Security Standards
The standards detailed here were developed to help evaluate and establish system assurance and measure and assess security. Trust gives us some assurance that these systems will operate in a given and predictable manner and that our IT infrastructure is secure.
Common Criteria (CC) for IT Security Evaluation
The CC is used for evaluation of Information Technology (IT) security systems. IT contains both functional requirements and assurance requirements.
The three links that follow are for sites in the United States, Canada, and the United Kingdom. Each provides more information about Common Criteria and its application.
http://csrc.nist.gov/cc/
http://www.cse-cst.gc.ca/en/services/common_criteria/common_criteria.html
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=1
FIPS PUB 140-1 and 140-2
FIPS 140-1 describes security requirements for U.S. federal government purchases. FIPS 140-2 specifies security requirements to be satisfied by a cryptographic modules used within security systems. These publications are sponsored by the U.S. Department of Commerce and the National Institute of Science and Technology.
ISO17799
ISO17799 is a comprehensive set of controls comprising best practices in information security. Its predecessor was British Standard for Information Security Management (BS 7799). Read more about it at
www.iso-17799.com
GAO Risk Assessment Process
The document, Basic Elements of the Risk Assessment Process GAO 00-33, is available at the following link:
http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-33
OSSTMM
Open Source Security Testing Methodology Manual. To learn more about the OSSTMM, visit the following link:
http://www.isecom.org/osstmm/
DoD Rainbow Series
Although most have been superceded by the CC, the Rainbow series of documents still offer some useful information. These standards can be found at
http://csrc.nist.gov/secpubs/rainbow
NIST
The following is a list of security-related National Institute of Standards and Technology (NIST) documents that can be obtained by accessing the NIST website at
http://csrc.nist.gov/publications/nistpubs
SP 800-2 Public-Key Cryptography
SP 800-3 Establishing a Computer Security Incident Response Capability (CSIRC)
SP 800-4 Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials
SP 800-5 A Guide to the Selection of Anti-Virus Tools and Techniques
SP 800-6 Automated Tools for Testing Computer System Vulnerability
SP 800-7 Security in Open Systems
SP 800-8 Security Issues in the Database Language SQL
SP 800-9 Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
SP 800-10 Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
SP 800-11 The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security
SP 800-12 An Introduction to Computer Security: The NIST Handbook
SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-15 Minimum Interoperability Specification for PKI Components (MISPC), Version 1
SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500172)
SP 800-17 Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-19 Mobile Agent Security
SP 800-20 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-21 Guideline for Implementing Cryptography in the Federal Government
SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-23 Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-24 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-28 Guidelines on Active Content and Mobile Code October 2001
SP 800-29 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-31 Intrusion Detection Systems (IDS)
SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33 Underlying Technical Models for Information Technology Security
SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-33 Underlying Technical Models for Information Technology Security
SP 800-34 Contingency Planning Guide for Information Technology Systems
SP 800-38A Recommendation for Block Cipher Modes of OperationMethods and Techniques
SP 800-40 Procedures for Handling Security Patches
SP 800-41 Guidelines on Firewalls and Firewall Policy
SP 800-44 Guidelines on Securing Public Web Servers
SP 800-45 Guidelines on Electronic Mail Security
SP 800-46 Security for Telecommuting and Broadband Communication
SP 800-47 Security Guide for Interconnecting Information Technology Systems
SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-55 Security Metrics Guide for Information Technology Systems
SP 800-58 Security Considerations for Voice Over IP Systems
SP 800-61 Computer Security Incident Handling Guide
SP 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification