Information Security Standards

Information security standards are the detailed security requirements and guidelines that help an organization meet its information security policies.

To make policies effective, the security organization should document and implement standards that draw on industry best practices (e.g. NIST or PCI).  Standards and their accompanying procedures describe in more detail how the information security policies must be met.  Examples include hardening standards for Windows and UNIX platforms, or standards for vulnerability identification and remediation.  Standards should specify concrete settings that can be measured periodically to show whether the controls are effective.

Industry best-practice guidelines, such as NIST, DISA STIG or Microsoft hardening guides, should be used to create a baseline of security settings for each system type.  The baseline is then used both to deploy security settings consistently across many systems and to measure deviations from the standard proactively.  Standards should also be created for other platforms, including mobile devices and applications, so that every platform in the organization is held to its security policies.
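The paragraph above describes two uses of a baseline: pushing the same settings to every system, and measuring how far each system has drifted from them.  The following script is an added example, not code from the original page or from Securezoo, showing the measurement half for one common platform standard, the OpenSSH server configuration.  The baseline values, the compiled-in defaults, the host names and the sshd_config snippets are all constructed for the example and are not taken from any specific STIG, CIS or NIST benchmark item.

```python
"""Measure sshd_config drift across a fleet against a hardening baseline.

Illustrative example only: the baseline values, host names and config
snippets are constructed for this example, not taken from a published
benchmark. A real baseline would cite the guide item behind each setting.
"""
import re

# Constructed baseline: directive -> expected value (case-insensitive compare).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "ClientAliveInterval": "300",
}

# Values sshd uses when a directive is absent. Assumed here for OpenSSH 7.x+;
# check sshd_config(5) for the version actually deployed.
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "ClientAliveInterval": "0",
}


def parse_sshd_config(text):
    """Return global-scope directives as {lowercased keyword: value}.

    Mirrors the sshd semantics that matter for a baseline check: keywords are
    case-insensitive, '#' starts a comment, keyword and value may be separated
    by whitespace or '=', the FIRST value seen for a keyword wins, and lines
    after the first 'Match' header are conditional, not global, so they stop
    the parse.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)  # first occurrence wins
    return seen


def effective_value(directives, directive):
    """Value sshd would actually use: the explicit setting or the default."""
    return directives.get(directive.lower(), SSHD_DEFAULTS.get(directive))


def check_host(hostname, config_text, baseline=SSHD_BASELINE):
    """Return deviations for one host as (directive, expected, actual, explicit).

    'explicit' is False when the host omitted the directive and the value
    shown is the compiled-in default; that separates 'misconfigured' from
    'never configured' in the report.
    """
    directives = parse_sshd_config(config_text)
    deviations = []
    for directive, expected in baseline.items():
        explicit = directive.lower() in directives
        actual = effective_value(directives, directive)
        if actual is None or actual.lower() != expected.lower():
            deviations.append((directive, expected, actual, explicit))
    return deviations


def fleet_report(configs, baseline=SSHD_BASELINE):
    """Return (per_host deviations, per-directive failure counts).

    A directive failing on most hosts points at the baseline or its rollout;
    a directive failing on one host points at drift on that host.
    """
    per_host = {h: check_host(h, cfg, baseline) for h, cfg in configs.items()}
    summary = {d: 0 for d in baseline}
    for devs in per_host.values():
        for directive, *_ in devs:
            summary[directive] += 1
    return per_host, summary


def compliance_pct(per_host, baseline=SSHD_BASELINE):
    """Share of (host, directive) checks that pass, as an integer percent."""
    total = len(per_host) * len(baseline)
    failed = sum(len(d) for d in per_host.values())
    return round(100 * (total - failed) / total) if total else 100


# Constructed sample configs for three hypothetical hosts.
SAMPLE_CONFIGS = {
    # Fully matches the baseline.
    "web01": """
        # Managed by configuration management
        PermitRootLogin no
        PasswordAuthentication no
        X11Forwarding no
        MaxAuthTries 4
        ClientAliveInterval 300
    """,
    # Drifted: root login re-enabled, and a hardened value added AFTER a
    # permissive one, which sshd ignores because the first value wins.
    "web02": """
        PermitRootLogin yes
        PasswordAuthentication yes
        PasswordAuthentication no   # too late: first value wins
        X11Forwarding no
        MaxAuthTries 4
        ClientAliveInterval 300
    """,
    # Never baselined: relies on defaults; its only setting sits inside a
    # Match block and so does not apply globally.
    "legacy01": """
        Match User backup
            PasswordAuthentication no
    """,
}

if __name__ == "__main__":
    per_host, summary = fleet_report(SAMPLE_CONFIGS)
    for host, devs in per_host.items():
        for directive, expected, actual, explicit in devs:
            origin = "set" if explicit else "default"
            print(f"{host}: {directive} expected {expected}, got {actual} ({origin})")
    print("failures per directive:", summary)
    print("fleet compliance:", compliance_pct(per_host), "%")
```

In practice the `SAMPLE_CONFIGS` dictionary would be replaced by configs collected from the fleet, and the per-directive counts would be tracked over time, which is the periodic measurement the standard calls for.  The duplicate-directive case on `web02` is worth noting: a hardening change appended to the end of an existing sshd_config is silently ineffective, and a checker that only greps for the hardened line would report it as compliant.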

Securezoo's "Standards" site includes detailed standards such as ISO, NIST, PCI and HIPAA.  Many of these were developed by subject matter experts in each field, with feedback from government and the private sector, and they draw on lessons learned by other organizations and best practices gathered through years of practical experience.

Topic Category: Information Security Program
News Articles
UK infrastructure failing to meet the most basic cybersecurity
NIST publishes massive report on IoT cybersecurity needs (www.scmagazine.com, 11/15/2016)
NIST issues 'don't be stupid' security guidelines for
Survey: 75 percent of companies have significant risk exposure (www.scmagazine.com, 6/11/2015)
New rules aim to prevent IoT devices from taking down mobile networks (www.computerworld.com, 10/14/2014)
Congress divorces NIST and
Regulators Planning Cybersecurity Assessments for Banks (threatpost.com, 5/12/2014)
PCI Security Standards Council announces new Point-to-Point Encryption Solutions (www.pcisecuritystandards.org, 10/31/2013)
US government releases draft cybersecurity framework (news.cnet.com, 10/22/2013)
Study: 73 percent believe SANS controls guidance worth adopting (www.scmagazine.com, 7/10/2013)
NERC CIP Version 5: One Giant Leap (www.tripwire.com, 6/20/2013)
Cisco hints at possible new security
PCI Security Standards Council Updates Standard for PIN Transaction Security (www.pcisecuritystandards.org, 6/7/2013)
The PCI Security Standards Council (PCI SSC) Publishes Card Production Security Requirements (www.pcisecuritystandards.org, 5/9/2013)
Obama executive order redefines critical infrastructure (www.computerworld.com, 2/14/2013)
The Elephant In The Security Monitoring Room (www.darkreading.com, 10/21/2012)
NIST Offers Guidelines for Securing BIOS (threatpost.com, 8/24/2012)
NIST Updates Computer Security Guides (www.informationweek.com, 7/30/2012)
NIST fills some gaps in smart-grid standards (gcn.com, 3/5/2012)
Federal Cybersecurity Guidelines Now Cover Cloud, Mobility (www.informationweek.com, 2/29/2012)
Centers for Medicare & Medicaid Services' Office of E-Health Standards and Services Announces 90-Day Period of Enforcement Discretion for Compliance with New HIPAA Transaction Standards (www.cms.gov, 11/17/2011)
GAO: Federal data at cyber risk (www.politico.com, 10/3/2011)
White Papers
Radio Frequency Wireless Technology in Medical Devices (www.fda.gov, 8/14/2013)
NERC Critical Infrastructure Protection (CIP) Standards (NERC, 5/9/2012)
FFIEC Information Security Booklet (FFIEC, 7/28/2006)
NISTIR 7298 Revision 2, Glossary of Key Information Security Terms (NIST, 6/21/2013)
PA DSS (Payment Application Data Security Standard) (PCI, 5/27/2016)
PCI Card Production Logical Security Requirements v1.0 (PCI, 5/9/2013)
PCI Card Production Physical Security Requirements v1.0 (PCI, 5/9/2013)
Information Supplement: PCI DSS eCommerce Security Guidelines (PCI, 1/31/2013)
PCI DSS (PCI Data Security Standard) (PCI, 4/28/2016)
NIST SP 800-12 Revision 1, An Introduction to Information Security (NIST, 6/1/2017)
NIST Security and Privacy Controls for Federal Information Systems and Organizations (NIST, 4/30/2013)
NIST SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security (NIST, 8/12/2015)
NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST, 4/9/2015)