2. Standards Crosswalk – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Appendix 2. Standards Crosswalk

The table below provides a high-level crosswalk of standards by the broad cybersecurity topic areas of governance, strategy, operations, and technology.

It is not intended to be all-inclusive, but rather representative of the most useful standards for designing, implementing, and maintaining a cybersecurity programme.

For additional information on each of these standards, as well as references to other standards not listed here, please visit the following sites:

The International Telecommunication Union (ITU) provides a comprehensive database of approved standards from ISO, IEEE, and several others at www.itu.int/ITUT/studygroups/com17/ict/part02.html.

The National Institute of Standards and Technology (NIST) provides access to its free standards at http://ts.nist.gov/Standards/ssd.cfm. Note that NIST security standards are all published under NIST SP 800-XX.

The American National Standards Institute (ANSI) has a standards store at http://webstore.ansi.org/ for standards from multiple sources.

The Information Systems Audit and Control Association (ISACA) provides several free downloads of standards information related to COBIT at www.isaca.org/template.cfm?section=home.

| Cybersecurity Topic Area | Source | Standard / Guidance |
|---|---|---|
| Governance | ISO | ISO/IEC27000, Information Security Management Systems – Fundamentals and vocabulary (see also ISO/IEC17799) |
| Governance | ISO | ISO/IEC27001, Information Security Management Systems – Requirements |
| Governance | NIST | Most of the NIST Special Publications are focused on programme execution, rather than governance. |
| Governance | Other | COBIT, Control Objectives for Information and Related Technologies |
| Governance | Other | ITGI, Information Security Governance: Guidance for Boards of Directors and Executive Management |
| Governance | Other | Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org/ |
| Strategy | ISO | ISO/IEC27002, Code of Practice for Information Security Management |
| Strategy | ISO | ISO/IEC27003, Information Technology – Security Techniques – Information Security Management System Implementation Guidance |
| Strategy | NIST | NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process |
| Strategy | NIST | NIST SP 800-55, Security Metrics Guide for Information Technology Systems |
| Strategy | NIST | NIST SP 800-53, Recommended Security Controls for Federal Information Systems |
| Strategy | NIST | NIST SP 800-39 (Draft), Managing Risk from Information Systems: An Organizational Perspective |
| Strategy | NIST | NIST SP 800-18, Guide to Developing Security Plans for Federal Information Systems |
| Strategy | Other | ITIL, Information Technology Infrastructure Library |
| Strategy | Other | Information Security Forum, Standard of Good Practice for Information Security, www.isfsecuritystandard.com |
| Operations | ISO | ISO/IEC13335, Parts 1-5, Guidelines for the Management of IT Security |
| Operations | ISO | ISO/IEC27004, Information Security Management Measurements |
| Operations | ISO | ISO/IEC27005, Management of Information and Communications Technology Security (MICTS) Part 2: Techniques for information and communications technology security risk management |
| Operations | ISO | ISO/IEC12207, Information Technology – Software Life Cycle Processes |
| Operations | ISO | ISO/IEC15288, Systems Engineering – System Life Cycle Processes |
| Operations | NIST | NIST SP 800-100, Information Security Handbook: A Guide for Managers |
| Operations | NIST | NIST SP 800-80 (Draft), Guide for Developing Performance Metrics for Information Security |
| Operations | NIST | NIST SP 800-64, Security Considerations in the Information System Development Life Cycle |
| Operations | NIST | NIST SP 800-61, Computer Security Incident Handling Guide |
| Operations | NIST | NIST SP 800-53A (Draft), Guide for Assessing the Security Controls in Federal Information Systems |
| Operations | NIST | NIST SP 800-50, Building an Information Technology Security Training and Awareness Program |
| Operations | NIST | NIST SP 800-34, Contingency Planning for Information Technology Systems |
| Operations | Other | Generally Accepted Information Security Principles (GAISP) |
| Operations | Other | CMU-SEI, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) |
| Technical | ISO | ISO/IEC15408, Parts 1-3, Evaluation Criteria for IT Security (Common Criteria) |
| Technical | NIST | NIST SP 800-42, Guideline on Network Security Testing |
| Technical | NIST | NIST SP 800-42, Creating a Patch and Vulnerability Management Program |
| Technical | NIST | NIST SP 800-33, Underlying Technical Models for Information Technology Security |
| Technical | NIST | NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security) |
| Technical | NIST | NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems |
| Technical | Other | Center for Internet Security (CIS) Benchmark/Scoring Tools |
| Technical | Other | US Department of Homeland Security (DHS) Information Security Automation Program (ISAP) and the Security Content Automation Program (SCAP), http://nvd.nist.gov/nvd.cfm |
| Technical | Other | Vigilant Software Ltd, www.vigilantsoftware.co.uk, for ISO27001 Information Security Risk Assessment tools |