Information Security:
Standards Organizations
- American National Standards Institute (ANSI)
[www.ansi.org] — A private, non-profit organization
that administers and coordinates the U.S. voluntary standardization and conformity
assessment system. Note that the standards are not free.
- Global Engineering Documents [global.ihs.com] —
The company that sells electronic and paper copies of all ANSI and ISO standards, as well as numerous
government standards. Hundreds of standards on "Security" are available.
The Department of Defense Index of Specifications and Standards (Alpha and Numerical
Listing) (DODISS), Revision 2, dated 7/01/2002, is 1592 pages long and is priced in
hardcopy form at $285.00.
- British Standards Institute (BSi)
[www.bsi-global.com] — Over a century old, BSi pioneered
the development of the first recognized standards for quality management systems. Today BSi
has a staff of over 4,900 operating in 110 countries.
- British Standard 7799 (BS7799)
[www.securityauditor.net] —
An internationally recognized set of recommendations for developing security policies and
conducting audits. Divided into ten sections to cover each aspect of an organization's
information security program. An updated Part II of BS7799 defines the requirements
for achieving certification under the Information Security Management System standard.
- Center for Internet Security (CIS)
[www.cisecurity.org] —
The CIS releases free security benchmarks that come with tools to measure compliance.
These benchmarks and tools are widely adopted and have become important products of DHS-sponsored
public/private partnerships.
- Institute of Electrical and Electronics Engineers (IEEE)
[www.ieee.org] — The IEEE Standards Association is a membership
organization that produces standards that are developed and used internationally.
- IEEE standards that relate to Security
[http://odysseus.ieee.org]
— This online site provides over 140 security-related standards to members who
subscribe to this service.
- International Information Systems Security Certification Consortium, Inc. (ISC)²
[www.isc2.org] —
The organization that sponsors and grants Certified Information Systems Security
Professional (CISSP) status to qualified individuals.
- International Organization for Standardization (ISO)
[www.iso.ch] — A non-governmental worldwide federation
established in 1947 and made up of the national standards organizations from 145 countries.
- Internet Architecture Board (IAB)
[www.iab.org/] —
The responsibilities of this committee of the Internet Engineering Task Force (IETF)
include oversight of the process used to create Internet standards, editorial management
and publication of the Request for Comments (RFC) document series, and
administration of the Internet Assigned Numbers Authority (IANA).
- Internet Assigned Numbers Authority (IANA) index to numbers
[www.iana.org/numbers.html] —
This IANA site houses the protocol standards necessary for the operation of the
Internet and its future development.
- National Institute of Standards and Technology (NIST)
[csrc.nist.gov/] —
The U.S. government organization responsible for defining standards to protect and assure
the security of sensitive but unclassified data within government agencies. The
Computer Security Division (CSD) is one of eight divisions within NIST's Information
Technology Laboratory.
- Computer Security Resource Center (CSRC)
[csrc.nist.gov/publications/nistpubs/index.html] —
This NIST CSD web site provides a long list of available NIST security publications.
Most of these are online and in NIST's Special Publications 800 (SP 800-nn) series.
- Guide to NIST Information Security Documents
[csrc.nist.gov/publications/CSD_DocsGuide.pdf] —
This guide is intended to make NIST information security (IS) documents more accessible, especially to newcomers.
It lists documents by type, number, family, and legal requirement. May 2007
- Federal Information Processing Standard 200 (FIPS 200)
[csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf]
— In support of Title III (FISMA) of the E-Government
Act (P.L. 107-347), this standard specifies the minimum security requirements
for federal information and information systems. March 2006
- Federal Information Processing Standard 201 (FIPS 201-1)
[csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf]
— A 2004 Homeland-Security Presidential Directive requires U.S. government-wide adoption
of smart cards for physical and IT systems access as specified in this NIST FIPS publication.
Agencies must have processes established for Personal Identity Verification (PIV), registration,
and the issuing of ID cards by October 27, 2005. Agencies must start using the cards, which
must support two-factor authentication and be interoperable across all agencies, by October 2006.
- Guide for Developing Security Plans for Federal Information Systems, Revision 1 (SP 800-18)
[csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf]
— Considered to be an improvement over the earlier version, this version nevertheless may
lack some specifics federal agencies need to write adequate security plans. February 2006
- Guidelines for Securing Radio Frequency Identification (RFID) Systems (SP 800-98)
[csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf]
— Provides an overview of RFID technology and focuses on security controls that are
commercially available today. Directed at government and other organizations, such as hospitals,
these guidelines will help them review and improve privacy while reducing the security risks
associated with RFID technology. April 2007
- Guide for Securing Microsoft Windows XP Systems for IT Professionals
[csrc.nist.gov/itsec/download_WinXP.html]
— Provides recommended security settings and was developed at NIST, which collaborated with
NSA, DISA, USAF, CIS, and Microsoft to produce Windows XP security templates. Downloads now
include Draft SP 800-68 Revision 1 of the Guide. Agencies with Windows XP or with plans to
upgrade to XP must adopt these standard security configurations. July 2008
- Guide for Securing Microsoft Windows Vista
[csrc.nist.gov/itsec/guidance_vista.html]
— This guide was developed by Microsoft through
collaboration with NIST, DISA, and NSA to produce Windows Vista baseline security settings for
Enterprise (EC) and Specialized Security/Limited Functionality (SSLF) environments.
NIST produced XML versions of the recommended profiles in Extensible Configuration Checklist
Description Format (XCCDF) and the Open Vulnerability and Assessment Language (OVAL). Agencies
with Windows Vista or with plans to upgrade to Vista must adopt these standard security configurations
by February 1, 2008. March 2007
- Federal Desktop Core Configuration (FDCC)
[csrc.nist.gov/fdcc/]
— As directed by OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft,
NIST provides resources to help agencies test, implement, and deploy the Microsoft Windows
XP and the FDCC baseline. August 2007
- Other Federal Information Processing Standards
[csrc.nist.gov/publications/fips/index.html]
— See this index for other FIPS documents.
- NIST Interagency Reports (NIST IR)
[csrc.nist.gov/publications/nistir/]
— See this index for NIST interagency reports related to security.
- National Security Agency (NSA)
[www.nsa.gov] — The U.S. government agency responsible
for protecting classified data within government agencies. NSA provides the solutions,
products, and services to achieve information assurance for information infrastructures
critical to U.S. national security interests.
Copyright © 2002 - 2008, 2010 by Daniel W. Hancock. All Rights Reserved.