Cybersecurity




Guidance for developing security and privacy functional requirements based on ISO/IEC 15408

This document provides guidance for:
— selecting and specifying security functional requirements (SFRs) from ISO/IEC 15408-2 to protect Personally Identifiable Information (PII);
— the procedure to define both privacy and security functional requirements in a coordinated manner; and
— developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100 through the paradigm described in ISO/IEC 15408-2.

ISO/IEC TS 19608:2018

ISO/IEC JTC 1/SC 27 11770-1:2010 - Key management - Part 1: Framework

In information technology there is an ever-increasing need to use cryptographic mechanisms for the protection of data against unauthorised disclosure or manipulation, for entity authentication, and for non-repudiation functions. The security and reliability of such mechanisms are directly dependent on the management and protection afforded to a security parameter, the key.
This part of ISO/IEC 11770:

a) establishes the general model on which key management mechanisms are based.

b) defines the basic concepts of key management which are common to all the parts of ISO/IEC 11770.

c) specifies the characteristics of key management services.

d) establishes general principles on the management of keying material during its life cycle.

e) establishes the conceptual model of key distribution.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:11770:-1:ed-2:v1:en

Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls

This part of IEC 80001 creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls. Intended use and local factors determine which exact capabilities will be useful in the dialog about risk.

The capability descriptions in this report are intended to supply:

a) health delivery organizations (HDOs),

b) medical device manufacturers (MDMs), and

c) IT vendors

Source: https://www.iso.org/standard/57939.html

IEC 80001-2-2:2012

Cybersecurity and ISO and IEC Standards

This document provides guidance on how to leverage existing standards in a cybersecurity framework.
The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and to ensure that processes, governance and controls exist and are fit for purpose. This can be done through a management systems approach. An Information Security Management System (ISMS) as described in ISO/IEC 27001 is a well-proven way for any organization to implement a risk-based approach to cybersecurity.

This document demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management.

Source: https://www.iso.org/standard/72437.html

ISO/IEC TR 27103:2018

Vulnerability disclosure

In the contexts of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component, or service that violates an implicit or explicit security policy.
Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property.
This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1.
Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected.

Source: https://www.iso.org/standard/72311.html

ISO/IEC 29147:2018

Information security controls for the energy utility industry

Effective information security in the process control domain of the energy utility sector can be achieved by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable measures set forth in this document, in order to attain the specific security and business objectives of the organization.
Ultimately, the overall success of the cybersecurity of energy industries is based on collaborative efforts by all stakeholders (vendors, suppliers, customers, etc.).
This document provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.
For example, this includes in particular the following:
- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices.
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes.

Source: https://www.iso.org/standard/68091.html

ISO/IEC 27019:2017

Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators

This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045.
This document includes knowledge and skills especially in the following areas:

— Information security

Knowledge: Information security principles, information security properties, information security threats and vulnerabilities
Skills: Understand information security requirements, understand the context

— Information security evaluation

Knowledge: Knowledge of ISO/IEC 15408 (all parts) and ISO/IEC 18045, laboratory management system
Skills: Basic evaluation skills, core evaluation skills, skills required when evaluating specific security assurance classes, skills required when evaluating specific security functional requirements classes

— Information systems architecture

Knowledge: Technology being evaluated
Skills: Understand the interaction of security components and information

— Information security testing

Knowledge: Information security testing techniques, information security testing tools, product development lifecycle, test types
Skills: Create and manage an information security test plan, design information security tests, prepare and conduct information security tests

Source: https://www.iso.org/standard/71122.html

ISO/IEC 19896-3:2018

ISO/IEC JTC 1/SC 27 9797-2:2011 Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function

This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-2:ed-2:v2:en

ISO/IEC 9797-3:2011 Message Authentication Codes (MACs) - Part 3: Mechanisms using a universal hash-function

This part of ISO/IEC 9797 specifies the following MAC algorithms that use a secret key and a universal hash-function with an n-bit result to calculate an m-bit MAC based on the block ciphers specified in ISO/IEC 18033-3 and the stream ciphers specified in ISO/IEC 18033-4:

a) UMAC;

b) Badger;

c) Poly1305-AES;

d) GMAC.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-3:ed-1:v1:en

ISO/IEC JTC 1/SC 27 9798-1:2010 Entity authentication - Part 1: General

This part of ISO/IEC 9798 specifies an authentication model and general requirements and constraints for entity authentication mechanisms which use security techniques. These mechanisms are used to corroborate that an entity is the one that is claimed. An entity to be authenticated proves its identity by showing its knowledge of a secret. The mechanisms are defined as exchanges of information between entities and, where required, exchanges with a trusted third party.

Source: https://www.iso.org/obp/ui/#iso:std:53634:en

ISO/IEC JTC 1/SC 27 9798-2:2008 Entity authentication - Part 2: Mechanisms using symmetric encipherment algorithms

This part of ISO/IEC 9798 specifies entity authentication mechanisms using symmetric encipherment algorithms. Four of the mechanisms provide entity authentication between two entities where no trusted third party is involved; two of these are mechanisms to unilaterally authenticate one entity to another, while the other two are mechanisms for mutual authentication of two entities. The remaining mechanisms require a trusted third party for the establishment of a common secret key, and realize mutual or unilateral entity authentication.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9798:-2:ed-3:v1:en