Standards Help to Limit Hackers in Gaining Access to Critical Infrastructure, by Ron McFarland, Ph.D.

Many industry standards exist to help keep attackers away from an organization's critical information. Security standards act as a framework that helps the network administrator, the security administrator, and the development team prevent attackers from breaking into information systems.

Several noted sources of guidance include NIST (the National Institute of Standards and Technology), OWASP (the Open Web Application Security Project), the IEEE Standards Association (part of the Institute of Electrical and Electronics Engineers), and ISO (the International Organization for Standardization); these are a few of the important bodies whose standards guide the Information Technology field. This brief article focuses on the ISO standards, as a recap of an important set of standards.

The ISO/IEC 27000 series is developed, maintained, and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its best-known member, ISO/IEC 27001, sets out the requirements for an organization's information security management system (ISMS). The wider 27000 series is a set of mutually supporting information security standards that provide an internationally recognized framework for best practice in information security management. ISO/IEC 27001 is the standard against which an organization can audit its ISMS, determine conformance, and apply for certification; most of the other members of the family are supporting guidance. The individual published standards in the ISO 27000 family are (get ready, the list is long, but it provides you with an 'index' of sorts to start with):

ISO/IEC 27000: Overview and vocabulary for the ISMS family
ISO/IEC 27001: ISMS requirements (the certifiable standard)
ISO/IEC 27002: Code of practice for information security controls
ISO/IEC 27003: ISMS implementation guidance
ISO/IEC 27004: Monitoring, measurement, analysis and evaluation
ISO/IEC 27005: Information security risk management
ISO/IEC 27006: Requirements for bodies providing audit and certification of an ISMS
ISO/IEC 27007: Guidelines for ISMS auditing
ISO/IEC 27008: Guidelines for auditors on information security controls
ISO/IEC 27009: Sector-specific application of ISO/IEC 27001
ISO/IEC 27010: Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011: Information security controls for telecommunications organizations
ISO/IEC 27013: Integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014: Governance of information security
ISO/IEC 27016: Organizational economics of information security management
ISO/IEC 27017: Information security controls for cloud services
ISO/IEC 27018: Protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27023: Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002
ISO/IEC 27031: ICT readiness for business continuity
ISO/IEC 27032: Guidelines for cybersecurity
ISO/IEC 27033: Network security (multi-part)
ISO/IEC 27034: Application security (multi-part)
ISO/IEC 27035: Information security incident management
ISO/IEC 27036: Information security for supplier relationships
ISO/IEC 27037: Identification, collection, acquisition and preservation of digital evidence
ISO/IEC 27038: Specification for digital redaction
ISO/IEC 27039: Selection, deployment and operation of intrusion detection and prevention systems (IDPS)
ISO/IEC 27040: Storage security
ISO/IEC 27041: Assuring suitability and adequacy of incident investigative methods
ISO/IEC 27042: Analysis and interpretation of digital evidence
ISO/IEC 27043: Incident investigation principles and processes
ISO/IEC 27050: Electronic discovery (eDiscovery)
ISO/IEC 273013

Aside from the published ISO standards, there are emerging standards based on evolving technology (some of which will be supported by the aforementioned ISO, IEEE, OWASP, and NIST work). Over two dozen standards are moving through the vetting process. For a standard to become accepted and published, a six-step development process occurs. It begins with a preliminary stage, in which the initial feasibility of the standard is assessed. It then moves to the proposal stage, where the scope of the standard is formally described. Next, a working draft is developed in the preparatory stage. The draft then moves to the committee stage, where it is examined for quality. After that the standard is ready for final approval: ISO member bodies vote on it and submit any pertinent comments. If approved, the standard is then published (IT Governance UK, 2018).

The bottom line with standards is that we need to set up a security infrastructure that makes it very difficult for attackers to take advantage of our information resources. When designing and implementing a security infrastructure, security frameworks such as ISO/IEC 27001 and several others are useful because they act as a blueprint, providing policies, standards, and best practices (Whitman & Mattord, 2018).

Works Cited

IT Governance UK. (2017, November 20). What is the ISO 27000 series of standards? Retrieved from IT Governance Blog: https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards/

IT Governance UK. (2018). The ISO/IEC 27000 Family of Information Security Standards. Retrieved from IT Governance: https://www.itgovernance.co.uk/iso27000-family

Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Boston: Cengage Learning.

About the Author

Ron McFarland is a technologist at heart who works happily with students and as a consultant. Demonstrating his love for the field, he received his Ph.D. from the College of Engineering and Computer Science and a post-doc in Cybersecurity Technologies. He is a guest blogger at Wrinkled Brain Net (http://www.wrinkledbrain.net), a blog dedicated to Cyber Security and Computer Forensics. Dr. McFarland can be reached at his UMUC email: ronald.mcfarland@faculty.umuc.edu
