ISA/IEC-62443 (formerly ISA-99) Cont.
These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.

17 ISA/IEC-62443 (formerly ISA-99) Cont.
ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject. These work products are then submitted to ISA for approval and publication under ANSI. They are also submitted to IEC for review and approval as standards and specifications in the IEC 62443 series.

18 IEC 62443 Conformity Assessment Program
The ISA Security Compliance Institute (ISCI) operates the first conformity assessment scheme for IEC 62443 IACS cybersecurity standards. This program certifies Commercial Off-the-shelf (COTS) IACS products and systems, addressing the security of the IACS supply chain.

19 Security controls
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

20 Classification of Security controls
According to the time that they act, relative to a security incident:
- Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
- During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
- After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.

21 Classification of Security controls Cont.
According to their nature:
- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.

22 International information security standards
ISO/IEC 27001 specifies 114 controls in 14 groups:
- A.5: Information security policies
- A.6: How information security is organized
- A.7: Human resources security - controls that are applied before, during, or after employment
- A.8: Asset management
- A.9: Access controls and managing user access
- A.10: Cryptographic technology
- A.11: Physical security of the organization's sites and equipment
- A.12: Operational security
- A.13: Secure communications and data transfer
- A.14: Secure acquisition, development, and support of information systems
- A.15: Security for suppliers and third parties
- A.16: Incident management
- A.17: Business continuity/disaster recovery (to the extent that it affects information security)
- A.18: Compliance - with internal requirements, such as policies, and with external requirements, such as laws

23 U.S. Federal Government information security standards
From NIST Special Publication SP revision 4, the control families are:
- AC Access Control
- AT Awareness and Training
- AU Audit and Accountability
- CA Security Assessment and Authorization (historical abbreviation)
- CM Configuration Management
- CP Contingency Planning
- IA Identification and Authentication
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PE Physical and Environmental Protection
- PL Planning
- PS Personnel Security
- RA Risk Assessment
- SA System and Services Acquisition
- SC System and Communications Protection
- SI System and Information Integrity
- PM Program Management

24 U.S. Department of Defense information security standards
From DoD Instruction, there are 8 Information Assurance (IA) areas, and the controls are referred to as IA controls:
- DC Security Design & Configuration
- IA Identification and Authentication
- EC Enclave and Computing Environment
- EB Enclave Boundary Defense
- PE Physical and Environmental
- PR Personnel
- CO Continuity
- VI Vulnerability and Incident Management
