Security standards are set up to provide a set of common guidelines for companies that handle customer information. They cover all kinds of transactions and technologies and can be peculiar to particular industries.

CBR looks at some of the major security standards. Absent from the list are the upcoming European cyber security standards from ETSI, which are in development at the time of writing.

1. PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard that helps businesses securely process card payments and reduce fraud.

The requirements fall into six major categories: building a secure network, protecting cardholder data, maintaining a vulnerability management programme, implementing strong access control measures, regularly testing and monitoring networks, and maintaining an information security policy.

Included in the standard are requirements to install a firewall and anti-virus software, encrypt data and restrict access to cardholder data.

2. IASME

This is a UK-based standard for small-to-medium enterprises (SMEs), defined here as businesses with capitalisation of £1.2 billion or less.

It aims to allow these SMEs to achieve an accredited measurement of their cyber security readiness to provide to their customers, clients or partners, with a lower complexity, cost and administrative overhead.

The cost of the certification depends on the number of employees in the company, and can be based upon a self-assessment through a questionnaire or a third-party assessment.

IASME is one of four Cyber Essentials accreditation bodies appointed by the UK Government.

3. FIDO

Fast IDentity Online (FIDO) takes advantage of features on a smart device such as a fingerprint scanner, camera or microphone to allow the user to register their biometric or PIN to the device.

When authentication is required, the user is verified by a client on the device itself, and the encrypted key is sent to the server to authenticate the user.

This is both easier for the user, who doesn’t have to generate and memorise a password for every application they use, and more secure, since passwords can easily be intercepted or broken.
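The following is an added illustration, not code from the original article or from the FIDO Alliance. It models the registration and login flow described above in the way FIDO actually works: the device keeps a private key that never leaves it, the server stores only the matching public key, and each login is a signature over a fresh server-issued challenge. To run with the Python standard library alone, a hash-based Lamport one-time signature stands in for the ECDSA/EdDSA key pair a real authenticator holds; the class names, the relying-party identifier "example.com" and the username are constructed for the example.

```python
import hashlib
import secrets

# Constructed model of FIDO-style registration and login (added example).
# The key pair is a Lamport one-time signature, so one key is good for
# exactly one login here; a real authenticator uses ECDSA/EdDSA instead.

N_BITS = 256  # one key pair per bit of the SHA-256 digest being signed


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the secret matching that bit's value."""
    digest = H(message)
    return [sk[i][_bit(digest, i)] for i in range(N_BITS)]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the stored public half."""
    if signature is None or len(signature) != N_BITS:
        return False
    digest = H(message)
    return all(H(signature[i]) == pk[i][_bit(digest, i)] for i in range(N_BITS))


class Authenticator:
    """Device side. The private key never leaves this object; the local
    fingerprint/PIN check is modelled as the user_verified flag."""

    def __init__(self):
        self.credentials = {}  # relying party id -> private key

    def register(self, rp_id: str):
        sk, pk = keygen()
        self.credentials[rp_id] = sk
        return pk  # only the public key is handed to the server

    def authenticate(self, rp_id: str, challenge: bytes, user_verified: bool):
        if not user_verified or rp_id not in self.credentials:
            return None
        # Bind the response to this relying party and this fresh challenge.
        return sign(self.credentials[rp_id], rp_id.encode() + challenge)


class RelyingParty:
    """Server side. Holds public keys and outstanding challenges only, so a
    database breach yields nothing that can be replayed as a login."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.public_keys = {}  # username -> public key
        self.pending = {}      # username -> challenge issued for this login

    def register(self, username: str, pk):
        self.public_keys[username] = pk

    def begin_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh per attempt
        self.pending[username] = challenge
        return challenge

    def finish_login(self, username: str, signature) -> bool:
        challenge = self.pending.pop(username, None)  # single use
        if challenge is None or username not in self.public_keys:
            return False
        return verify(self.public_keys[username], self.rp_id.encode() + challenge, signature)


def demo() -> dict:
    rp = RelyingParty("example.com")
    device = Authenticator()
    rp.register("alice", device.register("example.com"))

    # Normal login: fresh challenge, local user verification, signed response.
    ch1 = rp.begin_login("alice")
    sig1 = device.authenticate("example.com", ch1, user_verified=True)
    login_ok = rp.finish_login("alice", sig1)

    # A captured response is useless against the next challenge.
    rp.begin_login("alice")
    replay_rejected = not rp.finish_login("alice", sig1)

    # Without the local fingerprint/PIN check the device signs nothing.
    ch3 = rp.begin_login("alice")
    no_user_verification = device.authenticate("example.com", ch3, user_verified=False) is None

    # A different device, never registered for alice, is rejected.
    other = Authenticator()
    other.register("example.com")
    other_rejected = not rp.finish_login("alice", other.authenticate("example.com", ch3, True))

    return {
        "login_ok": login_ok,
        "replay_rejected": replay_rejected,
        "no_user_verification": no_user_verification,
        "other_device_rejected": other_rejected,
    }
```

The point to take from the model is what each side stores: the relying party's table contains public keys and short-lived challenges, so nothing in it can be "intercepted or broken" into a usable credential the way a password hash can. The Lamport substitution has one consequence a reader should not carry over: a real FIDO credential signs many challenges with the same key, whereas a Lamport key must be used once only.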

4. IEC 62443

Originally called ISA99, this set of standards deals with electronically securing industrial automation and control systems (IACS).

The guidance is aimed at all parties within the supply chain, including the end-user, system integrator, security practitioner and the manufacturers themselves.

The standards were defined by the International Society of Automation (ISA). The first standard was published in late 2007 and serves as the foundation for all subsequent standards in the series.

The standard was renumbered to 62443 in 2010, with the intention of aligning the numbering with the corresponding International Electrotechnical Commission standards.

Areas addressed include patch management and wireless systems security.

There is also a focus on the convergence of safety and security and technical requirements at the system and component levels.

5. Common Criteria

The Common Criteria for Information Technology Security Evaluation, abbreviated to Common Criteria or CC, is an international standard that allows users to specify their requirements for security.

System users can specify their functional and assurance requirements using Protection Profiles.

Vendors can make claims about the security attributes of products, while testing laboratories can evaluate them according to the same criteria.

CC is also known as ISO/IEC 15408.

6. ISO/IEC 27001 and ISO/IEC 27002

ISO/IEC 27001 and ISO/IEC 27002 are part of a family of standards that helps organisations secure their information assets through an information security management system (ISMS).

ISO/IEC 27001, the best-known standard in the family, provides a top-down, technology-neutral approach.

The six parts of the planning process include defining a security policy, defining the scope of the ISMS, conducting a risk assessment, managing identified risks, selecting control objectives to be implemented and preparing a statement of applicability.

The standard does not mandate specific controls, but provides a checklist of controls.

The second standard, ISO/IEC 27002, provides a comprehensive set of objectives and a set of good practices.