ANSI - American National Standards Institute

International Standards Take Aim at Cyber Crime
New York, Jan 09, 2007

A recent rash of media reports reveals a sharp escalation in the number and sophistication of “botnet” attacks on home and office computers worldwide. A botnet is a network of Internet-connected computers that have been hijacked by malware and placed under a single remote controller; infiltrating thousands of computers at a time, botnets are used to commit coordinated acts of cyber fraud and theft, denial-of-service attacks and spam campaigns.

Several standards from the Joint Technical Committee 1 (JTC 1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) take aim at combating cyber threats like botnets that menace network infrastructure security and the integrity of corporate, financial and personal data. The InterNational Committee for Information Technology Standards (INCITS) is the ANSI-accredited Technical Advisory Group (TAG) to JTC 1 and helps to coordinate U.S. involvement in the committee’s work. INCITS’ technical committee on cyber security (CS1) serves as the U.S. TAG for JTC 1’s subcommittee on IT security techniques.

The ISO/IEC 13335 series of standards takes an organizational approach to IT security management. Used together, the standards can help organizations identify and manage all aspects of information and communication technology (ICT) security.

The widely used ISO/IEC 17799 provides organizations of all types and sizes with a high-level guide to cyber security. ISO/IEC 17799:2005, Information technology -- Security techniques -- Code of practice for information security management, outlines guidelines and general principles for implementing improved security management policies that minimize the number and impact of cyber attacks. The document contains best practices for controls in eleven key areas, including security policy; business continuity management; access control; physical and environmental security; and information security incident management.

ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements, is a certification standard intended to be used together with ISO/IEC 17799. The document specifies the requirements for establishing, operating and improving an information security management system, with security controls selected in the context of the organization's overall business risks, and is the first in what is to become the ISO/IEC 27000 series of standards on information security. ISO/IEC 17799:2005 is expected to be reissued as part of the 27000 family under the document number ISO/IEC 27002 later this year.

All of the ISO/IEC standards mentioned above have been adopted by INCITS as national standards for the United States.
