Security Techniques

Category: Cyber Security Standards

Through the use of Information Security techniques, organizations develop and implement a framework for protecting their digital assets, including financial records, intellectual property, employee profiles, and information entrusted to them by customers or business partners.

Standards Overview

Cyber Security Processes and Controls

Information security standards define requirements for cyber security management, provide detailed guidance on how to establish and maintain a cyber security program, and describe security techniques that address specific risks. Organizations can also use these standards to prepare an independent assessment of their IT systems and processes as they apply to the protection of business and customer private information.

All information held and processed by an organization is exposed to threats such as cyber attack, errors, natural disasters, and vulnerabilities inherent in its use. Effectively protecting information assets, by defining, achieving, maintaining, and improving Information Security, is essential if an organization is to achieve its objectives and to maintain and enhance its regulatory compliance and corporate image.

The following publications provide guidance on Information Security best practices and controls:

  • ISO/IEC 15408 — Evaluation Criteria for IT Security
  • ISO/IEC 18045 — Methodology for IT Security Evaluation
  • ISO/IEC 21827 — Systems Security Engineering - Capability Maturity Model (SSE-CMM)
  • ISO/IEC 27000 — Information Security Management Systems (ISMS) - Overview and Vocabulary
  • ISO/IEC 27001 — ISMS - Requirements
  • ISO/IEC 27002 — ISMS - Code of Practice
  • ISO/IEC 27003 — ISMS - Implementation Guidance
  • ISO/IEC 27004 — ISMS - Monitoring, Measurement, Analysis and Evaluation
  • ISO/IEC 27006 — ISMS - Requirements for Bodies Providing Audit and Certification
  • ISO/IEC 27007 — Guidelines for Information Security Management Systems Auditing
  • ISO/IEC 27008 — Guidelines for Auditors on Information Security Controls
  • ISO/IEC 27010 — Information Security Management for Inter-sector Communications
  • ISO/IEC 27011 — Information Security Controls for Telecommunications Organizations
  • ISO/IEC 27014 — Governance of Information Security
  • ISO/IEC 27019 — Information Security Controls for the Energy Utility Industry
  • ISO/IEC 27031 — Information and Communication Technology Readiness for Business Continuity
  • ISO/IEC 27032 — Guidelines for Cybersecurity
  • ISO/IEC 27033 — Network Security
  • ISO/IEC 27034 — Application Security
  • ISO/IEC 27035 — Information Security Incident Management
  • ISO/IEC 27036 — Information Security for Supplier Relationships
  • ISO/IEC 27037 — Identification, Collection, Acquisition and Preservation of Digital Evidence
  • ISO/IEC 27038 — Specification for Digital Redaction
  • ISO/IEC 27039 — Intrusion Detection and Prevention Systems (IDPS)
  • ISO/IEC 27040 — Storage Security
  • ISO/IEC 27041 — Guidance on Assuring Suitability and Adequacy of Incident Investigative Method
  • ISO/IEC 27042 — Guidelines for the Analysis and Interpretation of Digital Evidence
  • ISO/IEC 27043 — Incident Investigation Principles and Processes
  • ISO/IEC 27050 — Electronic Discovery
  • RFC 2289 — One-Time Password System
  • RFC 2243 — One-time Password Extended Responses
  • RFC 4226 — HOTP: HMAC-Based One-time Password Algorithm
  • RFC 6238 — TOTP: Time-Based One-Time Password Algorithm
  • RFC 2104 — HMAC: Keyed-Hashing for Message Authentication
  • RFC 3820 — Internet X.509 PKI: Proxy Certificate Profile
  • RFC 6960 — Internet X.509 PKI: Online Certificate Status Protocol (OCSP)
  • RFC 3647 — Internet X.509 PKI: Certificate Policy and Certification Practices Framework
  • RFC 4211 — Internet X.509 PKI: Certificate Request Message Format (CRMF)
  • RFC 5272 — Internet X.509 PKI: Certificate Management over CMS (CMC)
  • RFC 3739 — Internet X.509 PKI: Qualified Certificates Profile
  • RFC 3161 — Internet X.509 PKI: Time-Stamp Protocol (TSP)
  • RFC 5755 — Internet X.509 PKI: Attribute Certificate Profile for Authorization
  • RFC 4210 — Internet X.509 PKI: Certificate Management Protocol (CMP)
  • RFC 2585 — Internet X.509 PKI: Operational Protocols - FTP and HTTP
  • RFC 4107 — Internet X.509 PKI: Guidelines for Cryptographic Key Management
  • RFC 3779 — Internet X.509 PKI: X.509 Extensions for IP Addresses and AS Identifiers
  • RFC 3628 — Internet X.509 PKI: Policy Requirements for Time-Stamping Authorities (TSAs)
  • RFC 3379 — Internet X.509 PKI: Delegated Path Validation and Discovery Protocol
  • RFC 5280 — Internet X.509 PKI: Certificate and Certificate Revocation List (CRL) Profile
  • RFC 3279 — Internet X.509 PKI: Algorithms and Identifiers for CRL
  • RFC 5753 — Internet X.509 PKI: Use of Elliptic Curve Cryptography (ECC) Algorithms in CMS
  • RFC 3029 — Internet X.509 PKI: Data Validation and Certification Server Protocols
  • RFC 2528 — Internet X.509 PKI: Representation of Key Exchange Algorithm (KEA) Keys
  • RFC 1321 — MD5 Message-Digest Algorithm
  • RFC 8017 — PKCS #1: RSA Cryptography Specifications 2.2
  • RFC 2631 — PKCS #3: Diffie-Hellman Key Agreement Method
  • RFC 8018 — PKCS #5: Password-based Cryptography 2.1
  • RFC 2315 — PKCS #7: Cryptographic Message Syntax 1.7
  • RFC 5208 — PKCS #8: Private-Key Information Syntax 1.2
  • RFC 2985 — PKCS #9: Selected Object Classes and Attribute Types 2.0
  • RFC 5967 — PKCS #10: The application/pkcs10 Media Type
  • RFC 7512 — PKCS #11: Uniform Resource Identifier (URI) Scheme
  • RFC 7292 — PKCS #12: Personal Information Exchange 1.1
  • KMIP 1.4 — Key Management Interoperability Protocol 1.4
  • KMIP-Profiles 1.4 — Key Management Interoperability Protocol Profiles 1.4
  • NIST SP800-37 — Risk Management Framework for Information Systems and Organizations

Information is an asset that is essential to the business, and needs to be suitably protected.

Information security preserves the availability, confidentiality and integrity of digital assets.

Coordinated activities directing the implementation of adequate controls and treating unacceptable security risks are generally known as Information Security management.

Organizations need to identify the emerging risks, monitor and evaluate the effectiveness of the implemented controls and procedures, and improve them as needed.

To coordinate its cyber security activities, an organization needs to establish policies and standards for Information Security and to achieve compliance with them through a management program.

There is an ever-increasing need in IT to use cryptographic mechanisms for the protection of data against unauthorized disclosure or manipulation, for entity authentication, and for non-repudiation.