Requirements Flashcards
Data Classification - Impact Analysis NIST FIPS 199
Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.
Data Classification - Impact Analysis NIST SP 800-18
Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.
Data Classification - Impact Analysis - First Step
Identify high-, medium-, and low-impact data, possibly based on impacts to people, customers, or financial loss.
ISO 2700X Series
This series defines the relevant vocabulary, a code of practice, management system implementation guidance, metrics, and risk management principles.
- More than 20 standards in place.
- Is to security what the ISO 900X series is to quality.
- Broad in scope, it is designed to be applicable to all shapes and sizes of organizations.
ISO/IEC 15408 Common Criteria
A framework in which security functional and assurance requirements can be specified in precise terms, allowing vendors to implement and/or make claims about the security attributes of their products.
- Target of Evaluation
- Protection Profiles: sets of security requirements for operating systems, firewalls, etc.
- Evaluation Assurance Level (EAL): 7 levels
ISO/IEC 9126: Software Engineering – Product Quality
This four-part standard addresses some of the critical issues that adversely affect the outcome of a software development project.
- Defines six quality characteristics that can be used to measure the quality of software: Functionality, Reliability, Usability, Efficiency, Maintainability, and Portability.
ISO/IEC/IEEE 12207: Systems and Software Engineering – Software Life Cycle Processes
Establishes a set of processes covering the lifecycle of the software. Each process has a defined set of activities, tasks, and outcomes associated with it. It acts to provide a common structure so all parties associated with the software development effort can communicate through a common vocabulary.
ISO/IEC 33001:2015 Information Technology – Process Assessment
Process assessment is also known as SPICE, which stands for Software Process Improvement and Capability Determination.
- Used for process capability determination and process improvement efforts related to software development.
- Six levels (0 to 5)
Federal Information Security Management Act (FISMA)
Federal Information Security Management Act of 2002 (FISMA) is a federal law that requires each federal agency to implement an agency-wide information security program.
NIST developed the Risk Management Framework, detailed in NIST SP 800-39.
Federal Information Processing Standards (FIPS)
Mandatory sets of requirements for federal agencies and specified contractors.
Developed by NIST.
FIPS 140 Series
Security Requirements for Cryptographic Modules
FIPS 186-3
Digital Signature Standard (DSS)
FIPS 190-4
Secure Hash Standard (SHS)
FIPS 197
Advanced Encryption Standard (AES)
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems
SAFECode
SAFECode is dedicated to communicating best practices that have been used successfully by member firms.
- Industry-backed organization.
NIST SP 800-39
Risk Management Framework, given as a six-step guideline.
1. Categorize Security Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
NIST SP 800-152
A profile for U.S. federal cryptographic key management systems
NIST SP 800-107
Recommendations for applications using approved hash algorithms
NIST SP 800-100
Information Security Handbook: A Guide for Managers
NIST SP 800-63
Digital Identity Guidelines
NIST SP 800-53
Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-30
Guide for Conducting Risk Assessments
Sarbanes-Oxley Act of 2002
The information systems used for financial accounting must have some form of security control over integrity so that everyone can have confidence in the numbers being reported by the system.
- Was a reaction to several major accounting and corporate scandals that cost investors billions and shook public confidence in the stock markets.