Information Security Standards & Organizations

Information Security Standards Organizations

Standardization bodies are organizations that exist specifically for developing, coordinating, promoting, and interpreting technical standards.


  1. NIST - National Institute of Standards and Technology - The U.S. government organization responsible for defining standards to protect and assure the security of sensitive but unclassified data within federal government agencies. 
    1. Computer Security Resource Center (CSRC)
    2. Guide to NIST Information Security Docs
    3. Guide for Developing Security Plans 
  2. OWASP - Open Web Application Security Project - A non-profit foundation that publishes free application security resources, such as the OWASP Top 10 list of web application risks.
  3. HITRUST - Health Information Trust Alliance - Publishes the HITRUST Common Security Framework (CSF), a certifiable framework aimed primarily at organizations handling healthcare data.
  4. BSI - British Standards Institution - The United Kingdom's national standards body (described in more detail below). 
  5. CIS - Center for Internet Security - The CIS releases free security benchmarks (hardening guidelines for operating systems, software, and network devices) that come with tools to measure compliance. These benchmarks and tools are widely adopted and have become an important part of DHS-sponsored public/private partnerships. 
  6. ISO/IEC - International Organization for Standardization / International Electrotechnical Commission - ISO is a non-governmental worldwide federation established in 1947 and made up of the national standards organizations of 145 countries. It publishes the information security standards of the 27000 family jointly with the IEC. 
  7. ANSI - American National Standards Institute - The body that coordinates the U.S. voluntary standards system and represents the United States in ISO.
  8. ISACA - Originally the Information Systems Audit and Control Association - A professional association for IT audit, governance, and security that publishes the COBIT framework and issues certifications such as CISA and CISM. 



Every security professional should at least know the following industry security standards bodies:


1) NIST - 

NIST is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. 

NIST publishes several freely available special publication series, including SP 800 (computer security), SP 1800 (cybersecurity practice guides), and SP 500 (information technology). Separately, the NIST Cybersecurity Framework (NIST CSF) is a policy framework that provides guidance on how private-sector organizations in the US can assess and improve their ability to prevent, detect, and respond to cyber attacks. 

Another great publication is NIST Special Publication 800-30, a guide for conducting risk assessments. It shares more than a few similarities with ISO/IEC 27005 (information security risk management), but has the advantage of being completely free. 

2) BSI - 

BSI is the United Kingdom's national standardization body. BSI produces technical standards on a wide range of products and services, and also supplies certification and standards-related services to businesses. 

In 1995, BSI published British Standard 7799. Its second part, BS 7799-2 (the ISMS specification), later became ISO/IEC 27001, the most internationally recognized and widely used information security management standard, while the first part became ISO/IEC 17799 and then ISO/IEC 27002. 

With its deep ISO/IEC 27001 knowledge, BSI not only helps improve the standard but also provides services that train and certify organizations around the world to embed an effective ISO/IEC 27001 ISMS.

3) IETF - The Internet Engineering Task Force is an open standards organization with no formal membership or membership requirements. The IETF creates and promotes voluntary Internet standards (published as RFCs), in particular the standards for the Internet protocol suite (TCP/IP).

The IETF is organized into working groups, which are grouped into areas by subject matter. The current areas include applications, the Internet, operations and management, real-time applications and infrastructure, routing, transport, and, quite obviously, security. 

4) PCI SSC - 

The Payment Card Industry Security Standards Council (PCI SSC) is a global, open body responsible for creating, improving, disseminating, and helping with the understanding of security standards for payment account security. 

The Payment Card Industry Data Security Standard (PCI DSS) was devised as a means of increasing security controls over cardholder data and reducing the risk of credit card fraud. Compliance must be validated annually: organizations handling large transaction volumes are assessed either by an external Qualified Security Assessor (QSA) or by a company-trained Internal Security Assessor (ISA), who produces a Report on Compliance. Organizations handling smaller volumes may instead complete a Self-Assessment Questionnaire (SAQ). 

5) ISO - The International Organization for Standardization 

ISO is an international standardization body composed of representatives from multiple national standards organizations. Together with the IEC, ISO is responsible for the principal information security standards series, the ISO/IEC 27000 family. 

Composed of more than a dozen published standards, the 27000 family helps organizations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted to them by third parties. 

ISO/IEC 27001 is the best-known standard in the family. It specifies the requirements for an information security management system (ISMS) and is a must-read for any security engineer. 


