Module 3 (20 Aug 2020)


INFORMATION SECURITY POLICIES, PROCEDURES, STANDARDS AND GUIDELINES

Policies, Procedures, Standards and Guidelines
• Information security policies describe how the organization wants to protect its information assets.
• After policies are outlined, standards are defined to set the mandatory rules that will be used to implement the policies.
• Procedures are implementation details; policy is a statement of the goals to be achieved by procedures.
• Some policies can have multiple guidelines, which are recommendations as to how the policies can be implemented.
• Finally, information security management, administrators and engineers create procedures from the standards and guidelines that follow the policies.
Information Security Policies
• The foundation of the security infrastructure.
• Without them, the company cannot be protected from possible lawsuits, lost revenue and bad publicity, not to mention basic security attacks.
• A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
• Policies are not technology specific and do three things for an organization:
• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or modification.
• Prevent waste of company computing resources.
Security Policies
• Types:
• Technical security policies: how technology should be configured and used.
• Administrative security policies: how people (both end users and management) should behave and respond to security.
• Persons responsible for the implementation of the security policies are:
• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer
• To determine the level of security measures that need to be applied, a risk assessment is mandatory.
Security Policies
• Define what is expected from employees within an organisation with respect to information systems.
• Guide or control the use of systems to reduce the risk to information assets.
• Give the staff who deal with information systems an acceptable use policy, explaining what is and is not allowed.
Security Policy – Rules and Regulations
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches
• Necessity of a security policy
Encryption Mechanisms
Encryption – data at rest – Google/Oracle cloud framework
Access Control Devices
Authentication Systems
Firewalls
Anti-Virus Systems
Security Policy
• A plan that provides the consistent application of security principles throughout the company. After implementation, it becomes a reference guide when matters of security arise.
• Indicates senior management’s commitment to maintaining a secure network.
• Allows the IT staff to do a more effective job of securing the company’s information assets.
• Reduces the risk of a damaging security incident.
• An incident response policy may limit the company’s exposure and reduce the scope of the incident.
• Provides legal protection.
• By specifying to users exactly how they can and cannot use the network, how they should treat confidential information, and the proper use of encryption, you reduce your liability and exposure in the event of an incident.
• Provides a written record of the company’s policies if there is ever a question about what is and is not an approved act.
• Required by third parties that do business with your company as part of their due diligence process: auditors, customers, partners and investors.
• Companies that do business with your company, particularly those that will be sharing confidential data or connectivity to electronic systems, will be concerned about your security policy.
• Fulfils regulations and meets standards that relate to the security of digital information.
• Needs to be reviewed whenever there is an organizational change or an environmental change (progress).
• Updates should be communicated to all.
• Compliance with policies can be monitored using monitoring solutions such as a SIEM, and violations of security policies can be dealt with seriously.
• A mechanism to report any violations of the policy is needed.
List of Security Policies
• Prudent Policy: provides maximum security while allowing known but necessary dangers. Blocks all services and only safe/necessary services are enabled individually. Everything is logged.
• Paranoid Policy: forbids everything. No Internet connection or severely restricted Internet usage is allowed.
• Network Connection Policy: defines who can install new resources on the network, approve the installation of new devices, document network changes etc.
• User Account Policy: defines the account creation process, authority, rights and responsibility of user accounts.
• Information Protection Policy: defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media etc.
• Special Access Policy: defines the terms and conditions of granting special access to system resources.
Acceptable Usage Policy
• Defines the rules one should adhere to while accessing the network.
• Some of the assets that this policy covers are mobile, wireless, desktop, laptop and tablet computers, email, servers, internet etc.
• For each asset, one needs to look at how to protect it and manage it, who is authorised to use and administer the asset, the accepted methods of communication on the asset, etc.
• A template for an AUP is published by SANS: http://www.sans.org/securityresources/policies/Acceptable_Use_Policy.pdf
• Some regulatory compliance regimes mandate that a user should accept the AUP before getting access to network devices.
• Implementing these controls makes the organization somewhat less exposed to risk, even though it is very costly.
Security Policy
• An engineer has to consider the country’s laws.
• Example: the use of encryption to create a secure channel between two entities. Some encryption algorithms and their key lengths (128, 192) will not be allowed by the government for standard use.
• Some of the laws, regulations and standards used for policy definition include:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards
• The Gramm-Leach-Bliley Act (GLBA)
Key Elements of Security Policy
A policy should contain:
• Overview – background information on the issue the policy addresses.
• Purpose – why the policy is created.
• Scope – what areas this policy covers.
• Targeted audience – to whom the policy applies.
• Policy – a detailed description of the policy.
• Definitions – a brief introduction to the technical jargon used in the policy.
• Version – a number to control the changes made to the document.

Policy Content – create an actionable security plan
Guidelines for successful IT security policies:
• A security policy should be no longer than absolutely necessary.
• Quantity does not equal quality; it is often the sheer amount of information in policies that makes them useless.
• Brevity is of utmost importance.
• A security policy should be written in “plain English.”
• While, by nature, technical topics will be covered, it is important that the policy be clear and understood by the target audience for that particular policy.
• Clarity must be a priority in security policies so that a policy isn’t misunderstood during a crisis or otherwise misapplied, which could lead to a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations.
• In some countries there are laws that apply to a company’s security practices, such as those covering the use of encryption.
• Some states have specific disclosure laws or regulations governing the protection of citizens’ personal information.
• Some industries have regulations governing security policies.
• A security policy should be reasonable.
• The point of this process is to create a policy that you can actually use rather than one that makes your company secure on paper but is impossible to implement.
• Keep in mind that the more secure a policy is, the greater the burden it places on your users and IT staff to comply with it.
• Find a middle ground in the balance between security and usability that will work for you.
• A security policy must be enforceable.
• A policy should clearly state which actions are permitted and which are in violation of the policy.
Security Policy Implementation
• The security policy must be backed by the company’s senior management team.
• The security policy must be officially adopted as company policy.
• Go through each policy and think about how it will be applied within the organization.
• If you discover something impractical, create a plan to make appropriate changes to either the network or the policy.
• Remember that policies differ from processes and procedures.
• User education is critical to a successful security policy implementation.
• After some period, from three months to a year, the company’s information security controls should be audited against the applicable policies.
• If discrepancies are found or the policies are no longer applicable as written, they must be changed to fit the company’s current requirements.
• After the initial review process, create a process for periodic review by the appropriate persons:
• both at certain intervals (e.g. once per year), and
• when certain business changes occur (e.g. the company opens in a new location). This will ensure that the policy does not get “stale”, and will continue to be a useful management tool for years to come.
• When changes need to be made, be sure to update the revision history section of the document to differentiate the new document from past versions.
• Distribute any modified user-level policies to users. Clearly communicate the policy changes to any affected parties.
Technology: Standards, Procedures and Guidelines
• Knowing what processes and controls need to be in place.
• Implementing the technology and procedures that allow the control to work as intended.
• Penetration testing, configuration review and architecture review.
• Standards and best practices can help the auditor distinguish good security designs from bad and provide reference architectures to compare against.
ISO 27000 Series of Standards
• Internationally recognized security control standards for the creation and operation of an Information Security Management System (ISMS); the code of practice was previously published as ISO 17799.
• ISO 27001:2005 Information technology – Security techniques – Information security management systems – Requirements.
• Provides the requirements for a security management system in accordance with ISO 27002 best practices.
• ISO 27001 identifies generic technological controls and processes that must be in place if a business wants to be certified as compliant with the ISO standard.
• The contents of ISO 27001 are:
• ISMS: establish the ISMS; implement and operate it; monitor and review it; maintain and improve it; documentation requirements; control of documents and records.
• Management responsibility: involves commitment, provision of resources, and training for awareness and competence.
• Internal audits: requirements for conducting audits.
• ISMS improvements: corrective and preventive actions.
• Annex A: objectives and controls, and checklist.
• Annex B: OECD (Organisation for Economic Co-operation and Development) principles and this international standard.
• Annex C: correspondence between ISO 9001, ISO 14001 and this standard.
• The key concept is the Deming Cycle process improvement approach: Plan, Do, Check and Act.
• This continuous improvement cycle was made famous by Dr. W. Edwards Deming, whose quality control methodology shows that a process can be continually improved by learning from mistakes and monitoring the things done correctly to further refine the capabilities of the system.
The Deming Cycle
• Step 1. Plan: establish the ISMS according to the policies, processes and objectives of the organization to manage risk.
• Step 2. Do: implement and operate the ISMS.
• Step 3. Check: audit, assess and review the ISMS against policies, objectives and experiences.
• Step 4. Act: take action to correct the deficiencies identified, for continuous improvement.
ISO 27002:2005 Security Techniques – Code of Practice
• Consists of international best practices for securing systems.
• Provides best practice information about everything from Human Resources security needs to physical security an
• Represents the detailed implementation requirements for ISO 27001.
• Consists of security controls across all forms of data communication, including electronic, paper and voice.
• The twelve areas covered in ISO 27002:2005 are:
• Introduction to information security management
• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human Resources security
• Physical security
• Communications and operations management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity
• Compliance
• NIST – The National Institute of Standards and Technology (NIST)
• A federal agency of the United States government.
• Helps commerce in the U.S. by providing weights and measurements, materials references and technology standards.
• Provides an Internet atomic clock time source that computers can be configured to use to synchronize time.
• Provides reference samples of over 1,300 items, including peanut butter and oysters.
• The division within NIST tasked with creating information security standards is the Computer Security Resource Center (CSRC).
• It creates standards for information security in response to laws such as the IT Reform Act (1996), the Federal Information Security Management Act of 2002 (FISMA) and HIPAA.
• Federal Information Processing Standards Publications (FIPS):
• A series of standards that government agencies must follow by law.
• Include encryption standards, information categorization and other requirements.
• Mandate standards for technology through a certification program. Hardware and software involved in encrypting data via AES, for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.
• The NIST Special Publications (800 series documents) are a treasure trove of good information for auditors, systems administrators and security practitioners of any size of company.
• The documents give guidance and provide specific recommendations about how to address a wide range of security requirements.
• The documents are created by academic researchers, security consultants and government scientists.
• They are reviewed by the security community through a draft process that allows anyone to provide comments and feedback on the documents before they are made standards.
• They are revised on a regular basis as new technologies become adopted.
• The table below provides a list of some of the most widely used NIST 800 series documents.
NIST 800 series
[Table of NIST 800 series documents not reproduced in this extract]
Center for Internet Security (www.cisecurity.org)
• A not-for-profit group dedicated to creating security best practices and configuration guidance.
• Provides peer-reviewed configuration guides and templates.
• The guides are well written and provide a sufficient level of detail, down to the actual configuration level, to use as a checklist while also explaining why the particular configuration option needs to be implemented.
• CIS refers to its best practice documents as benchmarks and has two categories:
• Level 1 benchmarks consist of the minimum level of security that needs to be configured and that any skilled administrator can implement.
• Level 2 benchmarks focus on particular applications of security based on the type of system or the manner in which the system is used.
• Proper security depends on understanding risk, which determines at what level you need to protect an asset.
• Laptops, for example, have a different risk profile than servers, which is explored in detail in the Level 2 benchmark section.
National Security Agency (NSA) – founded 1952 – www.nsa.gov/ia/index.cfm
• Responsible for securing information and for information assurance.
• The NSA is known for its cryptology research and cryptanalysis of encrypted communications.
• The NSA created the DES encryption standard, which was the most commonly deployed encryption technique until it was replaced by AES (it is still used in the form of 3DES).
• Through research conducted by the Information Assurance Department of the NSA, a series of security configuration guides have been posted to help the public better secure computers and networks.
• These guides cover: applications, database servers, operating systems, routers, supporting documents, switches, VoIP and IP telephony, vulnerability reports, web servers and browsers, and wireless.
• Auditors are free to use these configuration guidelines when examining security controls.
• DISA – The Defense Information Systems Agency (DISA) is a part of the U.S. Department of Defense and is responsible for protecting military networks and creating configuration standards for military network deployments.
• DISA provides a number of useful configuration checklists for a wide variety of information system technologies.
• Security Technical Implementation Guides (STIGs) are great source material for security configuration assessments and are recommended as a tool for any auditor seeking configuration recommendations.
• They are easy to read and include justification for the configuration requirements and the threats that are mitigated.
• SANS – The SANS (SysAdmin, Audit, Network, Security) Institute is one of the best sources of free security information available on the Internet today.
• It has become a source of training and knowledge that shares information about security with hundreds of thousands of individuals across the globe.
• The SANS website has something for everyone involved in information security, from the CIO to hard-core security technologists and researchers.
• SANS is in the business of security education and delivers training events, conferences and webcasts, and it offers an extensive array of technical security and management tracks covering everything from incident handling and hacking to creating security policies.
• Each of these courses also offers an opportunity to test for certification through the GIAC organization (a separate entity that governs the certification and testing process for SANS).
SANS offers the following free services and resources:
• SANS reading room
• SANS Top 20
• SANS security policy samples
• SANS newsletters
• Internet Storm Center
• SCORE
• Intrusion Detection FAQ
Information Systems Audit and Control Association (ISACA)
• ISACA is the largest association of IT auditors in existence, with over 65,000 members across the world.
• Over 50,000 hold the Certified Information Systems Auditor (CISA) certification.
• The Certified Information Security Manager (CISM) certification is also offered, to test IT governance and management expertise.
• ISACA created a de facto standard guide for assessing and auditing IT controls.
• The IS standards, guidelines and procedures for auditing and control professionals are regularly updated and reviewed to provide the auditing community with standards, guidelines and procedures for conducting audits.
The auditing guide includes:
• Standards of IS auditing: code of conduct for professional auditors, the auditing process from planning to follow-up, and various other standards.
• Auditing guidelines: information on how to conduct audits while following the standards of IS auditing.
• Auditing procedures: details on how to audit various types of systems and processes, providing a sample approach to testing controls such as firewalls and intrusion detection systems.
• The IT Assurance Guide to using COBIT is another excellent resource on how to conduct an audit using COBIT as the governance framework.
ISO 27003
• ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005.
• Describes the process of ISMS specification and design from inception to the production of implementation plans.
• Describes the process of obtaining management approval to implement an ISMS.
• Defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project).
• Provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
ISO 27004
• Concerns measurements relating to information security management, commonly known as ‘security metrics’.
• Intended to help organizations measure, report on and systematically improve the effectiveness of their ISMS.
• Provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented ISMS and of controls or groups of controls, as specified in ISO/IEC 27001.
• This includes policy, information security risk management, control objectives, controls, processes and procedures.
• Supports the process of ISMS revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.
ISO 15408: Common Criteria for IT Security Evaluation
• ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation.
• Specifies the general model of evaluation, which is used as the basis for evaluating the security properties of IT products.
• Provides an overview of, and describes, all parts of ISO/IEC 15408.
• Defines the terms and abbreviations.
• Establishes the core concept of a Target of Evaluation (TOE) and the evaluation context, and describes the audience to which the evaluation criteria are addressed.
• Defines the various operations by which the functional and assurance components given in Parts 2 and 3 may be tailored through the use of permitted operations.
• Protection Profiles (PP), packages of security requirements and the topic of conformance are specified, and the consequences of evaluation and evaluation results are described.
• Gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
ISO/IEC 13335 (IT Security Management)
• Focused on Information and Communication Technologies (ICT).
• Presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security.
• Part 2 of ISO/IEC 13335 provides operational guidance on ICT security.
• Together, these parts can be used to help identify and manage all aspects of ICT security; they were created to help businesses improve their information and communication security.
• Designed to create an IT management framework, including information security policies, internal controls, company-approved practices and configuration management of hardware and software components.
• No one changes information and communication technologies without formal review and approval after thorough testing has been completed.
• Created to improve business continuity, i.e. the continuation of business operations in case of a massive technical failure, natural disaster or hacking attack.
ISO 13335 versions
• ISO 13335-1 – focused on technical security controls over administrative procedures and internal corporate rules.
• ISO 13335-2 – contained the ISO’s guidance on ICT security.
• ISO 13335-3 – guidelines for managing IT security.
• ISO 13335-4 – outlined the ISO recommended practices for selecting technical security controls or IT safeguards.
• ISO 13335-5 – a set of guidelines on network security.
ISO 27005
• Describes how organizations define their context, i.e. the areas for which they are responsible.
• Risks are identified and the severity of each risk is estimated during risk analysis.
• During risk treatment, the organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from occurring.
• During risk monitoring, the group monitors the risks to the network.
• Some risks may disappear as more security hardware is installed, while others may grow due to user complacency or evolving security threats.
ISO 24762 for Technical Disaster Recovery
• Requirements for implementing, operating, monitoring and maintaining ICT disaster recovery (DR) services and facilities.
• The capabilities which outsourced ICT DR service providers should possess and the practices they should follow so as to provide basic secure operating environments and facilitate organizations’ recovery efforts.
• Guidance for the selection of a recovery site.
• Guidance for ICT DR service providers to continuously improve their ICT DR services.
ISO 22301 – for Business Continuity Management (BCM)
• Suggests a structure or framework (actually a set of methods and processes) for any organization – private, governmental and non-governmental.
• Identifies and specifies all relevant aspects, including performance criteria, design and implementation.
• Details how to improve ICT readiness as part of the organization’s ISMS, helping to ensure business continuity.
• Enables an organization to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.

IEEE Standards
• IEEE has standardization activities in the network and information security space and in anti-malware technologies, including in the areas of encryption, fixed and removable storage, and hard copy devices, and in applications of these technologies in smart grids.
ISO/IEC 17799:2005
• Establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization.
• Gives general guidance on the commonly accepted goals of information security management.
• ISO 17799: the key components of the standard are divided into 2 parts:
• BS 7799 Part I (ISO 17799): Code of Practice for Information Security Management.
• BS 7799 Part II: specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS).
The standard has 10 domains, which address the key areas of Information Security Management:

1. Information security policy for the organization
• Involves a thorough understanding of the organization’s business goals and its dependence on information security.
• The entire exercise begins with the creation of the IT security policy.
• The policy should convey the total commitment of top management and should reflect the needs of the actual users.
• It should be implementable, easy to understand, and must balance the level of protection with productivity.
• It should cover all the important areas, such as personnel, physical, procedural and technical security.
2. Creation of information security infrastructure
• A management framework needs to be established to initiate, implement and control information security within the organization.
• This needs proper procedures for approval of the information security policy, assignment of security roles, and coordination of security across the organization.
3. Asset classification and control
• Manage an inventory of all the IT assets, which could be information assets, software assets, physical assets or other similar services.
• Assets need to be classified to indicate the degree of protection required.
• Classification should result in information labelling that indicates whether the information is sensitive or critical, and which procedures are appropriate for copying, storing, transmitting or destroying the information asset.
4. Personnel security
• Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities.
• Various proactive measures to be taken are: creation of personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training.
• Alert and well-trained employees who are aware of what to look for can prevent future security breaches.
5. Physical and environmental security
• Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan.
• Activities involved include creating a physical security perimeter and entry controls; securing offices, rooms and facilities; providing physical access controls and protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables.
• Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.
6. Communications and operations management
• Includes operating instructions and incident response procedures.
• Network management needs controls to achieve and maintain security in computer networks; this also includes establishing procedures for remote equipment, including equipment in user areas.
• Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks, and special controls may also be required to maintain the availability of network services.
• Exchange of information and software between external organizations should be controlled and compliant with legislation.
• There should be proper information and software exchange agreements.
• Media in transit need to be secured and should not be vulnerable to unauthorized access, misuse or corruption.
• Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet.
• Controls are applied to protect electronic commerce from threats.
7. Access control
• Access to information and business processes should be controlled on the basis of business and security requirements.
• This includes defining: access control policy and rules; user access management; user registration; privilege management; user password use and management; review of user access rights; network access controls; enforced path from user terminal to computer; user authentication; node authentication; segregation of networks; network connection control; network routing control; operating system access control; user identification and authentication; use of system utilities; application access control; monitoring of system access and use; and ensuring information security when using mobile computing and tele-working facilities.
8. System development and maintenance
• Security is to be built in at the time of inception of a system.
• Security requirements should be identified and agreed prior to the development of information systems.
• This begins with security requirements analysis and specification, and with providing controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output.
• It is necessary to build applications with cryptographic controls.
• There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys, and the standards to be used for cryptography.
• A strict change control procedure should be in place to facilitate tracking of changes.
• Any changes to operating systems or software packages should be strictly controlled.
• Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.
9. Business Continuity Management
• A business continuity management process should be designed, implemented and periodically
tested to reduce the disruption caused by disasters and security failures.
• This begins by identifying all events that could interrupt business processes and then, based on
the risk assessment, preparing a strategy plan.
• The plan needs to be periodically tested, maintained and re-assessed as circumstances change.
10. Compliance
• Strict adherence must be observed to the provisions of national and international IT laws
pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational
records, data protection and privacy of personal information, prevention of misuse of information
processing facilities, regulation of cryptographic controls and collection of evidence.
BS 7799 (ISO 17799) and its relevance to Indian
Companies
• Attacks and theft on corporate websites are frequent and are usually kept
under strict secrecy to avoid embarrassment in front of business partners, investors,
media and customers.
• Huge losses sometimes go un-audited, and the only remedy is to adopt a model
that gives a long-run, business-led approach to Information Security
Management.
• BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains
discussed above) which Indian companies can adopt to build their security
infrastructure.
• Even if a company decides not to go in for certification, the BS 7799 (ISO 17799) model
helps companies maintain IT security through ongoing, integrated management of
policies and procedures, personnel training, selecting and implementing effective
controls, and reviewing their effectiveness and improving them.
• Additional benefits of an ISMS are improved customer confidence, a competitive
edge, better personnel motivation and involvement, and reduced incident impact.
• Ultimately this leads to increased profitability.
Security Standards Organizations
Internet Corporation for Assigned Names and Numbers (ICANN)
• To reach another person on the Internet you have to type an address into your
computer: a name or a number.
• That address has to be unique so computers know where to find each other.
• ICANN coordinates these unique identifiers across the world.
• It promotes competition and develops policy on the Internet's unique
identifiers.
• This is commonly termed "universal resolvability" and means that wherever we
are on the network (and hence the world) we receive the same
predictable results when we access the network.
International Organization for Standardization (ISO)
• ISO is an independent, non-governmental membership organization and the
world's largest developer of voluntary International Standards.
• It is made up of 162 member countries.
• International Standards make things work.
• They give world-class specifications for products, services and systems, to
ensure quality, safety and efficiency.
• They are instrumental in facilitating international trade.
• ISO has published more than 19 500 International Standards covering almost
every industry, from technology to food safety, agriculture and healthcare.
• ISO International Standards impact everyone, everywhere.
• Consultative Committee for International Telephony and Telegraphy (CCITT)
• The CCITT, now known as the ITU-T (the Telecommunication Standardization Sector of the
International Telecommunication Union), is the primary international body for standards for
telecommunications equipment and systems.

• American National Standards Institute (ANSI)
• ANSI oversees the creation, promulgation and use of
thousands of norms and guidelines that directly impact businesses in America in nearly every sector:
from acoustical devices to construction equipment, from dairy and livestock production to energy
distribution, and many more.
• ANSI is also actively engaged in accreditation: assessing the competence of organizations
that determine conformance to standards.
• Institute of Electrical and Electronics Engineers (IEEE)
• IEEE is the world's largest professional association dedicated to advancing technological
innovation and excellence for the benefit of humanity.
• IEEE and its members inspire a global community through IEEE's highly cited publications,
conferences, technology standards, and professional and educational activities.

• Electronic Industries Association (EIA)
• An alliance of trade organizations that lobby in the interest of companies engaged in the
manufacture of electronics-related products.
• Its member organizations have together agreed on certain data transmission
standards such as EIA/TIA-232 (formerly known as RS-232).
National Institute of Standards and Technology (NIST) and the
National Center for Standards and Certification Information (NCSCI)
• NIST measurements support the smallest of technologies (nanoscale devices
so tiny that tens of thousands can fit on the end of a single human hair) to the
largest and most complex of human-made creations, from earthquake-
resistant skyscrapers to wide-body jetliners to global communication networks.
• The National Center for Standards and Certification Information, a program within NIST,
provides research services on standards, technical regulations and conformity
assessment procedures for non-agricultural products.
• It is a repository for standards-related information in the U.S. and has access to
U.S., foreign and international documents and contact points under the World
Trade Organization Agreement on Technical Barriers to Trade.
• The program maintains a database on NIST and Department of Commerce
staff participation in standards-developing activities.
World Wide Web Consortium (W3C)
• W3C is an international community where Member organizations, a full-time staff, and
the public work together to develop Web standards.
• W3C's vision for the Web involves participation, sharing knowledge, and
thereby building trust on a global scale.
• Web for All
• The social value of the Web is that it enables human communication, commerce, and
opportunities to share knowledge.
• One of W3C's primary goals is to make these benefits available to all people,
whatever their hardware, software, network infrastructure, native language, culture,
geographical location, or physical or mental ability.
• Web on Everything
• The number of different kinds of devices that can access the Web has grown
immensely.
• Mobile phones, smart phones, personal digital assistants, interactive television
systems, voice response systems, kiosks and even certain domestic appliances can
all access the Web.
• Web for Rich Interaction
• The Web was invented as a communications tool to allow anyone, anywhere to share information.
• For many years, the Web was a "read-only" tool for most users.
• Blogs and wikis brought more authors to the Web, and social networking emerged from the flourishing
market for content and personalized Web experiences.
• W3C standards have supported this evolution thanks to strong architecture and design principles.
• Some view the Web as a giant repository of linked data, others as a giant set of services that
exchange messages.
• Web of Trust
• The Web has transformed the way we communicate with each other.
• It has also modified the nature of our social relationships.
• People now "meet on the Web" and carry out commercial and personal relationships, in some cases
without ever meeting in person.
• W3C holds that technology design can foster trust and confidence.
Web Application Security Consortium (WASC)
• A non-profit made up of an international group of experts, industry practitioners,
and organizational representatives who produce open-source and widely
agreed-upon best-practice security standards for the World Wide Web.
• WASC facilitates the exchange of ideas and organizes several industry
projects.
• WASC consistently releases technical information, contributed articles,
security guidelines, and other useful documentation.
• Businesses, educational institutions, governments, application developers,
security professionals, and software vendors all over the world use its
materials to assist with the challenges presented by web application security.
Information Security Laws, Regulations & Guidelines
• India's Ministry of Communications and Information Technology has implemented the
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011 ("Privacy Rules").
• A new Privacy (Protection) Bill, 2013 (the Bill) was presented by the Centre for Internet and Society
on September 30, 2013.
• The Bill focuses on protection of personal data through limitations on use and
requirements for notice.
• The collection of personal data would be prohibited unless "necessary for the
achievement of a purpose of the person seeking its collection," and "no personal data
may be collected under this Act prior to the data subject being given notice, in such
form and manner as may be prescribed, of the collection."
• The Bill also covers regulation of personal data storage, processing, transfer, and
security.
Protected Personal Data
• Personal information is defined as any information that relates to a natural
person which, either directly or indirectly, in combination with other
information available or likely to be available with a corporate entity, is capable
of identifying that person.
• Sensitive personal data or information is defined as "personal information"
relating to any of the following: passwords;
financial information such as bank account, credit card, debit card or other
payment instrument details;
physical, physiological and mental health condition; sexual orientation;
medical records and history; biometric information; any detail relating to any of
the above as provided to a corporate entity for providing a service; and any of
the above information received by a corporate entity for processing, or
stored or processed under a lawful contract or otherwise.
Data Collection and Processing
• The Privacy Rules apply to data collection, but do not define processing.
• The Privacy Rules require a Body Corporate that collects, receives,
possesses, stores, deals with, or handles sensitive or personal data to provide a
privacy policy for handling such data and to ensure that the policy is
available for viewing by the data subjects who have provided the information
under contract.
• The policy shall provide for:
• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• the disclosure of information, including sensitive personal data or information;
and reasonable security practices and procedures.
Data Collection and Processing
• Data may be collected and processed only when all of the following conditions are met:
• the data subject has provided written consent and is aware, at the time of
collection, that the information is being collected, the purpose of collection, the
intended recipients of the information, and the name and address of the
agency that is collecting and will retain the information;
• the data subject has been given the option not to provide sensitive
personal data or information;
• the data subject is permitted to withdraw his/her consent, in writing, at any
time;
• the information is collected for a lawful purpose connected with a function or
activity of the body corporate or any person on its behalf; and the collection of
the sensitive personal data or information is considered necessary for that
lawful purpose.
Data Transfer
• Disclosure of data to a third party requires prior permission of the data subject,
whether the information is provided under contract or otherwise, except in the
following situations:
• the disclosure has already been agreed to in a contract;
• the disclosure is necessary for compliance with a legal obligation;
• the data is shared with government agencies with the authority to obtain the data for
the purpose of verification of identity, or for the prevention, detection, investigation,
prosecution, and punishment of offenses, including cyber incidents; or
• Data may be transferred domestically or internationally to any person or Body
Corporate that ensures the same level of data protection that is adhered to by the
Body corporate, but the transfer is allowed only if:
• the data subject consents; or
• the transfer is necessary for the performance of the lawful contract between the body
corporate or any person on its behalf and the data subject.
• Data Security
• A Body Corporate is required to implement reasonable security practices and procedures.
• The Privacy Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other
measures that have been pre-approved by the central government and are subject to annual audits by
a central-government-approved auditor.
• Breach Notification
• There is no mandatory requirement to report data security breach incidents under the Privacy Rules.
• Other Considerations
• Data retention rules state that information should not be retained longer than is required for the
purposes for which it may lawfully be used, or than is otherwise required under any other law.
• Under the government's 2011 clarification of the Rules, outsourcing service providers in India are exempt
from obtaining consent from the individuals whose data they process on a client's behalf.
• Enforcement & Penalties
• A corporate entity may be liable for compensation of up to Rs. 50,000,000 (Rs. 5 crore, under section 43A
of the IT Act) for negligent failure to implement and maintain reasonable security practices and procedures
that causes wrongful loss or wrongful gain.
• International Directory of Laws
• This directory includes laws, regulations and industry guidelines with
significant security and privacy impact and requirements.
• It is largely USA-focused but is used by international agencies as a reference
point.