posted Mar 8, 2016, 8:28 AM by Sami Lehtinen
updated Mar 8, 2016, 8:28 AM
- Cyber Security Standards and Standard of Good Practice @ Wikipedia
- Critical Infrastructure Protection (CIP). Critical Information Infrastructure Protection (CIIP). Political, economic and technical aspects. Yet I'm usually thinking about the technical aspects. History of CIP, background. Civil Communications Planning Committee (CCPC). Information Assurance (IA). INFOSEC. OPSEC. ENISA. Cyber Security Task Force (CSTF). CERT. European Programme for Critical Infrastructure Protection (EPCIP). 2008/114/EY. Critical Infrastructure Warning Information Network (CIWIN). Kansallinen turvallisuusauditointikriteeristö (KATAKRI, the Finnish national security auditing criteria), levels IV, III, II. VAHTI. ISO 27001. PCI DSS. Facility Security Clearance (FSC). Top Secret, Secret, Confidential, Restricted.
- All of the systems I'm administering naturally pass the basic level (IV) and enhanced level (III) configuration requirements for restricted and confidential information with ease.
- I also naturally follow all CERT announcements and have reported a few incidents to CERT, which luckily have been related to my hobbies and to systems run by friends.
- Principle of least privilege.
- More security-related generic stuff. Legal security requirements and directives. Documenting secure processes and methods. Subcontractor agreements about data confidentiality. Internal data processing processes and security considerations, risk management and documentation. Incident reporting and management procedures and documentation. Operational security training for staff. Automated system security and configuration monitoring and alerting. Risk assessment. Intrusion Detection System (IDS). Intrusion Prevention System (IPS). Safe exception handling in software and secure-failure procedures. Secure firewall (FW) configuration and change management. Physical security, access control and isolation based on security clearance and level. Information technology business continuity and disaster recovery plan documentation. SANS/CWE Top 25. Administrative security controls. Personnel security audit and clearance. Telecom legislation on secure internet communication, log information, how long logs should be kept and what the basis is for actually accessing those logs. Security plan and documentation review and audit. Chief Security Officer. Need-to-know basis. Data erasure. Tracking and monitoring audit results, tasks and confirmed successful completion. System hardware and software configuration documentation and update procedures. Update system integrity, configuration and signature management. Secure networking, partitioning and zoning, encryption, VPN tunnelling, access management. Security management outsourcing, change management and updated documentation. Identity Management (IM), Integrated Identity Management (IDM), Two-factor Authentication (2FA). Software internal architecture and trust boundaries. Strong passwords. Extensive logging. Externalized logging or separate logging systems. Credentials management, access control management. Role-based access control lists (ACL). Physical security.
Support system recovery plan, backup operation plan and procedures for when key primary systems can't be used. Staging and production environment testing and quality assurance. Security strategy and organization. Regular checks and meetings according to project, maintenance and administration needs. HAVARO. Computer Emergency Response Team. Information Security Team. Security Information and Event Management (SIEM) and Global Security Operations Center (GSOC). Data center environmental control and protection. Cryptographic password and data protection. OWASP. Data scrubbing. Asset protection. TC CYBER. BYOD. ETSI. European Cybersecurity Implementation. Standard of Good Practice (SoGP). IETF RFC 2196. EU General Data Protection Regulation (GDPR).
- KATAKRI III - "Katakri is the authorities’ auditing tool, which an authority can use in assessing the target organisation's ability to protect an authority’s classified information."