Standards Help to Limit Hackers in Gaining Access to Critical Infrastructure

There are many industry standards designed to prevent hackers from accessing critical information in an organization. These security standards act as a framework that helps the network administrator, the security administrator, and/or the development team keep attackers out of the organization's Information Systems.

Several noted standards come from NIST (National Institute of Standards and Technology), OWASP (Open Web Application Security Project), IEEE (Institute of Electrical and Electronics Engineers Standards Association), and ISO (International Organization for Standardization); these are a few of the important standards that guide the Information Technology field. This brief article focuses on the ISO standards, as a recap of an important set of standards.

The ISO series is developed, maintained, and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In particular, ISO 27001, the core standard of the ISO 27000 series, sets out requirements for an organization’s information security management system (ISMS). Moreover, the ISO 27000 series of standards is a set of mutually supporting Information Security standards that provide an internationally recognized framework for best practices in Information Security management. ISO 27001 sets up the framework whereby the organization can audit its information systems to determine compliance and apply for certification. The individual published standards in the ISO 27000 family are (get ready, the list is long, but it provides you with an ‘index’ of sorts to start with):

ISO/IEC 27000

  • ISO/IEC 27000:2018 (ISO 27000) Information technology – Security techniques – Information security management systems – Overview and vocabulary (IT Governance UK, 2018).

ISO/IEC 27001

  • ISO/IEC 27001:2013 (ISO27001) Information technology – Security techniques – Information security management systems – Requirements. The latest version of the ISO 27001 Standard (IT Governance UK, 2018).
  • ISO/IEC 27001:2013/Cor 1:2014 (ISO27001) Information technology – Security techniques – Information security management systems – Requirements (IT Governance UK, 2018).
  • ISO/IEC 27001:2013/Cor 2:2015 (ISO27001) Information technology – Security techniques – Information security management systems – Requirements. The latest version of the ISO 27001 Standard (IT Governance UK, 2018).

ISO/IEC 27002

  • ISO/IEC 27002:2013 (ISO 27002) Information technology – Security techniques – Code of practice for information security controls. The latest version of the code of practice for information security controls (IT Governance UK, 2018).
  • ISO/IEC 27002:2013/Cor 1:2014 (ISO 27002) Information technology – Security techniques – Code of practice for information security controls. The latest version of the code of practice for information security controls (IT Governance UK, 2018).
  • ISO/IEC 27002:2013/Cor 2:2015 (ISO 27002) Information technology – Security techniques – Code of practice for information security controls. The latest version of the code of practice for information security controls (IT Governance UK, 2018).

ISO/IEC 27003

  • ISO/IEC 27003:2017 (ISO 27003) Information technology – Security techniques – Information security management system implementation guidance (IT Governance UK, 2018).

ISO/IEC 27004

  • ISO/IEC 27004:2016 (ISO 27004) Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation (IT Governance UK, 2018).

ISO/IEC 27005

  • ISO/IEC 27005:2018 (ISO 27005) Information technology – Security techniques – Information security risk management (IT Governance UK, 2018).

ISO/IEC 27006

  • ISO/IEC 27006:2015 (ISO 27006) Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems (IT Governance UK, 2018).

ISO/IEC 27007

  • ISO/IEC 27007:2017 (ISO 27007) Information technology – Security techniques – Guidelines for information security management systems auditing (IT Governance UK, 2018).

ISO/IEC 27008

  • ISO/IEC TR 27008:2011 (ISO 27008) Information technology – Security techniques – Guidelines for auditors on information security controls (IT Governance UK, 2018).

ISO/IEC 27009

  • ISO/IEC 27009:2016 (ISO 27009) Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 – Requirements (IT Governance UK, 2018).

ISO/IEC 27010

  • ISO/IEC 27010:2015 (ISO 27010) Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications (IT Governance UK, 2018).

ISO/IEC 27011

  • ISO/IEC 27011:2016 (ISO 27011) Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 (IT Governance UK, 2018).

ISO/IEC 27013

  • ISO/IEC 27013:2015 (ISO 27013) Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (IT Governance UK, 2018).

ISO/IEC 27014

  • ISO/IEC 27014:2013 (ISO 27014) Information technology – Security techniques – Governance of information security (IT Governance UK, 2018).

ISO/IEC 27016

  • ISO/IEC TR 27016:2014 (ISO 27016) Information technology – Security techniques – Information security management – Organizational economics (IT Governance UK, 2018).

ISO/IEC 27017

  • ISO/IEC 27017:2015 (ISO 27017) Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services (IT Governance UK, 2018).

ISO/IEC 27018

  • ISO/IEC 27018:2014 (ISO27018) Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (IT Governance UK, 2018).

ISO/IEC 27023

  • ISO/IEC 27023:2015 (ISO 27023) Information technology – Security techniques – Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002 (IT Governance UK, 2018).

ISO/IEC 27031

  • ISO/IEC 27031:2011 (ISO 27031) Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity (IT Governance UK, 2018).

ISO/IEC 27032

  • ISO/IEC 27032:2012 (ISO 27032) Information technology – Security techniques – Guidelines for cybersecurity (IT Governance UK, 2018).

ISO/IEC 27033

  • ISO/IEC 27033-1:2015 (ISO 27033-1) Information technology – Security techniques – Network security – Part 1: Overview and concepts (IT Governance UK, 2018).
  • ISO/IEC 27033-2:2012 (ISO 27033-2) Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security (IT Governance UK, 2018).
  • ISO/IEC 27033-3:2010 (ISO 27033-3) Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues (IT Governance UK, 2018).
  • ISO/IEC 27033-4:2014 (ISO 27033-4) Information technology – Security techniques – Network security – Part 4: Securing communications between networks using security gateways (IT Governance UK, 2018).
  • ISO/IEC 27033-5:2013 (ISO 27033-5) Information technology – Security techniques – Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs) (IT Governance UK, 2018).
  • ISO/IEC 27033-6:2016 (ISO 27033-6) Information technology – Security techniques – Network security – Part 6: Securing wireless IP network access (IT Governance UK, 2018).

ISO/IEC 27034

  • ISO/IEC 27034-1:2011 (ISO 27034-1) Information technology – Security techniques – Application security – Part 1: Overview and concepts (IT Governance UK, 2018).
  • ISO/IEC 27034-1:2011/Cor 1:2014 (ISO 27034-1) Information technology – Security techniques – Application security – Part 1: Overview and concepts (IT Governance UK, 2018).
  • ISO/IEC 27034-2:2015 (ISO 27034-2) Information technology – Security techniques – Application security – Part 2: Organization normative framework for application security (IT Governance UK, 2018).
  • ISO/IEC 27034-5 Information technology – Security techniques – Application security – Part 5: Protocols and application security controls data structure – XML schemas (IT Governance UK, 2018).

ISO/IEC 27035

  • ISO/IEC 27035-1:2016 (ISO 27035-1) Information technology – Security techniques – Information security incident management – Part 1: Principles of incident management (IT Governance UK, 2018).
  • ISO/IEC 27035-2:2016 (ISO 27035-2) Information technology – Security techniques – Information security incident management – Part 2: Guidelines to plan and prepare for incident response (IT Governance UK, 2018).

ISO/IEC 27036

  • ISO/IEC 27036-1:2014 (ISO 27036-1) Information technology – Security techniques – Information security for supplier relationships – Part 1: Overview and concepts (IT Governance UK, 2018).
  • ISO/IEC 27036-2:2014 (ISO 27036-2) Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements (IT Governance UK, 2018).
  • ISO/IEC 27036-3:2013 (ISO 27036-3) Information technology – Security techniques – Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security (IT Governance UK, 2018).
  • ISO/IEC 27036-4:2016 (ISO 27036-4) Information technology – Security techniques – Information security for supplier relationships – Part 4: Guidelines for security of cloud services (IT Governance UK, 2018).

ISO/IEC 27037

  • ISO/IEC 27037:2012 (ISO 27037) Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence (IT Governance UK, 2018).

ISO/IEC 27038

  • ISO/IEC 27038:2014 (ISO 27038) Information technology – Security techniques – Specification for digital redaction (IT Governance UK, 2018).

ISO/IEC 27039

  • ISO/IEC 27039:2015 (ISO 27039) Information technology – Security techniques – Selection, deployment and operations of intrusion detection and prevention systems (IDPS) (IT Governance UK, 2018).

ISO/IEC 27040

  • ISO/IEC 27040:2015 (ISO 27040) Information technology – Security techniques – Storage security (IT Governance UK, 2018).

ISO/IEC 27041

  • ISO/IEC 27041:2015 (ISO 27041) Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative methods (IT Governance UK, 2018).

ISO/IEC 27042

  • ISO/IEC 27042:2015 (ISO 27042) Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence (IT Governance UK, 2018).

ISO/IEC 27043

  • ISO/IEC 27043:2015 (ISO 27043) Information technology – Security techniques – Incident investigation principles and processes (IT Governance UK, 2018).

ISO/IEC 27050

  • ISO/IEC 27050-1:2016 (ISO 27050) Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts (IT Governance UK, 2018).
  • ISO/IEC 27050-3 Information technology – Security techniques – Electronic discovery – Part 3: Code of Practice for electronic discovery (IT Governance UK, 2018).

ISO/IEC 27103

  • ISO/IEC TR 27103:2018 (ISO 27103) Information technology – Security techniques – Cybersecurity and ISO and IEC Standards (IT Governance UK, 2018).

Aside from the ISO standards, there are emerging standards based on evolving technology (some of which will be supported by the aforementioned ISO, IEEE, OWASP, and NIST standards). There are over two dozen standards moving through the vetting process. For a standard to become accepted and published, it passes through a six-step development process. This process begins with a preliminary stage, where the initial feasibility of the standard is assessed. It then moves to the proposal stage, where the scope of the standard is formally described. Next, a working draft of the standard is developed in the preparatory stage. The standard then moves to the committee stage, where it is examined for quality control. After that, the standard is ready for final approval: the participating national bodies vote on the standard and submit any pertinent comments. If approved, the standard is then published (IT Governance UK, 2018).

The bottom line with standards is that we need to set up a security infrastructure that makes it very difficult for hackers to take advantage of our information resources. When designing and implementing a security infrastructure, security frameworks such as ISO and several others are useful because they act as a blueprint, providing policies, standards, and best practices (Whitman & Mattord, 2018).

Works Cited

IT Governance UK. (2017, November 20). What is the ISO 27000 series of standards? Retrieved from IT Governance Blog: https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards/

IT Governance UK. (2018). The ISO/IEC 27000 Family of Information Security Standards. Retrieved from IT Governance: https://www.itgovernance.co.uk/iso27000-family

Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Boston: Cengage Learning.

About the Author

Ron McFarland is a technologist at heart who works happily with students and as a consultant. Demonstrating his love for the field, he received his Ph.D. from the College of Engineering and Computer Science and a post-doc in Cybersecurity Technologies. He is a guest blogger at Wrinkled Brain Net (http://www.wrinkledbrain.net), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC email: ronald.mcfarland@faculty.umuc.edu or @DODDFARS
