Standards

(OBJ 5.1)

Standards

• Provides a framework for implementing security measures, ensuring that all aspects of an organization's security posture are addressed
• Integral part of an organization's governance framework

Password Standards

• Define password complexity and management
  • The firs line of defense against unauthorized access.
• Defined to ensure robustness and resistance against Brute Force Attacks
• Include length, character types, regular changes, and password reuse rules
• Emphasize password Hashing (OBJ 1.4) and salting for security and other techniques

Access Control Standards

• Determine who has access to what resources within an organization
• Include access control models like
  • Discretionary Access Control (DAC)
    • Allows the owner of the information or resource to decide who can access it.
  • Mandatory Access Control (MAC)
    • Uses labels or classifiers to determine access, often used in government or military settings.
  • Role Based Access Control (RBAC)
    • Assigns access based on roles within an organization, ensuring that users only have access to the resources necessary for their job functions.
• Enforce principles of least privilege and separation of duties
  • Least privilege: Users only have the minimum levels of access required to perform their duties.
  • Separation of duties: Prevents any single individual from having complete control over a critical process, reducing the risk of insider threats.

Physical Security Standards

• Just as important as their digital counterpart
• Cover physical measures to protect assets and information
• Include physical security controls like perimeter security (Fencing and Bollards), Surveillance systems, and access control mechanisms.
• Also covers environmental controls such as fire suppression systems, HVAC controls, and power redundancy systems.
  • See Environment Monitoring.
• Address environmental controls and secure areas for sensitive information and systems
  • Server rooms
  • Data centers
  • (Areas which should have additional security measures)

Encryption Standards

• Ensure data remains secure and unreadable even if accessed without authorization
• Include enforcing use of encryption algorithms like AES, RSA, and SHA-2
• Widely recognize standards and used in various applications from encrypting data at risk, storage devices to data in transit over networks.
• Choice of encryption standard depends on the use case and balance between security and performance
• Example:
  • AES is often used for data at rest due to its strong security and efficient performance
  • RSA is commonly used for secure communication due to its Public Key Infrastructure (PKI) nature.