Standards


A standard is the expected outcome or state of a task that has been performed in accordance with policies and procedures.

  • can be defined internally, or measured against external frameworks
  • Regulatory requirements are a primary driver for adopting standards
    • regulations often require implementing specific standards, or following specific guidelines, to achieve compliance
  • each organization must adopt the standards that address its own needs
    • e.g.,
      • organizations handling credit card transactions: PCI DSS
      • cloud-reliant organizations: ISO/IEC 27017 & 27018
  • risk management standards
    • e.g.,
      • information security management systems (ISMS): ISO/IEC 27001

Industry Standards

  • ISO/IEC 27001
    • specifies the requirements for establishing, operating and improving an ISMS
    • the standard an organization is certified against
  • ISO/IEC 27002
    • is a companion standard to ISO/IEC 27001
    • provides detailed implementation guidance on the specific controls to include in an ISMS
  • ISO/IEC 27017
    • builds on the ISO/IEC 27002 controls
    • adds guidance and controls specific to cloud services (for both providers and customers)
  • ISO/IEC 27018
    • builds on the ISO/IEC 27002 controls
    • specific to protecting personally identifiable information (PII) in public clouds acting as PII processors
  • NIST Special Publication 800-63
    • US government digital identity guidelines
      • covers identity proofing, authentication (including password/memorized-secret requirements in SP 800-63B) and federation
  • PCI DSS (Payment Card Industry Data Security Standard)
    • applies to any organization that stores, processes or transmits payment card data
  • Federal Information Processing Standards (FIPS)
    • e.g., FIPS 140-3 for the validation of cryptographic modules

Internal Standards

  • internal standards ensure the safety and integrity of operations and protect valuable resources
  • provide consistent, measurable descriptions that define and manage important organizational practices
  • differ from policies:
    • policies state what the business requires and why
    • standards state how it is to be implemented (specific settings, algorithms, procedures)

Password Standards

Password standards describe the specific technical requirements for designing and implementing systems, including how passwords are managed within those systems, so that different systems interoperate and handle passwords consistently.

  • Hashing Algorithms
    • Defines requirements for the hash functions used to store passwords (e.g., a deliberately slow, salted password-hashing function rather than a fast general-purpose hash)
  • Password Salting
    • Defines how a random, per-password salt is generated and stored alongside the hash, so that identical passwords produce different hashes and precomputed (rainbow table) attacks do not work
  • Secure Password Transmission
    • Defines the methods for transmitting passwords securely, including details regarding appropriate TLS versions and cipher suites
  • Password Reset
    • Defines appropriate identity verification methods to protect password reset requests from exploitation
  • Password Managers
    • Defines the requirements for password managers that organizations may choose to incorporate
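The hashing and salting requirements above, as an added example (not code from the original page). It uses the Python standard library only: PBKDF2-HMAC-SHA256 with a random 16-byte salt, a self-describing stored record, constant-time verification, and a check for records hashed under an older (weaker) iteration count so they can be upgraded at next login. The iteration count and record format are assumptions for illustration, not values taken from any particular published standard. The unsalted SHA-256 function is included only to show the behaviour a rainbow table exploits.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters an internal password standard might mandate.
# Assumed values for this example, not from a specific published standard.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = f"pbkdf2_{HASH_NAME}"


def unsalted_sha256(password: str) -> str:
    """The weak pattern: same password always gives the same digest, so a
    precomputed table of digests (rainbow table) recovers it directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a stored record of the form scheme$iterations$salt_b64$digest_b64.

    A fresh random salt is drawn per password unless one is supplied, so two
    users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in
    constant time. Malformed or foreign-scheme records verify as False."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                     salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was produced under a weaker setting than the current
    standard requires (older scheme or fewer iterations). Call this after a
    successful verify_password() and re-hash with the plaintext you just checked."""
    try:
        scheme, stored_iterations, _, _ = record.split("$")
    except ValueError:
        return True
    return scheme != SCHEME or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    # Two users, same password: unsalted digests collide, salted records do not.
    print(unsalted_sha256("password1") == unsalted_sha256("password1"))
    print(hash_password("password1") == hash_password("password1"))
```

The record carries its own parameters, which is what lets a standard raise the iteration count (or change the scheme) later without invalidating existing accounts: old records still verify, `needs_rehash()` flags them, and they are rewritten on the user's next successful login.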

Access Control Standards

Access control standards ensure that only authorized individuals can access the systems and data they need to do their jobs. They protect sensitive information and help prevent accidental changes or damage.

  • elements:
    • Access Control Models
      • Defines appropriate access models for different use cases (e.g., role-based, attribute-based, mandatory, discretionary)
    • User Identity Verification
      • Defines acceptable methods to verify identities before granting access
        • e.g., passwords, security tokens, biometric data, etc., and when multi-factor combinations are required
    • Privilege Management
      • Defines the methods for managing user privileges to ensure users have only the minimum access required (least privilege), including periodic access reviews
    • Authentication Protocols
      • Defines specific acceptable authentication protocols
        • e.g., Kerberos, OAuth, or SAML
    • Session Management
      • Defines allowable session management practices
      • includes requirements for
        • session timeouts (idle and absolute)
        • secure generation and transmission of session cookies (unpredictable tokens; Secure, HttpOnly and SameSite attributes)
        • etc.
    • Audit Trails
      • Defines mandatory audit capabilities designed to assist with identifying and investigating security incidents

Physical Security Standards

  • Building Security
    • Defines methods for securing facilities, including card access systems, CCTV surveillance, and security personnel
  • Workstation Security
    • Defines requirements for physically securing workstations, laptops and other portable devices (e.g., cable locks, clean-desk and screen-lock rules)
  • Datacenter and Server Room Security
    • Defines requirements for card access, biometric scans, sign-in/sign-out logs, and escorted access for visitors
  • Equipment Disposal
    • Defines requirements for securely disposing of (or repurposing) equipment so that sensitive data is irrecoverable (e.g., wiping, degaussing or physical destruction of storage media)
  • Visitor Management
    • Defines the requirements for managing visitors
    • e.g., sign-in/sign-out procedures, visitor badges, and escorted access requirements

Encryption Standards

Encryption standards identify the acceptable algorithms, modes and cipher suites, and the procedures around them, that together provide assurance that data remains protected.

  • Encryption Algorithms
    • Defines allowable encryption algorithms and modes
    • e.g., AES (in an authenticated mode such as GCM) for symmetric encryption, or ECC for asymmetric encryption
  • Key Length
    • Defines the minimum allowable key lengths for different types of encryption (e.g., 128-bit or 256-bit AES keys; ECC curve sizes)
  • Key Management
    • Defines how keys are generated, distributed, stored, rotated and destroyed
    • often includes
      • requirements for using secure key management systems (e.g., an HSM or cloud KMS rather than keys in configuration files)
      • procedures for regularly rotating keys
      • and procedures for revoking them if they are compromised