The History Of Information Security Standards


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The current Information Security Standards in place at the Department of Veterans Affairs are comprehensive and inclusive across the organization. The scope and design of the standard defined by the VA draw on FIPS (Federal Information Processing Standards) and NIST (National Institute of Standards & Technology) publications in order to structure the Information Security standards for the organization.

Several standards from FIPS and NIST sources are used in order to cover the full scope of an Information Security program. However, besides the standards referenced, other Information Security standards could also be utilized by an organization to devise and construct such a program. The most obvious alternative standards are as follows:

ISO 27001 – provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System

ISO 27005 – supports the requirements of an information security management system as defined by ISO 27001. (ISO 27000 Directory, 2009)

Additional ISO standards as defined through ISO2002:ISO2005 would also be referenced within an alternative, but the core framework of an Information Security standard would be created through the application of ISO 27001 and ISO 27005.

In order to best determine the differences between such standards, it is possible to compare and contrast them in the context of Information Security and their requirements. For the VA we can compare the stated NIST standard with the equivalent ISO standard:

NIST 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems

ISO 27002 – code of practice for information security. It outlines hundreds of potential controls and control mechanisms which may be implemented, in theory, subject to the guidance provided within ISO 27001. (ISO 27000 Directory, 2009)

The NIST standard provides 8 principles and 14 practices to be applied in an Information Security Standard, while the ISO standard sets out guidelines and practices to be followed but is less rigidly structured.

NIST 800-14

Principles:

Computer Security Supports the Mission of the Organization

Computer Security is an Integral Element of Sound Management

Computer Security should be Cost-Effective

System Owners have Security Responsibilities outside their own Organizations

Computer Security Responsibilities and Accountability should be made Explicit

Computer Security requires a Comprehensive and Integrated Approach

Computer Security should be Periodically Re-Assessed

Computer Security is constrained by Societal Factors

Practices:

Policy

Program Management

Risk Management

Life-Cycle Planning

Personnel/User Issues

Preparing for Contingencies & Disasters

Computer Security Incident Handling

Awareness & Training

Security Considerations in Computer Support & Operations

Physical & Environmental Security

Identification & Authentication

Logical Access Control

Audit Trails

Cryptography

ISO 27002

Common best practices:

0.  Introduction

1.  Scope

2.  Terms and definitions

3.  Structure of this standard

4.  Risk assessment and treatment

5.  Security policy

6.  Organization of information security

7.  Asset management

8.  Human resources security

9.  Physical and environmental security

10. Communications and operations management

11. Access control

12. Information systems acquisition, development and maintenance

13. Information security incident management

14. Business continuity management

15. Compliance

While both standards are broken down into several sub-categories, the impression given is that the ISO standard is more of an all-encompassing standard. If we examine the following specific areas we can better understand the differences between them.

Awareness & Training (AT – Operational Class)

NIST specifies the scope of any awareness initiative or training program that is to be implemented for Information Security, along with identification of the target audience and those who will administer the training. Crucially, the support of operational management along with employees in general is required for the training to be successfully implemented. Having implemented a program, there should be a continual review of the appropriateness of the technologies outlined given changing circumstances. ISO covers this topic under Human Resources security with a general overview of the need for staff training, but this is left a lot more open-ended than the NIST equivalent.

Policy

NIST explicitly defines the need for and objective of an Information Security standard. Policy is "senior management's directives to create a computer security program, establish its goals, and assign responsibilities" (NIST, 1996), and such a policy should further be defined through a Program Policy, Issue-Specific Policies and System-Specific Policies. Similarly, ISO defines the requirements of a Security policy and the role that is to be played by management in its creation and administration: "Management should define a policy to clarify their direction of, and support for, information security." (ISO 27000 Directory, 2009) This would then be supported through more detailed organizational Information Security policies which together form an all-inclusive manual.

Risk Management (RA – Management Class)

NIST comprehensively underlines the importance of appraising and assessing risks, along with the necessary steps that should be undertaken to minimize and prevent risk. This also includes controls to evaluate the effectiveness of such measures as and when they are implemented. ISO allows for the identification of such risks and the evaluation of their potential impact, but it doesn't offer the same scope or guidance as to the ways in which such risks can be mitigated or such processes quantified.

The difference between the Operational and Management classes as defined by the NIST Security Controls catalog SP 800-53 relates to whether the responsibility for a given control rests with operational employees or at the management level.
