Development and Implementation of Security Standards John P. Hopkinson Payoff
Payoff

This article describes the groups involved in the process of developing standards for information security. The method by which an international security standard is produced is identified. In addition, the article includes a discussion on how standards are used, a review of recently published security standards, and current standards development programs. Problems with the current standardization process are identified together with potential resolutions.

Introduction

In today's commercial environment the need to communicate and the pressures to exchange information quickly are increasing. Electronic Data Interchange (EDI) is a significant force in this direction. (In fact, EDI is no longer seen as conferring competitive advantage; it is the competitive norm.) It is becoming essential for organizations to possess such technical capabilities if they are to remain competitive. For two or more computers to exchange information, they must either communicate in the same way or they must be able to translate data. To keep the number of options for information exchange and processing within reasonable bounds, some commonly agreed formats (known as standards) are helpful. These standards are important and are becoming more commonplace in information technology, and they can cover many areas.

This article addresses standards for information security. It includes:
- An introduction to the different types of standards development groups.
- An insight into how standards are produced.
- A review of the major areas of standards development.
- Suggested improvements to the standards development process.

The suggested improvements stem from discussions with the users of standards. Although some of the statements and assumptions may be applicable to other standards areas, they are primarily directed towards security standards.

Standards Development Groups

Standards development groups can be divided into the following types:
- International.
- Regional.
- National.

Each of these groups has a distinct level of involvement in the IS discipline. These groups are examined in the following sections.

International Standards Group

The first group of standards-writing bodies identified is the international one. This group consists primarily of three organizations:
- The International Organization for Standardization (ISO).
- The International Electrotechnical Commission (IEC).
- The International Telecommunications Union (ITU), previously called the International Telegraph & Telephone Consultative Committee (CCITT).

ISO and ITU have the greatest level of activity in the information security area, and it is important to note that a great deal of cooperation exists between them. Activities are currently under way to enhance and expand this cooperation and make it more efficient. ISO and IEC have been working together for many years in different but related areas. An example of ISO and IEC cooperative activities is the Joint Technical Committee 1 (JTC 1). Within ISO/IEC JTC 1, Subcommittee 27 is responsible for the development of security techniques. Subcommittee 27 consists of three working groups:
- Working Group 1, responsible for requirements, security services, and guidelines.
- Working Group 2, responsible for both cryptographic and noncryptographic techniques.
- Working Group 3, responsible for evaluation criteria.

It should be pointed out that, although ISO develops standards for the use of cryptography, it does not standardize cryptographic algorithms. The other group within JTC 1 that is most heavily involved in security is Subcommittee 21. This group focuses on Open Systems Interconnection, and it concentrates on the modeling and framework aspects of security. Several other committees within ISO have some involvement with security (e.g., Subcommittees 6, 17, 18, and 30, and Technical Committee 68), though to a much lesser extent than Subcommittee 27, which is entirely security oriented, and Subcommittee 21.

Although it may appear that development of security standards is spread over many different groups, very close liaison exists between all the subcommittees and working groups. In addition, some moves are taking place to concentrate more security activities in Subcommittee 27.

Regional Standards Group

There is currently only one regional standards group, the European Commission. This body is developing standards for all countries that are part of the European Economic Community. The ultimate goal of this group is to develop a single set of standards for all of Europe. This reduces incompatibilities or at least ensures interworking. The European Commission is putting considerable effort into the development of standards and investing heavily in the development of security standards. Although only one regional standards-setting body exists at this time, it is reasonable to expect that others will appear. The development of multicountry free-trade blocs can be expected to stimulate the growth of this type of standards-setting body. It may be that the development of a North American free-trade area will lead to the formation of a regional standards body.

National Standards Group

The majority of nations have one or more standards-writing bodies. Within the national standards group, there tend to be two subgroups: one for the military and national security segments of the government, and one for the remainder of the government and the commercial sector. The differences between the two groups tend to be of degree and focus or direction, rather than fundamental differences of principle.

An additional area that should be mentioned is sectorial standards groups. In the national category there are many sectorial standards groups (e.g., banking and medical sector groups). In addition, many sectorial groups have international counterparts, and many are part of other organizations (e.g., Technical Committee 68, mentioned previously, deals with banking standards at the international level and is part of ISO/IEC).

Within different countries or communities, standards are used in different ways. In some cases, standards are given the force of law and must be complied with. In other areas, standards may be enforced by regulatory authorities with penalties set for noncompliance. And in other areas, standards are advisory and may be used if desired; although there may be encouragement to use standards, nonuse does not incur a penalty. These differences have an impact on the way in which standards are perceived within the different communities and on the level of effort and involvement put into the development of standards.

Standards Development

International standards are usually developed by a process of consensus. (This is particularly the case with ISO standards.) The majority of parties involved in the development of the standard must agree on the content of the standard and the way in which it is written. This process affects all stages of the development of a standard.

This technique may slow the process; however, the result is (hopefully) acceptable to all concerned. In addition, it ensures that no one group influences the standard unduly, thus gaining commercial advantage. Another result of this process is that in many cases there are options available within the standard; two products may comply with the standard and yet not be completely compatible. Although this may be seen as a disadvantage of the standard, it is a natural consequence of the consensus process. To do otherwise would cause some groups to ignore the standards, thus defeating the whole standards-setting process. The standards provide a framework and a metric for obtaining interoperability. The process is by no means ideal; however, until one that is acceptable to all is developed, it is the only available process.

In addition, standards groups often try to adapt standards that already exist to their own uses. There can be many sources of input. The initial input may come from such sources as another standards-writing body, de facto standards, commercial products, or in some cases research (although the latter case is unusual).

The experts who develop standards, for the most part, do so in their own time and through the auspices of their employers. They are not employed by the standards-writing bodies. The level of support within the community has a dramatic bearing on the number of contributing experts and their level of involvement. The majority of experts are experts in their particular technical field, not in writing standards. In addition, the writing ability of the experts may not be the foremost. Nonetheless, this process ensures that the individuals developing the standards are actively involved in the field, have practical and current experience, and are in tune with the future directions of the area. It also encourages greater participation.

Other Standards Groups

During the last few years, several other groups have emerged that claim to be developing standards. These groups include commercial vendors or vendor groups, and user groups. The essential differences between these groups and the formal standards organizations are the following:
- They are not formally constituted.
- They are not open, and they lack formal accrediting authorities.
- Their standards are not generally produced by consensus.
- They lack the formal procedures to verify a consensus position.
- They tend to serve a narrower community or interest.
- The results produced tend to be narrower in focus.
- The results tend to be difficult to expand or to apply to broader areas.

Although the international standards groups do sometimes make use of the products of these nonaccredited groups as a basis for the development of international standards, the standards frequently require considerable rework and modification, and the end result usually bears little resemblance to the original. In general, ISO tends to avoid sectorial issues (with such obvious exceptions as banking), and it produces standards for the general community. This is often not the case with the standards produced by other groups. This gives rise to considerable concern, particularly within the international standards community, because one of the key aims is to reduce fragmentation and barriers to linking systems together. The international community is driving towards truly open systems. Although some of these other groups may have open systems in mind, their results are often sectorial in nature and run counter to this direction.

Use of Standards

Standards are written with many different users in mind. However, they are primarily written for the use of the implementor of the standard. The implementation group could be the manufacturer of a product (e.g., a cryptographic device) or an organization that wishes to develop a system that includes cryptographic devices. They could also be systems integrators, value-added resellers, and third-party product developers. From the system implementor's point of view, standards are most important if they intend to use products from several different manufacturers. Standards are essential to ensure compatibility. Standards also ensure that as products change and evolve, different elements continue to work together.

Trends in Development and Implementation

There is normally a time lag from the completion of a standard to its implementation in products. Two very important standards from a security perspective are the X400 and X500 standards. These standards have applicability beyond security. X400, originally published in 1984, was enhanced in 1988 as X400(88) and again in 1992 as X400(92). A number of products implementing the X400(88) enhancements are now available, with a few implementing the 92 enhancements as well. Some organizations have implemented mail systems using X400(88) and X500. Although the use of these standards requires careful planning, they provide considerable benefit to the organization.

A number of important areas are currently being worked on within several groups in the international community. These areas include:
- Security frameworks.
- Security guidelines.
- Security evaluation criteria.
- Security mechanisms.

Security Frameworks

Security frameworks are being developed based on the open systems security architecture, IS. They expand on the security services identified within the security architecture. The frameworks do not identify mechanisms to implement a particular service, but they do identify requirements for services and an overall structure. As an example, the cryptographic key management framework provides a general overview, while the supporting parts address such specific mechanisms as key management using symmetric or asymmetric algorithms. The frameworks are being developed by ISO/IEC JTC1/Subcommittee 21 and ISO/IEC JTC1/Subcommittee 27 in cooperation and are at differing stages of completion.

Security Guidelines

Security guidelines covering such areas as management, trusted third parties, baseline controls, and the use and selection of security services and mechanisms are in the proposal or development stages. One of the most important projects within this area is the Guidelines for the Management of IT Security. This guideline identifies the elements critical to security and the processes for their management. The guideline can be of use to the developers of standards to ensure that the elements and data that security requires are available. This assists implementors in ensuring that all the elements are appropriately addressed for their environment.

Security Evaluation Criteria

The security evaluation criteria activity is of considerable importance. Currently there are a number of different sets of evaluation criteria in different countries. Without intergovernmental agreements to accept other governments' criteria, an evaluation of a product would have to be repeated. The ISO evaluation criteria work is attempting to resolve this situation with an internationally determined set of functions, dependencies, and assurance scales. This work is still in the early stages and is expected to take two to three years to complete. After its completion, these evaluation criteria should make the international purchasing and integration of security products considerably easier.

Security Mechanisms

The area of security mechanisms covers a considerable number of topics. To an extent, this area relates to the use of cryptographic techniques to address such aspects as the integrity of information, authenticity, repudiation, authentication of entities, and confidentiality. These sets of standards are of considerable importance in a distributed and networked environment. The ability to achieve these functions for electronic commerce is vital.

Problems and Potential Resolutions

There is wide diversity in the level of knowledge about information security standards. Some organizations are very aware and make extensive use of standards. Others appear to have little knowledge or awareness of standards.

Many standards, particularly international ones, are very broad and permit several options. They do not contain an explanation of their intended use. Two products, both compliant with the standard, may not be compatible. As noted, this is a result of the consensus process. In addition, some standards (e.g., the Open Systems Interconnect Security Architecture, IS) are designed to allow the user of the standard to select from among several options. The US and UK government open systems interconnect profiles (GOSIPs) reduce the number of options available but still allow some selection by the ultimate user of the standard. One partial resolution is to include a section explaining their intended use; another is the development of international standards profiles, which permit fewer options.

Standards are often hard to read and very technical. This perhaps stems more from a lack of understanding on the part of the user, because standards, for the most part, are intended for the implementor. Another criticism is that there is a lack of guidelines for the implementation of standards. To develop a guideline for every individual standard would be an enormous task and would considerably slow the standards development process. Producing guidelines for areas of concern or groups of standards is perhaps a more manageable task. It is a requirement that the international and national standards-writing bodies have recognized and are moving to address. The process to be followed is still performed by consensus, and thus the development may be prolonged. However, the process of developing guidelines is somewhat less formal and, therefore, development should not take as long as that for developing standards.

Another comment that is often heard from the commercial sector is that the majority of standards for security are written in language that is more appropriate to the military and high-security disciplines. It should be pointed out that the majority of funds allocated to research and standards-writing activities have been provided by military and intelligence groups, directly or indirectly. It is probably inevitable that the results appear to be for those fields. If the commercial areas want standards and research that are more appropriate to their needs, they must invest in the research that is needed.

The final comment most frequently heard is that standards development is slow and lags behind industry development. The slow process is recognized by those involved in standards development, and every effort is made to reduce unnecessary delay. Beyond this, the only resolution is to have greater participation and commitment to standards development. As has been discussed, the consensus nature of the process inevitably causes delay. In addition, the voluntary nature of the process means that it is very dependent on the level of commitment to standardization of the participants.

Conclusion

Standards are necessary to ensure that proper communication occurs between systems. Security standards provide a common basis for the protection and management of information exchange. Many groups can be involved in the development of standards; therefore, the development process can be slow. Although trends in improving development and implementation are occurring, all standards development processes have imperfections. In many cases, resolution of the problems can be achieved within the organization implementing the standards by following the suggestions presented in this article. To facilitate standards development, it is important that a wide cross-section of the community becomes involved in the process. This ensures that all parties using the standards are properly represented.

Author Biographies

John P. Hopkinson, ISP, CDRP, is a security architect for T-Base Research and Development Inc. in Ottawa, Canada.
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationINTERNATIONAL TELECOMMUNICATION UNION
INTERNATIONAL TELECOMMUNICATION UNION ITU-T D.140 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/98) SERIES D: GENERAL TARIFF PRINCIPLES General tariff principles Charging and accounting in the international
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationBenchmark of controls over IT activities. 2011 Report. ABC Ltd
www.pwc.com/cy Benchmark of controls over IT activities 2011 Report ABC Ltd... 2012 Scope and approach We wish to provide you with our IT Benchmarking report over IT activities at ABC Ltd (the Company)
More informationEffective Model Risk Management for Financial Institutions: The Six Critical Components
January 2013 Effective Model Risk Management for Financial Institutions: The Six Critical Components A White Paper by Brookton N. Behm, John A. Epperson, and Arjun Kalra Audit Tax Advisory Risk Performance
More informationThis IDC Retail Insights Perspective looks at the growing applicability of business intelligence and analytics for the wholesale industry.
The Growing Use of Business Intelligence and Analytics in Wholesale P E R S P E C T I V E # G R I 2 2 5 6 4 4 Simon D. Ellis Henry D. Morris IN THIS PERSPECTIVE This IDC Retail Insights Perspective looks
More informationThe$Risks$of$Status$Quo$$ in$product$development$
The$Risks$of$Status$Quo$$ in$product$development$ Running$Lean,$Responsive$and$Secure$with$PDM$ Published*by:* $Some$believe$that$product$development$ improvements$have$little$impact$$ It's a perception
More informationTelecom Industry Services. Change Management Process
FINAL 5 / 22 / 98 Telecom Industry Services Change Management Process 1 FINAL 5 / 22 / 98 TABLE OF CONTENTS INTRODUCTION 3 BELL ATLANTIC CHANGE CONTROL ORGANIZATION STRUCTURE 4 TERMS AND DEFINITIONS Overview
More informationTHE IMPACTS OF BREACHES
THE IMPACTS OF BREACHES DR. BRANDEN R. WILLIAMS & MAC A SURVEY OF MAC MEMBERS ON THE REALITIES OF DATA BREACHES CONTENTS INTRODUCTION AND METHODOLOGY... 4 ASSUMPTIONS AND LIMITATIONS... 4 KEY FINDINGS...
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationGlobal Business Services and the Global Payroll Function
GLOBAL PAYROLL BENCHMARKING STUDY UPDATE By Karen Beaman, Jeitosa Group International Introduction Shared Services delivery models have continued to expand and mature in recent years as organizations look
More informationThe Benefits of Accreditation for Developing Countries
The Benefits of Accreditation for Developing Countries Background /Context: Nature and Scope of Paper: All or most developed countries currently enjoy the trade benefits which flow from national accreditation
More informationSecuring Internet Payments. The current regulatory state of play
Securing Internet Payments The current regulatory state of play In recent years the European Union (EU) institutions have shown a growing interest on the security of electronic payments. This interest
More informationCOMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,
COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, 28-29 JUNE 2011 The Seoul Declaration on the Future of the Internet Economy adopted at the 2008 OECD
More informationT1M1: Management Plane Security Standard (T1.276)
T1M1/2003-039 R3 July 9, 2003 T1M1: Management Plane Security Standard (T1.276) Presentation Contributors and Liaison Representatives: Mike Fargano - T1M1 Chair, michael.fargano@qwest.com Jim Stanco -
More informationThis is a preview - click here to buy the full publication TECHNICAL REPORT INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL
TECHNICAL REPORT ISO/IEC TR 15067-4 First edition 2001-06 INFORMATION TECHNOLOGY HOME ELECTRONIC SYSTEM (HES) APPLICATION MODEL Part 4: Security system for HES ISO/IEC 2001 All rights reserved. Unless
More informationWHITE PAPER APRIL 2012. Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives
WHITE PAPER APRIL 2012 Leading an Implementation Campaign to Address the Convergence of Healthcare Reform Initiatives New healthcare reforms have created an unprecedented impact on hospital systems operations.
More informationManaging Successful Software Development Projects Mike Thibado 12/28/05
Managing Successful Software Development Projects Mike Thibado 12/28/05 Copyright 2006, Ambient Consulting Table of Contents EXECUTIVE OVERVIEW...3 STATEMENT OF WORK DOCUMENT...4 REQUIREMENTS CHANGE PROCEDURE...5
More informationWhat is ISO 9001 and should i care? SAFER, SMARTER, GREENER
What is ISO 9001 and should i care? SAFER, SMARTER, GREENER 02 THE ROLE OF STANDARDS What is ISO 9001 and should I care? The Role of Standards The objective of any standard, whether it relates to the manufacture
More informationFigure 2: DAMA Publications
Steve Hawtin, Schlumberger Information Solutions 14 th Petroleum Data Integration, Information & Data Management Conference The effective management of Exploration and Production (E&P) data has a major
More informationOutsourcing Life Cycle: Integrating DMAIC Controls. WCQI Concurrent Session: M09 Monday May 21, 1:30 2:30 PM Presenter: Daniel Zrymiak
Outsourcing Life Cycle: Integrating DMAIC Controls WCQI Concurrent Session: M09 Monday May 21, 1:30 2:30 PM Presenter: Daniel Zrymiak Introduction This presentation combines knowledge of an Outsourcing
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationApril 2, 2015. Re: Comments on Connected Health and Care for the Nation. Dear Dr. DeSalvo:
April 2, 2015 Karen DeSalvo M.D. National Coordinator for Health Information Technology Department of Health and Human Services 200 Independence Ave, S.W., Suite 729D Washington, DC 20201 Re: Comments
More informationETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things
ETNO Reflection Document in reply to the EC consultation on Future networks and the Internet early challenges regarding the Internet of things November 2008 Executive Summary The Internet of the future
More informationMSC Security Program Security in the Logistics Supply Chain
Maritime Security Council L MSC Security Program Security in the Logistics Supply Chain First Hemispheric Convention on Port Logistics and Competitiveness Ixtapa-Zihuatanejo November 3-5, 2010 Talking
More informationAn Overview of the ANSI/ASA Standards Program
An Overview of the ANSI/ASA Standards Program Christopher J. Struck a) CJS Labs - San Francisco, CA 94114 - USA Acoustical Society of America - Melville, NY 11747 - USA An overview of the standards program
More informationStrengths and Weaknesses of Cybersecurity Standards
Strengths and Weaknesses of Cybersecurity Standards Bart Preneel COSIC KU Leuven and iminds, Belgium firstname.lastname@esat.kuleuven.be April 7, 2014 Bart Preneel 1 What is cybersecurity? Liddell and
More informationAchieving Security through Compliance
Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3
More informationSECTION.0100 - GENERAL ADMINISTRATION
1 1 1 1 1 1 0 1 0 1 SECTION.00 - GENERAL ADMINISTRATION.01 HOW TO CONTACT THE ELECTRONIC COMMERCE SECTION The North Carolina Department of the Secretary of State administers the Electronic Commerce Act.
More informationGetting a Better Framework Accountability and the objective. Bulletin
Accountability and the objective of financial reporting Bulletin sept 2013 2013 European Financial Reporting Advisory Group (EFRAG), the French Autorité des Normes Comptables (ANC), the Accounting Standards
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationPowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0
PowerKey Conditional Access System Phase 1.0 System Overview Revision 1.0 Scientific-Atlanta, Inc, Unpublished Works of Scientific-Atlanta, Inc. Copyright 1997 Scientific-Atlanta, Inc. All Rights Reserved
More informationThis document is a preview generated by EVS
INTERNATIONAL STANDARD ISO/IEC 29180 First edition 2012-12-01 Information technology Telecommunications and information exchange between systems Security framework for ubiquitous sensor networks Technologies
More informationGAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities.
GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected
More informationGeneral Terms and Conditions of the Netherlands Association of Interpreters and Translators for Translation Work
General Terms and Conditions of the Netherlands Association of Interpreters and Translators for Translation Work Definitions Client Contract (of Work) Translator 1) The natural or legal person who has
More informationImproving Performance by Breaking Down Organizational Silos. Understanding Organizational Barriers
Select Strategy www.selectstrategy.com 1 877 HR ASSET 1 877 472 7738 Improving Performance by Breaking Down Organizational Silos Understanding Organizational Barriers Restructuring initiatives have become
More informationHow a Cloud Service Provider Can Offer Adequate Security to its Customers
royal holloway s, How a Cloud Service Provider Can Offer Adequate Security to its Customers What security assurances can cloud service providers give their customers? This article examines whether current
More informationICC RESOURCE GUIDE FOR SELF-REGULATION OF ONLINE BEHAVIOURAL ADVERTISING (OBA)
ICC RESOURCE GUIDE FOR SELF-REGULATION OF ONLINE BEHAVIOURAL ADVERTISING (OBA) Highlights Explanation of global framework available for OBA self-regulation Checklist from existing OBA self-regulatory mechanisms
More informationUnderstanding the Software Contracts Process
Understanding the Software Contracts Process By John Seidl, Partner Tompkins Associates More and more often, companies are purchasing supply chain software from commercial software vendors rather than
More informationINTERNATIONAL STANDARD
ISO/IEC 14543-4-2 INTERNATIONAL STANDARD Edition 1.0 2008-05 Information technology Home electronic system (HES) architecture Part 4-2: Communication layers Transport, network and general parts of data
More informationThe Journey to the Cloud for Life Sciences Content Management
The Journey to the Cloud for Life Sciences Content Management Part 1: Industry Forces and Cloud Adoption complies with ISO 20252 Page Table of Contents Executive Summary 2 Industry Forces in Conflict 3
More informationDigital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co.
Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ 0844 586 0040 intouch@digitalpathways.co.uk Security Services Menu has a full range of Security Services, some of which are also offered as a fully
More informationCorporate Program. Consensus WE BUILD IT. Giving Industry a Direct Voice in the IEEE Standards Association
Corporate Program Giving Industry a Direct Voice in the IEEE Standards Association Consensus WE BUILD IT. 445 Hoes Lane, Piscataway, NJ 08854 USA standards.ieee.org Tel. +1 732-981-0060 Fax +1 732-562-1571
More informationService assurance for communications service providers White paper. Improve service quality and enhance the customer experience.
Service assurance for communications service providers White paper Improve service quality and enhance the customer experience. December 2007 2 Contents 2 Overview 2 Move to a competitive business model
More informationACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances
ACL WHITEPAPER Automating Fraud Detection: The Essential Guide John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances Contents EXECUTIVE SUMMARY..................................................................3
More information