Security Policies and Standards

From The Secure Arc Wiki


Most organisations must comply with a range of standards, policies and regulations, some set internally and some imposed from outside. Not all of them are security related, but those that are typically map back to the Security Principles.

Of the many standards and policies organisations are expected to comply with, the following are the ones most commonly encountered.

Important Security Standards

Area | International Standards | National or Regional Standards | Organisational Standards or Guidelines
IT Security Management | ISO 13335, ISO 13569, ISO 17799, ISO 27001, ISO 27002 | BS 7799-2, NIST Standards | ACSI-33, COBIT Security Baseline, ENV12924, ISF Standard of Good Practice, SAS 70
IT Governance | ISO 38500:2008 | COSO Internal Control - Integrated Framework | COBIT, ITIL, BITS
Compliance | - | Sarbanes-Oxley Act, Privacy Act, Trade Practices Act | Basel II, FFIEC Handbook, Gramm-Leach-Bliley Act, BSA, FACTA, GISRA, CA Bill 1386, PCI DSS, FISMA
Privacy | - | Directive 95/46 - European Union, ETS no. 108 - Council of Europe, PIPEDA - Canada, Privacy Act 1988 - Australia, Specter-Leahy Personal Data Privacy and Security Act 2005 - USA, Personal Information Protection Act No. 57 - Japan | -
Risk Management | ISO 27005 | AS/NZS 4360, COSO Enterprise Risk Management, M_o_R, NIST Standard 800-30 | -
Security Metrics | ISO 27004 | NIST Standards | Web Security Threat Classification, ISECOM, CVSS
Security Evaluation | ISO 15408, ISO 27001 | NIST Standards - FIPS, NSA IAM / IEM | PCI DSS
Security Testing | - | NIST Standard 800-42 | OWASP, OSSTMM, CHECK, ISACA, ISSAF, PTF, CREST

Note that ISO 17799 was renumbered ISO 27002 in 2007 and BS 7799-2 was superseded by ISO 27001; the older numbers are retained above as listed.

Technical Standards, Policy and Guidelines

Identification and Authentication

Area | International Standards | National Standards | Organisational Standards or Guidelines
Identification and Authentication | ISO 9798, ISO 9594-8:2001 | - | -
Identity Management Frameworks | CS1 (JTC 1/SC 27), IdM-GSI | - | -
Tokens | - | - | EBS 111-1999
Personal Identification Numbers (PIN) | ISO 9564 | - | EBS 105-1998
Biometrics | ISO 19092:2008 | ANSI X9.84-2001, ANSI INCITS 358-2002, 398-2005, 377-2004, 378-2004, 379-2004, 381-2004, 385-2004, 395-2005, 396-2005, 383-2004, 394-2004, 421-2006, 422-2006, 442-2008 (BIAS) | -


Data Integrity

Area | International Standards | National Standards | Organisational Standards or Guidelines
Message Authentication | ISO 9797, ISO 16609 | ANSI X9.71-2000 | -
Hash-functions | ISO 10118 | - | -


Privacy and Confidentiality

Area | International Standards | National Standards | Organisational Standards or Guidelines
Encipherment | - | - | -


Non-repudiation

Area | International Standards | National Standards | Organisational Standards or Guidelines
Non-repudiation | ISO 13888, ISO 10181-4 | - | -
Time Stamping | ISO 18014 | ANSI X9.95:2005 | ETSI TS 101 861-2001
Digital Signatures | ISO 9796, ISO 14888 | ANSI X9.31 | ETSI TS 101 733, ETSI TR 102 572
Certificates | - | ANSI X9.55-1997 | ETSI TS 101 862-2000
Public Key Infrastructure (PKI) | - | ANSI X9.77, ANSI X9.79-2001 | ETSI TS 101 456


Accountability and Audit

Area | International Standards | National Standards | Organisational Standards or Guidelines
Functionality Classes | ISO 10181 | - | -
Protection Profiles | ISO 15292, ISO 15446 | ANSI X9.79 | -
Evaluation Criteria | ISO 13491, ISO 15408 | ANSI X9.74 | -


Security Management

Area | International Standards | National Standards | Organisational Standards or Guidelines
Security Management | ISO 13335, ISO 13569, ISO 15816, ISO 15947 | ANSI X9.41, BS 7799 | ECBS TR 406
Key Management | ISO 11770, ISO 13492 | ANSI X9.24-1:2004, ANSI X9.24-2:2006, ANSI X9.42-2001, ANSI X9.44-2000, ANSI X9.63-2001 | ECBS TR 405
Certificate Management | ISO 15782 | ANSI X9.57-1997, ANSI X9.79-2001 | ECBS TR 402-1997, IETF RFC 2527:1999
Trusted Third Party Management | ISO TR 14516, ISO 15945 | - | -


Security Implementation Standards

Area | Standard
Transport Layer | SSL, TLS
Authentication | SAML, WS-Federation
Web Services | WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation, WS-Authorisation
Symmetric Encryption | AES

