ISO/IEC 7816-3:2006 specifies the power and signal structures, and information exchange between an integrated circuit card and an interface device such as a terminal.
It also covers signal rates, voltage levels, current values, parity convention, operating procedure, transmission mechanisms and communication with the card. It does not cover information and instruction content, such as identification of issuers and users, services and limits, security features, journaling and instruction definitions.
This standard was last reviewed and confirmed in 2018. Therefore this version remains current.
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for the service organization control report attestations provided by cloud providers.
The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
The CTP document focuses on the definition of the CTP Data Model and Application Programming Interface (API), including:
- The format of CTP messages exchanged between cloud service customers and providers.
- The modelling of concepts such as “security attributes”, “objectives”, “measurement results” and “triggers” in machine readable format.
- The means to define the scope of the service to which CTP monitoring queries apply.
However, the document does not provide a specification of the “security attributes” (and associated metrics) that are queried by CTP. Such a specification will be provided by the Cloud Security Alliance in a separate document, and will likely be influenced by upcoming standards such as [ISO_19086]. CTP also offers implementers the choice to define and adopt their own set of security attributes and related metrics. This document is organised as follows.
Section 2 provides some key terms and definitions that are used throughout this document, borrowing from relevant key standards.
Section 3 offers a general introductory overview of CTP.
Section 4 describes the CTP data model, defining the main concepts that are used to represent security information related to cloud services in CTP.
Section 5 specifies the RESTful CTP API that implements the model described in section 4. It also specifies the CTPScript language used in “triggers” and “objectives” and describes when they should be evaluated.
Section 6 provides requirements and recommendations for securing the CTP API.
Privacy Level Agreement - Version 2 is intended to be used as an appendix to a Cloud Services Agreement, and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLA”) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal data protection practices.
The PLA [V2] is based only on EU personal data protection mandatory legal requirements. Accordingly, the Working Group has stripped away the elements derived from best practices and recommendations that were in the PLA [V1] (see further the ‘Methodology’ section of the standards document), and further clarifies the core mandatory legal requirements.
The Trusted Cloud Initiative helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations and practices. The Trusted Cloud Initiative will develop reference models and education in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate. The Trusted Cloud Initiative Reference Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions that fulfill their common needs: to assess where their internal IT and their cloud providers stand in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.
The “Software Defined Perimeter (SDP) protocol” is designed to provide on-demand, dynamically provisioned, air-gapped networks. Air-gapped networks are trusted networks that are isolated from all unsecured networks, and this may allow them to mitigate network-based attacks. The SDP protocol is based on workflows invented by the Department of Defense (DoD) and used by some Federal Agencies. Networks based on these workflows provide a higher level of security, but are thought to be very difficult to use compared to traditional enterprise networks.
The Software Defined Perimeter (SDP) has adapted the generalized DoD workflow but has modified it for commercial use and made it compatible with existing enterprise security controls. Where applicable, SDP has followed NIST guidelines on cryptographic protocols. SDP can be used in government applications such as enabling secure access to FedRAMP certified cloud networks as well as enterprise applications such as enabling secure mobile phone access to public clouds.
This document specifies the nature and characteristics of the fields to be provided for power and bi-directional communications between vicinity coupling devices (VCDs) and vicinity cards (VICCs). This document is intended to be used in conjunction with other parts of the ISO/IEC 15693 series.
ISO/IEC 7816-9:2017 specifies interindustry commands for card, file and other structure management, i.e. data object and security object. These commands cover the entire life cycle of the card and therefore some commands are used before the card has been issued to the cardholder or after the card has expired. For details on record life cycle status, refer to ISO/IEC 7816-4.
ISO/IEC 7816-9:2017 is not applicable to the internal implementation within the card and/or the outside world.
ISO 17839-2:2015 defines the following:
- Dimensions of a Biometric System-on-Card type S1 and type S2;
- Position and size of the biometric capture device;
- Minimum requirements to a Biometric System-on-Card with respect to
  - mechanical durability, and
  - man-machine interface and ergonomics.
The standardization of other on-card devices such as an electronic display or a keypad is outside the scope of this part of ISO/IEC 17839.
This document specifies the test methods used for conformity testing, to determine whether an ICC with at least one ICC-managed device is considered to conform with the specifications of ISO/IEC 18328-3, e.g. device management and device handling.
ISO/IEC 24727 specifies a set of programming interfaces and protocols enabling interactions between integrated circuit cards (ICCs) and applications resident on a variety of computer platforms. The ICCs provide generic services for multi-sector use by the applications. The organization and the operation of the ICCs conform to ISO/IEC 7816-4. It is anticipated that some application domains will seek to achieve interoperability through ISO/IEC 24727 facilities even though the applications pre-exist these facilities. To this end, various means of backward compatibility are established through mechanisms specified in ISO/IEC 24727.
ISO/IEC 24727-1:2014 specifies:
- system architecture and principles of operation,
- the means for achieving interoperability among diverse application domains,
- the conceptual service and data models that span the relevant application domains, and
- the rationale for trusted processes enabled under these models.
This standard was last reviewed and confirmed in 2015. Therefore this version remains current.