A cybersecurity standard may be defined as the set of rules an organization has to comply with in order to be permitted to do particular things, such as accepting online payments or storing patient data. To make cybersecurity measures explicit, written norms are required; these norms are known as cybersecurity standards: generic sets of prescriptions for the ideal execution of certain measures. Standards may involve methods, guidelines, reference frameworks, etc. They ensure the efficiency of security measures, facilitate integration and interoperability, enable meaningful comparison of measures, reduce complexity, and provide structure for new developments. A security standard is “a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition.” The goal of security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. Well-written cybersecurity standards enable consistency among product developers and serve as a reliable benchmark when purchasing security products.
What are the levels of standards?
Once an organization can articulate why a particular device is used, it becomes easier to identify where the device should be used. Standards can be written in such a way that there are minimum standards that can be expanded as necessary to ensure quality.
By adopting minimum or baseline security standards, end users can then expand on them based on size and budget. For this reason, minimum standards should be designed in a progressive format, which allows differences in a facility’s size or use to be addressed more effectively. For example, locations of similar size and function (call them Level One) may have only the minimum standards. Because of its larger size or different type of operation, a Level Two site will have all of the Level One standards plus additional minimum requirements: exterior perimeter cameras at Level One, for instance, with additional interior cameras at Level Two.
Security standards are generally available to all organizations regardless of their size or the industry and sector in which they operate. This section covers the standards usually recognized as essential components of any cybersecurity strategy.
1. ISO Standards
ISO (the International Organization for Standardization) was officially established on 23 February 1947. It is an independent, non-governmental international organization. Today it has a membership of 162 national standards bodies and 784 technical committees and subcommittees that take care of standards development. ISO has published over 22,336 International Standards and related documents, covering almost every industry, from information technology to food safety, agriculture and healthcare.
ISO 27000 Series
This is the family of information security standards developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a globally recognized framework for information security management. It helps organizations keep their information assets secure, such as employee details, financial information, and intellectual property. The need for the ISO 27000 series arises from the risk of cyber-attacks that organizations face; attacks grow day by day, making attackers a constant threat to any industry that uses technology. The main standards in the series are:
ISO 27001– This standard specifies the requirements for an information security management system (ISMS) and is the standard in the series against which organizations are certified; certification lets an organization demonstrate to its clients and stakeholders that the security of their confidential data and information is properly managed. It takes a process-based approach to establishing, implementing, operating, monitoring, maintaining, and improving the ISMS.
ISO 27000– This standard gives an overview of the series and defines the terminology used in ISO 27001 and the other standards in the family.
ISO 27002– This standard provides guidelines for organizational information security standards and information security management practices, including the selection, implementation, operation and management of controls, taking into account the organization’s information security risk environment(s).
ISO 27005– This standard supports the general concepts specified in ISO 27001 and provides guidelines for information security risk management, the approach on which a 27001 ISMS is based. Fully understanding ISO/IEC 27005 requires knowledge of the concepts, models, processes, and terminology described in ISO/IEC 27001 and ISO/IEC 27002. It is applicable to all kinds of organizations, including non-governmental organizations, government agencies, and commercial enterprises.
ISO 27032– This is the international standard that focuses explicitly on cybersecurity. It includes guidelines for protecting information beyond the borders of an organization, such as in collaborations, partnerships or other information-sharing arrangements with clients and suppliers.
2. IT Act
The Information Technology Act, 2000, also known as ITA-2000 or the IT Act, aims to provide the legal infrastructure in India for dealing with cybercrime and e-commerce. The IT Act is based on the United Nations (UNCITRAL) Model Law on Electronic Commerce, 1996, recommended by the General Assembly of the United Nations. The Act also addresses the misuse of computers and networks in India. It was passed in 2000 and amended in 2008. It was designed to boost electronic commerce, e-transactions and related activities associated with commerce and trade, and it facilitates electronic governance by means of reliable electronic records.
The IT Act 2000 has 13 chapters, 94 sections and 4 schedules. The first 14 sections deal with digital signatures; later sections deal with the certifying authorities licensed to issue digital signature certificates; sections 43 to 47 provide for penalties and compensation; sections 48 to 64 deal with the Cyber Appellate Tribunal and appeals to the High Court; sections 65 to 79 deal with offences; and the remaining sections, 80 to 94, deal with miscellaneous provisions of the Act.
3. Copyright Act
The Copyright Act 1957, as amended by the Copyright (Amendment) Act 2012, governs copyright law in India. The Act came into force on 21 January 1958. Copyright is a legal term describing the ownership and control of the rights that authors hold in “original works of authorship” fixed in a tangible form of expression. Original works of authorship include books, videos, movies, music, and computer programs. Copyright law balances the use and reuse of creative works against the desire of the creators of art, literature, music and software to monetize their work by controlling who can make and sell copies of it. The Copyright Act covers the following:
- Rights of copyright owners
- Works eligible for protection
- Duration of copyright
- Who can claim copyright
The Copyright Act does not cover the following:
- Ideas, procedures, methods, processes, concepts, systems, principles, or discoveries
- Works that are not fixed in a tangible form (such as a choreographic work that has not been notated or recorded or an improvisational speech that has not been written down)
- Familiar symbols or designs
- Titles, names, short phrases, and slogans
- Mere variations of typographic ornamentation, lettering, or coloring
4. Patent Law
Patent law deals with new inventions. Traditional patent law protected tangible scientific inventions, such as circuit boards, heating coils, car engines, or zippers. Over time, patent law has been extended to a broader variety of inventions, such as business practices, algorithms, or genetically modified organisms. A patent is the right to exclude others from making, using, selling, importing, or offering for sale a product specially adapted for practising the patent, and from inducing others to infringe it. In general, a patent can be granted if an invention is:
- Not a natural object or process
- Not obvious.
Intellectual property rights (IPR) allow creators, or the owners of patents, trademarks or copyrighted works, to benefit from their own plans, ideas, or other intangible assets, or from their investment in a creation. These rights are recognized in Article 27 of the Universal Declaration of Human Rights, which provides for the right to benefit from the protection of the moral and material interests resulting from authorship of scientific, literary or artistic productions. Such rights allow the holder to exercise a monopoly on the use of the item for a specified period.
What about building codes?
Many end users believe that national standards and local building codes provide enough guidance for integrators to install systems appropriately. At a high level, this is true. The system may function as intended, but have the devices, panels, and other parts been installed in an acceptable manner? Does the cabling look like a bowl of spaghetti, or like an installation completed with good workmanship and pride? Good cable management and installation practices lead to more effective troubleshooting and faster repair when there is a problem, and eventually there will be one. Requirements vary with the authority having jurisdiction (AHJ), but typically no code requires an installer to remove abandoned cable or coax. It is nonetheless considered a best practice, and if it is written into a standard the installer knows it must be done.
What are some other benefits to having standards?
Developing standards that define the preferred location of certain devices can make installation much easier. For example, card readers should typically be installed on the latch side of a door. The reader will work on the hinge side, but it makes more sense on the latch side, where a person can present their credential with one hand and open the door with the other.
Standards that correspond to the security systems implemented are very important to an organization. These policies guide managers and staff toward the overall goals when implementing and using various types of electronic security systems. For example, an organization could institute a standard that all IT closet doors are equipped with access control requiring a valid card read to enter, which allows the organization to log who entered the room and at what time. Another example would be a standard that any high-security area, such as an IDF (intermediate distribution frame) or MDF (main distribution frame) room, has a camera whose field of view includes the entry into the space.
Security standards enhance the physical security of an organization and contribute to overall risk management in several ways. They also allow the sharing of knowledge and best practices by ensuring a common understanding of conditions, terms, and definitions, which can prevent costly errors. Written standards offer a way to measure installation practices and services against objective criteria, which can result in improvements to the quality of an installation.
In an enterprise-wide security program, one must first evaluate the existing security features at the various locations. As mentioned, minimum standards can be expanded as necessary to ensure quality and efficiency, and by developing progressive security standards, differences between facilities can be addressed more effectively.
What are specifications?
Security standards can work in conjunction with specifications. A specification is a type of technical standard that describes precise requirements and performance expectations. Specifications are seen most often in the world of construction but are essential to the design of security device installations. A specification can cover everything in a detailed narrative, starting with a general overview of the project, the description of the system being used and the scope of work. It can also specify the locations of device installations, routes for cabling, the make and model of devices, and the documentation or training the integrator is expected to provide to the end user.
Cybersecurity standards work as a set of policies that define the methods or approaches to be followed in order to keep systems protected. Several cybersecurity standards are available, and new ones continue to be introduced. Almost all organizations that operate at a higher level are bound to comply with these standards, as they are the factors that ensure the security of the organization.