Other standards relevant to your organisation
Your own organisation will have procedures specific to it and its operations, so on top of the global standards that guide you, there is local information in place to support you in your day-to-day tasks.
But, you’re not just protected by the guidance in place. Can you think of how else your systems might be protected?
Security products and evaluations
The security products you use are themselves subject to scrutiny: they are evaluated by independent bodies, certified against common standards such as those published by ISO/IEC, and tested to a defined assurance level. So it is not only you who has standards to follow; the tools you rely on do too. Time for a little more detail on this…
Security products and certification
Security-related products require a measure of confidence that the security-enforcing functions they deliver are implemented properly. Rather than taking a vendor's word for it, the industry checks those claims through product certification, in which an independent laboratory specialising in security evaluation tests the product against a published standard.
In the past, evaluations were carried out primarily by, or on behalf of, national government agencies. That meant certifications were recognised only at a national level, so a product certified in the US needed to be re-certified in the UK. The vendor had to bear that cost, so multiple certifications were rarely pursued.
The Common Criteria
The Common Criteria for Information Technology Security Evaluation (CC), published as ISO/IEC 15408, replaces purely national certifications with ones that are recognised across borders. That recognition is provided by the Common Criteria Recognition Arrangement (CCRA), under which participating nations accept each other's certificates; note that mutual recognition applies to lower assurance levels (up to EAL 2) and to evaluations against agreed collaborative Protection Profiles, so a high-EAL certificate issued in one country is not automatically accepted everywhere.
Each time a product, known as the target of evaluation (TOE), is evaluated under ISO/IEC 15408, it is assessed against a document called the security target, which states the security functions the product claims to provide and the assurance requirements it will be checked against. After the evaluation it achieves an evaluation assurance level (EAL), ranging from 1 (the lowest) to 7 (the highest). The EAL describes how rigorously the product was examined, not how strong its security is: an EAL 4 firewall is not "more secure" than an EAL 2 firewall, it has simply been checked more thoroughly against its own security target.
Security testing and EAL
An Evaluation Assurance Level is a ranking assigned to an IT product that indicates the depth and rigour of the evaluation it underwent. The higher levels demand progressively more evidence from the vendor and more independent testing; EAL 7 requires a formally (mathematically) specified and verified security design, backed by analysis of the implementation. Because an EAL 7 evaluation is very expensive and time-consuming, very few products attain it, typically only devices such as military-grade cryptographic equipment or security kernels with a small, tightly bounded set of functions.
The NCSC, CPA and CTAS
The National Cyber Security Centre (NCSC) is part of the United Kingdom Government and provides advice and support to the public and private sectors on avoiding computer security threats. Among its assurance activities, the NCSC runs Commercial Product Assurance (CPA) for smart meters and smart metering products. The NCSC also approves test laboratories (the British Standards Institution is one) to deliver services such as the Tailored Assurance Service (CTAS; the "C" is a legacy of CESG, the NCSC's predecessor), in which the laboratory evaluates the IT security attributes of a specific system rather than a generic product.
Another essential partner for the NCSC is the Information Assurance for Small and Medium Enterprises (IASME) Consortium, which manages the Cyber Essentials scheme to ensure that a set of basic technical cyber security controls is in place and effective. If you want to work with the MOD, you will need to meet its cyber security requirements, which build on the Cyber Essentials foundation and become more demanding as the contract's cyber risk profile rises.
Other standards
Federal Information Processing Standards Publications (FIPS)
Federal Information Processing Standards Publications, known as FIPS PUBS in the US, are the vehicle through which NIST publishes mandatory standards for US federal information systems, including many of the most pertinent standards for the security industry. NIST also operates validation programmes and publishes a directory, similar to the Common Criteria certified-products list, of products that have passed testing at a stated level. The testing itself is performed by independent laboratories accredited by NIST; NIST reviews the results and issues the validation certificate.
Many of these FIPS standards are used outside the US, including in the UK, where a FIPS validation certificate for a security product means it has been tested by an accredited laboratory and validated by NIST against a specific level. For example, FIPS 140-3, Security Requirements for Cryptographic Modules, is the standard against which cryptographic modules are validated under the Cryptographic Module Validation Program (CMVP). A practical caveat: "FIPS validated" means the module holds a certificate that you can look up in the CMVP directory, whereas a vendor describing a product as merely "FIPS compliant" is making a claim that has not been independently tested.
Capability Maturity Model (CMM)
What’s next?
So, now that you have a better understanding of the assurance behind the security products you use, as well as the guidance provided for you, you should feel reassured that a great deal of effort goes into protecting information on a global scale. It would be naive, though, to assume that nothing ever goes wrong, so it is time to read more on Security Incident Management and gather the tools necessary to deal with disruptions.