The standards detailed here were developed to help evaluate and establish system assurance and measure and assess security. Trust gives us some assurance that these systems will operate in a given and predictable manner and that our IT infrastructure is secure.
Common Criteria (CC) for IT Security Evaluation
The CC is used for the evaluation of Information Technology (IT) security systems. It contains both functional requirements and assurance requirements.
The three links that follow are for sites in the United States, Canada, and the United Kingdom. Each provides more information about Common Criteria and its application.
http://csrc.nist.gov/cc/
http://www.cse-cst.gc.ca/en/services/common_criteria/common_criteria.html
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1
FIPS PUB 140-1 and 140-2
FIPS 140-1 describes security requirements for U.S. federal government purchases. FIPS 140-2 specifies the security requirements to be satisfied by cryptographic modules used within security systems. These publications are sponsored by the U.S. Department of Commerce and the National Institute of Standards and Technology.
ISO17799
ISO17799 is a comprehensive set of controls comprising best practices in information security. Its predecessor was the British Standard for Information Security Management (BS 7799). Read more about it at
www.iso-17799.com
GAO Risk Assessment Process
The document Basic Elements of the Risk Assessment Process (GAO 00-33) is available at the following link:
http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-33
OSSTMM
OSSTMM stands for the Open Source Security Testing Methodology Manual. To learn more about the OSSTMM, visit the following link:
http://www.isecom.org/osstmm/
DoD Rainbow Series
Although most of them have been superseded by the CC, the Rainbow Series documents still offer some useful information. These standards can be found at
http://csrc.nist.gov/secpubs/rainbow
NIST
The following is a list of security-related National Institute of Standards and Technology (NIST) documents that can be obtained by accessing the NIST website at
http://csrc.nist.gov/publications/nistpubs
SP 800-2 Public-Key Cryptography
SP 800-3 Establishing a Computer Security Incident Response Capability (CSIRC)
SP 800-4 Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials
SP 800-5 A Guide to the Selection of Anti-Virus Tools and Techniques
SP 800-6 Automated Tools for Testing Computer System Vulnerability
SP 800-7 Security in Open Systems
SP 800-8 Security Issues in the Database Language SQL
SP 800-9 Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
SP 800-10 Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
SP 800-11 The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security
SP 800-12 An Introduction to Computer Security: The NIST Handbook
SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-15 Minimum Interoperability Specification for PKI Components (MISPC), Version 1
SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172)
SP 800-17 Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-19 Mobile Agent Security
SP 800-20 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-21 Guideline for Implementing Cryptography in the Federal Government
SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-23 Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-24 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-28 Guidelines on Active Content and Mobile Code (October 2001)
SP 800-29 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-31 Intrusion Detection Systems (IDS)
SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33 Underlying Technical Models for Information Technology Security
SP 800-34 Contingency Planning Guide for Information Technology Systems
SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques
SP 800-40 Procedures for Handling Security Patches
SP 800-41 Guidelines on Firewalls and Firewall Policy
SP 800-44 Guidelines on Securing Public Web Servers
SP 800-45 Guidelines on Electronic Mail Security
SP 800-46 Security for Telecommuting and Broadband Communication
SP 800-47 Security Guide for Interconnecting Information Technology Systems
SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-55 Security Metrics Guide for Information Technology Systems
SP 800-58 Security Considerations for Voice Over IP Systems
SP 800-61 Computer Security Incident Handling Guide
SP 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification