Security Techniques

CategoryCyber Security Standards

Through the use of Information Security techniques, organizations develop and implement a framework for protecting their digital assets, including financial records, intellectual property, employee profiles, and information entrusted to them by customers or business partners.

Standards Overview

Cyber Security Processes and Controls

Information security standards define requirements for cyber security management, provide detailed guidance on how to establish and maintain a cyber security program, and describe security techniques to address specific risks. These standards can also be used by organizations to prepare an independent assessment of their IT systems and processes as it applies to the protection of business and customer private information.

All information held and processed by an organization is subject to threats of cyber attack, errors, natural disasters and vulnerabilities inherent in its use. Protecting information assets through defining, achieving, maintaining, and improving Information Security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its regulatory compliance and corporate image.

The following publications provide guidance on Information Security best practices and controls:

ISO/IEC IT Security Evaluation

ISO/IEC 15408 — Evaluation Criteria for IT Security
ISO/IEC 18045 — Methodology for IT Security Evaluation
ISO/IEC 21827 — Systems Security Engineering - Capability Maturity Model (SSE-CMM)

ISO/IEC Identity Management

ISO/IEC 24760 — A Framework for Identity Management

ISO/IEC Cryptographic Key Management

ISO/IEC 11770-1 — Key Management - Framework
ISO/IEC 11770-2 — Key Management - Mechanisms Using Symmetric Techniques
ISO/IEC 11770-3 — Key Management - Mechanisms Using Asymmetric Techniques
ISO/IEC 11770-4 — Key Management - Mechanisms Based on Weak Secrets
ISO/IEC 11770-5 — Key Management - Group Key Management
ISO/IEC 11770-6 — Key Management - Key Derivation

ISO/IEC Information Security Management

ISO/IEC 27000 — Information Security Management Systems (ISMS) - Overview and Vocabulary
ISO/IEC 27001 — ISMS - Requirements
ISO/IEC 27002 — ISMS - Code of Practice
ISO/IEC 27003 — ISMS - Implementation Guidance
ISO/IEC 27004 — ISMS - Monitoring, Measurement, Analysis and Evaluation
ISO/IEC 27006 — ISMS - Requirements for Bodies Providing Audit and Certification
ISO/IEC 27007 — Guidelines for Information Security Management Systems Auditing
ISO/IEC 27008 — Guidelines for Auditors on Information Security Controls
ISO/IEC 27010 — Information Security Management for Inter-sector Communications
ISO/IEC 27011 — Information Security Controls for Telecommunications Organizations
ISO/IEC 27014 — Governance of Information Security
ISO/IEC 27019 — Information Security Controls for the Energy Utility Industry
ISO/IEC 27031 — Information and Communication Technology Readiness for Business Continuity
ISO/IEC 27032 — Guidelines for Cybersecurity
ISO/IEC 27033 — Network Security
ISO/IEC 27034 — Application Security
ISO/IEC 27035 — Information Security Incident Management
ISO/IEC 27036 — Information Security for Supplier Relationships
ISO/IEC 27037 — Identification, Collection, Acquisition and Preservation of Digital Evidence
ISO/IEC 27038 — Specification for Digital Redaction
ISO/IEC 27039 — Intrusion Detection and Prevention Systems (IDPS)
ISO/IEC 27040 — Storage Security
ISO/IEC 27041 — Guidance on Assuring Suitability and Adequacy of Incident Investigative Method
ISO/IEC 27042 — Guidelines for the Analysis and Interpretation of Digital Evidence
ISO/IEC 27043 — Incident Investigation Principles and Processes
ISO/IEC 27050 — Electronic Discovery

ISO/IEC Vulnerability Disclosure

ISO/IEC 29147 — Vulnerability Disclosure

ISO/IEC Risk Management

ISO/IEC 27005 — Information Security Risk Management
ISO/IEC 31000 — Risk Management - Guidelines
ISO/IEC 31010 — Risk Management - Risk Assessment Techniques

IETF Identity Management

RFC 7642 — SCIM 2.0: Definitions
RFC 7643 — SCIM 2.0: Core Schema
RFC 7644 — SCIM 2.0: Protocol

IETF One-time Passwords

RFC 2289 — One-Time Password System
RFC 2243 — One-time Password Extended Responses
RFC 4226 — HOTP: HMAC-Based One-time Password Algorithm
RFC 6238 — TOTP: Time-Based One-Time Password Algorithm
RFC 2104 — HMAC: Keyed-Hashing for Message Authentication

IETF Public Key Infrastructure

RFC 3820 — Internet X.509 PKI: Proxy Certificate Profile
RFC 6960 — Internet X.509 PKI: Online Certificate Status Protocol (OCSP)
RFC 3647 — Internet X.509 PKI: Certificate Policy and Certification Practices Framework
RFC 4211 — Internet X.509 PKI: Certificate Request Message Format (CRMF)
RFC 5272 — Internet X.509 PKI: Certificate Management over CMS (CMC)
RFC 3739 — Internet X.509 PKI: Qualified Certificates Profile
RFC 3161 — Internet X.509 PKI: Time-Stamp Protocol (TSP)
RFC 5755 — Internet X.509 PKI: Attribute Certificate Profile for Authorization
RFC 4210 — Internet X.509 PKI: Certificate Management Protocol (CMP)
RFC 2585 — Internet X.509 PKI: Operational Protocols - FTP and HTTP
RFC 4107 — Internet X.509 PKI: Guidelines for Cryptographic Key Management
RFC 3779 — Internet X.509 PKI: X.509 Extensions for IP Addresses and AS Identifiers
RFC 3628 — Internet X.509 PKI: Policy Requirements for Time-Stamping Authorities (TSAs)
RFC 3379 — Internet X.509 PKI: Delegated Path Validation and Discovery Protocol
RFC 5280 — Internet X.509 PKI: Certificate and Certificate Revocation List (CRL) Profile
RFC 3279 — Internet X.509 PKI: Algorithms and Identifiers for CRL
RFC 5753 — Internet X.509 PKI: Use of Elliptic Curve Cryptography (ECC) Algorithms in CMS
RFC 3029 — Internet X.509 PKI: Data Validation and Certification Server Protocols
RFC 2528 — Internet X.509 PKI: Representation of Key Exchange Algorithm (KEA) Keys
RFC 2104 — HMAC: Keyed-Hashing for Message Authentication
RFC 1321 — MD5 Message-Digest Algorithm

IETF Public Key Cryptography

RFC 8017 — PKCS #1: RSA Cryptography Specifications 2.2
RFC 2631 — PKCS #3: Diffie-Hellman Key Agreement Method
RFC 8018 — PKCS #5: Password-based Cryptography 2.1
RFC 2315 — PKCS #7: Cryptographic Message Syntax 1.7
RFC 5208 — PKCS #8: Private-Key Information Syntax 1.2
RFC 2985 — PKCS #9: Selected Object Classes and Attribute Types 2.0
RFC 5967 — PKCS #10: The application/pkcs10 Media Type
RFC 7512 — PKCS #11: Uniform Resource Identifier (URI) Scheme
RFC 7292 — PKCS #12: Personal Information Exchange 1.1

OASIS Cryptographic Key Management

KMIP 1.4 — Key Management Interoperability Protocol 1.4
KMIP-Profiles 1.4 — Key Management Interoperability Protocol Profiles 1.4

OASIS Public Key Cryptography

NIST Cyber Security Framework

NIST Risk Management Framework

NIST SP800-37 — Risk Management Framework for Information Systems and Organizations

security

Information is an asset that is essential to the business, and needs to be suitably protected.

Information security ensures availability, confidentiality and integrity of digital assets.

Coordinated activities directing the implementation of adequate controls and treating unacceptable security risks are generally known as Information Security management.

Organizations need to identify the emerging risks, monitor and evaluate the effectiveness of the implemented controls and procedures, and improve them as needed.

To interrelate cyber security activities, an organization needs to establish policies and standards for Information Security, and achieve compliance by using a management program.

There is an ever-increasing need in IT to use cryptographic mechanisms for the protection of data against unauthorized disclosure or manipulation, for entity authentication, and for non-repudiation.