Welcome to this video on information assurance standards.

Standards are seemingly present in every area of our lives. If you look at the back of a mobile phone, a bottle of detergent or a tin of dog food, you’ll see a variety of kite marks, statements of compliance and attestations to quality, safety and efficiency that, in many cases, are mandatory requirements for manufacturers.

Information assurance has its own standards – at national and international level – which apply to services, systems and products. The Information Security manager is responsible for ensuring the organization has policies and processes in place to meet them.

This video defines the relevant information assurance standards, including those prescribed by the International Organization for Standardization (ISO) and describes how they should be applied within an organization.

It will also guide you on how you can further research the relevance of these standards to your own environment.

Standards are created and maintained by organizations known as standards bodies. These organizations are often staffed by industry representatives and provide a ‘best practice’ view of how the standards should be applied in the target industry.

International organizations, such as the International Organization for Standardization govern a multitude of standards which have been widely adopted by the industries they’ve been created for. This means that a service certified as being ISO compliant in one country, should be as secure, safe or robust as it would be in another country.

Governments will also create their own standards, for example in the military or defence sectors.

Other standards can be jurisdictional, meaning they apply within a specific national legal framework. For example, the Regulation of Investigatory Powers Act, where the UK Government specifies how organizations handle, access and share evidence in a criminal investigation.

Some standards are considered mandatory, such as the PCI-DSS standards for handling payment card transactions. Others are optional, yet highly recommended, such as ISO 27001.

ISO is responsible for publishing and maintaining the largest collection of industrial standards in the world today, with representation and collaboration from over 150 countries. They work closely with two other standards bodies – the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU). Together these form the super-standards organization known as the World Standards Co-operation.

In addition to the standards conceived directly by ISO, others have been adopted from national standards bodies, such as the British Standards Institute (BSI). An example from an information security perspective is BS 7799; this was the pre-cursor for the internationally adopted ISO/IEC 27001 and 27002 standards. 

ISO/IEC 27005 provides guidance for information security risk management and is a useful standard for an organization to adopt if a risk management methodology isn’t already in place. Rather than specifying the risk analysis method, it specifies the process for analysing risks, leading to the creation of a risk treatment plan.

This standard works alongside the general security concepts specified in ISO/IEC 27001 and is one of the standards that you should learn more about for the CISMP exam.

Many organizations require their suppliers and trading partners to be certified to specific security standards. In fact, many organizations won’t do business with a potential partner until they can prove they’re secure. Certifications can be applied at the enterprise level, where a whole company gains accreditation, or a system or set of processes can be audited and awarded certification.

The extent to which an organization must go through the certification process is dictated by who they’re trading with. In some cases, government suppliers could be audited by another government department, such as GCHQ, to make sure their information security management system is to the standards required by that department.

Interestingly, the ISO standard 27006 is used to guide the ISO 27001 auditors in how to conduct audits.

The most widely used networking protocol, TCP/IP, is ultimately governed by the Internet Society. 

The Internet Society’s Internet Engineering Task Force publishes new proposed standards in draft format as a Request for Comments for discussion by its members. Each Request for Comments has a number; if it becomes accepted, it changes from being a draft standard to a standard.

Not all Request for Comments are published as standards; some are simply informational documents.

Security related products require a measure of confidence that the security enforcing functions they deliver are implemented properly. For example, it’s little use if a product providing cryptography has flaws in its algorithm coding which make it easily broken.

The industry regulates the claims made by vendors through product certifications. These involve testing by an independent body specialising in security evaluation.

In the past, evaluations have primarily been carried out by, or on behalf of, government agencies. However, this approach meant certifications were at a national level, so products certified in the US needed to be re-certified in the UK. This was a cost that the vendor had to bear so wasn’t often pursued.

The Common Criteria for Information Technology Security Evaluation (CC), based on ISO 15408 is the latest method which moves away from national level certifications to ones that are transferrable across borders.

Each time a product – known as the target of evaluation (or ToE) – is tested under ISO 15408, it’s evaluated against security criteria known as the security target.  After the evaluation it achieves an evaluation assurance level, the EAL, ranging from 1 (the lowest) to 7 (the highest). This specifies how thoroughly the product has been tested.

The highest EAL only applies to products that have been thoroughly tested and evaluated, down to the level of code analysis and mathematical modelling of failure conditions. As EAL 7 is a very expensive process, very few products attain this level of confidence, typically only military grade cryptographic devices.

Government agencies around the world rely heavily on cryptography to protect sensitive information at rest in stored in databases or file systems, and in transit over communications systems.

Increasingly, organizations are also turning to cryptographic services to protect the confidentiality and integrity of the data they handle. For example, organizations who deal in e-commerce, critical infrastructure and other application areas like banking and media. 

In order to ensure that cryptographic products are secure enough to provide the required trust and assurance, government agencies like NIST in the US and GCHQ in the UK, perform tests on the cryptographic services to prove they’re as strong as they claim to be.

Federal Information Processing Standards Publications, known as FIPS PUBS in the US, are used to publish the most pertinent standards for their security industry. NIST will also test products and publishes a directory, similar to the Common Criteria directory, of products that have achieved various levels of security testing.

Many of these FIPS standards are transferable to the UK where the certification of a security product as FIP compliant, means it’s been tested by the US government NIST labs and assured against a specific level of testing. For example, FIPS 140-2 is the certification scheme for Security Requirements for Cryptographic Modules.

Security testing can be to one of four distinct levels, where level 1 provides the lowest level of testing and level 4 provides a rigorous, comprehensive testing regime that can uncover even the most esoteric security flaws. The higher the level of product testing, the higher the cost of testing.

In Europe, the French-based European Telecommunications Standards Institute, or ETSI, has the responsibility for standards relating to information and communications technology in the EU. ETSI is formally recognised by the European Free Trade Association and is primarily responsible for providing technical standards that feed into EU Directives and Regulations.

Product vendors demonstrate their conformance by displaying the ‘CE’ kite mark on the products they produce. The ETSI comprises industry member representation across a range of disciplines including manufacturing, network operations, systems administration, security and research bodies, as well as representation from academia. Most countries in the EU are represented.

It’s generally a good idea for IT managers to use the ISO/IEC 27000 series of standards, even if the organization doesn’t support full certification.

Ancillary standards relating to records retention, business continuity, and project management are also very relevant for information assurance professionals.

Understanding how to integrate information assurance standards alongside other business standards and requirements is a valuable addition to the information assurance professional’s consulting toolkit.

That’s the end of this video on information assurance standards.