TechSecure Holdings Inc. – Standards

Public and private businesses that adopt standards for information security establish a level of transparency and trust with consumers and partners for their products and services. This gives these businesses a great competitive advantage. In addition, these businesses establish a consistent process and consistent outcomes with their own external suppliers who assist with the development of secure products and services. While local standards are very helpful, they are generally applicable to local markets only, which minimizes their potential business value. International standards are more widely accepted within specialized industries like finance, pharmaceuticals and manufacturing. Therefore, businesses that adopt international standards can compete more effectively in the global marketplace.

Benefits of adopting international standards include:

  • For service providers, international standards for terminology, compatibility and information security specifications for information, software, hardware and telecommunications shorten the time it takes to bring products from development to market.
  • For customers, the worldwide compatibility of technology that is achieved when products and services are based on international standards maintains a higher level of integrity. The conformity of private and public sector businesses' products and services to international standards provides assurance to consumers about the quality, security and reliability of those products and services.
  • For governments, international standards provide the technological and scientific bases for designing, implementing and maintaining information systems that handle sensitive information, and ensure that those systems are secure.
  • For everyone, international standards contribute to the quality of life in general by ensuring that the organizations we rely on, such as banks, health authorities, governments and telephone/internet service providers, are secure.


ISO/IEC 27001

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
  • Design and implement a coherent and comprehensive set of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

Published standards in the ISO/IEC 27000 series include the following:

  • ISO/IEC 27000 — Information security management systems — Overview and vocabulary
  • ISO/IEC 27001 — Information security management systems — Requirements
  • ISO/IEC 27002 — Code of practice for information security management
  • ISO/IEC 27003 — Information security management system implementation guidance
  • ISO/IEC 27004 — Information security management — Measurement
  • ISO/IEC 27005 — Information security risk management
  • ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27033-1 - Network security overview and concepts
  • ISO 27799 - Information security management in health using ISO/IEC 27002 [standard produced by the Health Informatics group within ISO, independently of ISO/IEC JTC1/SC27]

Under development

  • ISO/IEC 27007 - Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC 27008 - Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27013 - Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
  • ISO/IEC 27014 - Information security governance framework
  • ISO/IEC 27015 - Information security management guidelines for the finance and insurance sectors
  • ISO/IEC 27031 - Guideline for ICT readiness for business continuity (essentially the ICT continuity component within business continuity management)
  • ISO/IEC 27032 - Guideline for cyber-security (essentially, 'being a good neighbour' on the Internet)
  • ISO/IEC 27033 - IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
  • ISO/IEC 27034 - Guideline for application security
  • ISO/IEC 27035 - Security incident management
  • ISO/IEC 27036 - Guidelines for security of outsourcing
  • ISO/IEC 27037 - Guidelines for identification, collection and/or acquisition and preservation of digital evidence


ISO 31000

ISO 31000 is the standard for risk management; its purpose is to provide principles and generic guidelines on risk management. This standard establishes an internationally recognized framework for risk management professionals and for companies establishing risk management programs based on existing standards, methodologies and frameworks.

The Risk Management Standard comprises a framework and a process, made up of the following elements:

  • Framework
    • Mandate and commitment
    • Design of framework for managing risk
      • Understanding of the organization and its context
      • Establishing risk management policy
      • Accountability
      • Integration into organizational processes
      • Resources
      • Establishing internal communication and reporting mechanisms
      • Establishing external communication and reporting mechanisms
    • Implementing risk management
      • Implementing the framework for managing risk
      • Implementing the risk management process
    • Monitoring and review of the framework
    • Continual improvement of the framework
  • Process
    • Communication and consultation
    • Establishing the context
      • Establishing the external context
      • Establishing the internal context
      • Establishing the context of the risk management process
      • Defining risk criteria
    • Risk assessment
      • Risk identification
      • Risk analysis
      • Risk evaluation
    • Risk treatment
      • Selection of risk treatment options
      • Preparing and implementing risk treatment plans
    • Monitoring and review
    • Recording the risk management process


ISO/IEC 20000

ISO/IEC 20000 is the first international standard for IT Service Management. It was developed in 2005 by ISO/IEC JTC1 SC7. It is based on, and intended to supersede, the earlier BS 15000 developed by BSI Group. This standard for service management promotes the adoption of an integrated process approach to effectively deliver managed services that meet business and customer requirements.

ISO/IEC 20000 comprises the following eleven processes:

  • Service Support
    • Incident Management
    • Problem Management
    • Change Management
    • Release Management
    • Configuration Management
  • Service Delivery
    • Service Desk
    • Service Level Management
    • Availability Management
    • Capacity Management
    • IT Service Continuity Management
    • Financial Management for IT Services


ISO 9001

ISO 9001 is a quality management standard that can easily be adopted by any business regardless of industry. This quality management standard can help both product and service providers by establishing a proven reputable management system that identifies opportunities for improvement through continuous improvement cycles of plan-do-check-act.

Furthermore, businesses that adopt ISO 9001 have been found to outperform their competitors during the post-implementation period. Adopting a quality management system leads to business benefits such as customer satisfaction, improved inter-departmental communication, improved workflows, and new customers, partnerships and shareholders.

ISO 9001 comprises the following domains:

  • Quality management system
    • General requirements
    • Documentation requirements
  • Management responsibility
    • Management commitment
    • Customer focus
    • Quality policy
    • Planning
    • Responsibility, authority and communication
    • Management review
  • Resource management
    • Provision of resources
    • Human resources
    • Infrastructure
    • Work environment
  • Product realization
    • Planning of product realization
    • Customer-related processes
    • Design and development
    • Acquisition
    • Production and service provision
    • Control of monitoring and measuring equipment
  • Measurement, analysis and improvement
    • Monitoring and measurement
    • Control of nonconforming product
    • Analysis of data
    • Improvement


COBIT

The Control Objectives for Information and related Technology (COBIT) is a standard for information technology management, created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from the use of information technology and in developing appropriate IT governance and control in a company.

The following domains make up COBIT 4.1:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring and Evaluation





NIST Standards

The National Institute of Standards and Technology is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.


Published NIST Special Publications include the following:

  • SP 800-142 Oct. 2010 Practical Combinatorial Testing
  • SP 800-135 Aug 30, 2010 DRAFT Recommendation for Existing Application-Specific Key Derivation Functions
  • SP 800-132 Jun. 24, 2010 DRAFT Recommendation for Password-Based Key Derivation - Part 1: Storage Applications
  • SP 800-131 Jun. 16, 2010 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes
  • SP 800-130 Jun. 16, 2010 DRAFT A Framework for Designing Cryptographic Key Management Systems
  • SP 800-128 Mar. 18, 2010 DRAFT Guide for Security Configuration Management of Information Systems
  • SP 800-127 Sept. 2010 Guide to Securing WiMAX Wireless Communications
  • SP 800-126 Rev. 1 May 27, 2010 DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
  • SP 800-126 Nov. 2009 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0
  • SP 800-125 July 7, 2010 DRAFT Guide to Security for Full Virtualization Technologies
  • SP 800-124 Oct 2008 Guidelines on Cell Phone and PDA Security
  • SP 800-123 Jul 2008 Guide to General Server Security
  • SP 800-122 Apr. 2010 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
  • SP 800-121 Sept 2008 Guide to Bluetooth Security
  • SP 800-120 Sept. 2009 Recommendation for EAP Methods Used in Wireless Network Access Authentication
  • SP 800-119 Feb. 22, 2010 DRAFT Guidelines for the Secure Deployment of IPv6
  • SP 800-118 Apr. 21, 2009 DRAFT Guide to Enterprise Password Management
  • SP 800-117 July 2010 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
  • SP 800-116 Nov 2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
  • SP 800-115 Sept 2008 Technical Guide to Information Security Testing and Assessment
  • SP 800-114 Nov 2007 User's Guide to Securing External Devices for Telework and Remote Access
  • SP 800-113 Jul 2008 Guide to SSL VPNs
  • SP 800-111 Nov 2007 Guide to Storage Encryption Technologies for End User Devices
  • SP 800-108 Oct. 2009 Recommendation for Key Derivation Using Pseudorandom Functions
  • SP 800-107 Feb. 2009 Recommendation for Applications Using Approved Hash Algorithms
  • SP 800-106 Feb. 2009 Randomized Hashing for Digital Signatures
  • SP 800-104 Jun 2007 A Scheme for PIV Visual Card Topography
  • SP 800-103 Oct 6, 2006 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
  • SP 800-102 Sept. 2009 Recommendation for Digital Signature Timeliness
  • SP 800-101 May 2007 Guidelines on Cell Phone Forensics
  • SP 800-100 Oct 2006 Information Security Handbook: A Guide for Managers
  • SP 800-98 Apr 2007 Guidelines for Securing Radio Frequency Identification (RFID) Systems
  • SP 800-97 Feb 2007 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
  • SP 800-96 Sep 2006 PIV Card to Reader Interoperability Guidelines
  • SP 800-95 Aug 2007 Guide to Secure Web Services
  • SP 800-94 Feb 2007 Guide to Intrusion Detection and Prevention Systems (IDPS)
  • SP 800-92 Sep 2006 Guide to Computer Security Log Management
  • SP 800-90 Mar 2007 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
  • SP 800-89 Nov 2006 Recommendation for Obtaining Assurances for Digital Signature Applications
  • SP 800-88 Sep 2006 Guidelines for Media Sanitization
  • SP 800-87 Rev 1 Apr 2008 Codes for Identification of Federal and Federally-Assisted Organizations
  • SP 800-86 Aug 2006 Guide to Integrating Forensic Techniques into Incident Response
  • SP 800-85B-1 Sept. 11, 2009 DRAFT PIV Data Model Conformance Test Guidelines
  • SP 800-85B Jul 2006 PIV Data Model Test Guidelines
  • SP 800-85A-2 July 2010 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 Compliance)
  • SP 800-84 Sep 2006 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
  • SP 800-83 Nov 2005 Guide to Malware Incident Prevention and Handling
  • SP 800-82 Sep 29, 2008 DRAFT Guide to Industrial Control Systems (ICS) Security
  • SP 800-81 Rev. 1 Apr. 2010 Secure Domain Name System (DNS) Deployment Guide
  • SP 800-79-1 Jun 2008 Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCIs)
  • SP 800-78-3 Nov. 19, 2010 DRAFT Cryptographic Algorithms and Key Sizes for PIV
  • SP 800-78-2 Feb. 2010 Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV)
  • SP 800-77 Dec 2005 Guide to IPsec VPNs
  • SP 800-76-1 Jan 2007 Biometric Data Specification for Personal Identity Verification
  • SP 800-73-3 Feb. 2010 Interfaces for Personal Identity Verification (4 Parts)
  • SP 800-72 Nov 2004 Guidelines on PDA Forensics
  • SP 800-70 Rev. 1 Sept. 2009 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
  • SP 800-69 Sep 2006 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
  • SP 800-68 Rev. 1 Oct. 2008 Guide to Securing Microsoft Windows XP Systems for IT Professionals
  • SP 800-67 1.1 May 2008 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
  • SP 800-66 Rev 1 Oct 2008 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  • SP 800-65 Rev. 1 July 14, 2009 DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
  • SP 800-65 Jan 2005 Integrating IT Security into the Capital Planning and Investment Control Process
  • SP 800-64 Rev. 2 Oct 2008 Security Considerations in the System Development Life Cycle
  • SP 800-63 Rev. 1 Dec. 12, 2008 DRAFT Electronic Authentication Guideline
  • SP 800-63 Version 1.0.2 Apr 2006 Electronic Authentication Guideline
  • SP 800-61 Rev. 1 Mar 2008 Computer Security Incident Handling Guide
  • SP 800-60 Rev. 1 Aug 2008 Guide for Mapping Types of Information and Information Systems to Security Categories (2 Volumes: Volume 1, Guide; Volume 2, Appendices)
  • SP 800-59 Aug 2003 Guideline for Identifying an Information System as a National Security System
  • SP 800-58 Jan 2005 Security Considerations for Voice Over IP Systems
  • SP 800-57 Mar 2007 Recommendation for Key Management
  • SP 800-57 Part 3 Dec 2009 Recommendation for Key Management, Part 3
  • SP 800-56C Sept 23, 2010 DRAFT Recommendation for Key Derivation through Extraction-then-Expansion
  • SP 800-56B Aug. 2009 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
  • SP 800-56A Mar 2007 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
  • SP 800-55 Rev. 1 Jul 2008 Performance Measurement Guide for Information Security
  • SP 800-54 Jul 2007 Border Gateway Protocol Security
  • SP 800-53 Rev. 3 Aug 2009 Recommended Security Controls for Federal Information Systems and Organizations
  • SP 800-53 Rev. 2 Dec 2007 Recommended Security Controls for Federal Information Systems
  • SP 800-53A Rev. 1 Jun. 2010 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
  • SP 800-53A Jul 2008 Guide for Assessing the Security Controls in Federal Information Systems
  • SP 800-52 Jun 2005 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
  • SP 800-51 Sep 2002 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
  • SP 800-50 Oct 2003 Building an Information Technology Security Awareness and Training Program
  • SP 800-49 Nov 2002 Federal S/MIME V3 Client Profile
  • SP 800-48 Rev. 1 Jul 2008 Guide to Securing Legacy IEEE 802.11 Wireless Networks
  • SP 800-47 Aug 2002 Security Guide for Interconnecting Information Technology Systems
  • SP 800-46 Rev. 1 Jun. 2009 Guide to Enterprise Telework and Remote Access Security
  • SP 800-45 Version 2 Feb 2007 Guidelines on Electronic Mail Security
  • SP 800-44 Version 2 Sep 2007 Guidelines on Securing Public Web Servers
  • SP 800-43 Nov 2002 Systems Administration Guidance for Windows 2000 Professional System
  • SP 800-41 Rev. 1 Sept. 2009 Guidelines on Firewalls and Firewall Policy
  • SP 800-40 Version 2.0 Nov 2005 Creating a Patch and Vulnerability Management Program
  • SP 800-39 April 3, 2008 DRAFT Managing Risk from Information Systems: An Organizational Perspective
  • SP 800-38A Dec 2001 Recommendation for Block Cipher Modes of Operation: Methods and Techniques
  • SP 800-38A Addendum Oct. 2010 Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
  • SP 800-38B May 2005 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
  • SP 800-38C May 2004 Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
  • SP 800-38D Nov 2007 Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
  • SP 800-38E Jan. 2010 Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices
  • SP 800-37 Rev. 1 Feb. 2010 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • SP 800-36 Oct 2003 Guide to Selecting Information Technology Security Products
  • SP 800-35 Oct 2003 Guide to Information Technology Security Services
  • SP 800-34 Rev. 1 May 2010 Contingency Planning Guide for Federal Information Systems
  • SP 800-33 Dec 2001 Underlying Technical Models for Information Technology Security
  • SP 800-32 Feb 2001 Introduction to Public Key Technology and the Federal PKI Infrastructure
  • SP 800-30 Jul 2002 Risk Management Guide for Information Technology Systems
  • SP 800-29 Jun 2001 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
  • SP 800-28 Version 2 Mar 2008 Guidelines on Active Content and Mobile Code
  • SP 800-27 Rev. A Jun 2004 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
  • SP 800-25 Oct 2000 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
  • SP 800-24 Aug 2000 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • SP 800-23 Aug 2000 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • SP 800-22 Rev. 1a Apr. 2010 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
  • SP 800-21 2nd edition Dec 2005 Guideline for Implementing Cryptography in the Federal Government
  • SP 800-20 Oct 1999 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
  • SP 800-19 Oct 1999 Mobile Agent Security
  • SP 800-18 Rev.1 Feb 2006 Guide for Developing Security Plans for Federal Information Systems
  • SP 800-17 Feb 1998 Modes of Operation Validation System (MOVS): Requirements and Procedures
  • SP 800-16 Rev. 1 Mar. 20, 2009 DRAFT Information Security Training Requirements: A Role- and Performance-Based Model
  • SP 800-16 Apr 1998 Information Technology Security Training Requirements: A Role- and Performance-Based Model
  • SP 800-15 Version 1 Sep 1997 MISPC Minimum Interoperability Specification for PKI Components
  • SP 800-14 Sep 1996 Generally Accepted Principles and Practices for Securing Information Technology Systems
  • SP 800-13 Oct 1995 Telecommunications Security Guidelines for Telecommunications Management Network
  • SP 800-12 Oct 1995 An Introduction to Computer Security: The NIST Handbook
