ANSI - American National Standards Institute

As Cyber-threats Evolve, Standardization Organizations Resolve to Provide Updated Solutions
12/30/2016

As we enter the new year, cybersecurity will undoubtedly continue to be a critical priority for organizations, companies, and governments around the world, and standardization organizations are committed to developing solutions that can help in this ongoing battle. The American National Standards Institute (ANSI) is proud to highlight a few recent activities from its members and partners, both international and domestic, that leverage standardization as a tool to combat cyber-threats.

A recently updated standard jointly developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. ISO/IEC 27001 is a global standard establishing requirements for an information security management system (ISMS). In support of effective implementation of ISO/IEC 27001, the newly revised ISO/IEC 27004 shows how to construct an information security measurement program, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.

According to ISO, security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken center stage. “Cyber-attacks are among the greatest risks an organization can face,” said Edward Humphreys, convenor of the working group that developed the standard. “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend, and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”

ISO/IEC 27004:2016 was developed by ISO/IEC Joint Technical Committee (JTC) 1, Information technology, Subcommittee (SC) 27, IT security techniques, under the leadership of DIN (Germany) with the participation of 53 countries. The U.S. holds TC-level leadership of ISO/IEC JTC 1, with Karen Higginbottom of HP Inc. serving her third term as chair, and ANSI as secretariat. ANSI is the U.S. member body to ISO and, via the U.S. National Committee, to the IEC. The ANSI-accredited U.S. Technical Advisory Group administrator to ISO/IEC JTC 1 and its SCs is the InterNational Committee for Information Technology Standards (INCITS), an ANSI member and accredited standards developer.

On the domestic front, the National Institute of Standards and Technology (NIST), an ANSI government member, has just published a free Guide for Cybersecurity Event Recovery to help organizations develop a game plan to contain a cyber-attack and restore affected systems quickly. As the number of cybersecurity incidents climbs, and the variety of types of attacks grows, “It’s no longer if you are going to have a cybersecurity event, it is when,” said computer scientist Murugiah Souppaya, one of the guide’s authors.

The new guide consolidates existing NIST cyber-attack recovery guidance, including publications on incident handling and contingency planning. It also provides a process that each organization can use to create its own comprehensive recovery plan, and presents additional information related to the “recover” function in the previously released Framework for Improving Critical Infrastructure Cybersecurity (known as the “Cybersecurity Framework”).

ANSI has a strong record of developing, leading, and supporting collaborative cybersecurity initiatives that respond to the ever-changing threat landscape, including the following recent activities:

For more information on ANSI’s work in cybersecurity, visit www.ansi.org/cyber.