
ITU-T - [2017-2020] : [SG17] : [Q8/17] - X.GSBDaaS - Guidelines on security of Big Data as a Service

Big data based on cloud computing provides the capabilities to collect, store, analyze, visualize and handle varieties of large-volume datasets that cannot be rapidly transferred and analyzed using traditional technologies, e.g. Big Data as a Service (as defined in [ITU-T Y.3600], big data as a service (BDaaS) is a cloud service category in which the capabilities provided to the cloud service customer are the ability to collect, store, analyse, visualize and manage data using big data). Data storage, analysis, calculation and other data services based on the big data platform have been developing rapidly in recent years.

This Recommendation aims to specify security protection measures for the big data platform, regulate security protection measures in the construction and operation process of the big data platform, and promote the development of big data services. The measures in the framework will take into account the national legal and regulatory obligations of the individual member states in which the big data platforms operate. The work will proceed using the methodology standardized in clause 10 of Recommendation ITU-T X.1601.

ITU-T - [2017-2020] : [SG17] : [Q8/17] - X.sgtBD - Security guidelines of lifecycle management for telecom big data

This Recommendation provides security guidelines for lifecycle management of telecom Big Data. It covers the following:

- Introduce the use cases of telecom Big Data;

- Analyze the security risks of lifecycle management for telecom Big Data;

- Specify the security guidelines of lifecycle management for telecom Big Data.

Guidelines for cybersecurity

This International Standard provides guidance for improving the state of Cybersecurity.
It provides:

— an overview of Cybersecurity,

— an explanation of the relationship between Cybersecurity and other types of security (information, network, and internet security),

— a definition of stakeholders and a description of their roles in Cybersecurity,

— guidance for addressing common Cybersecurity issues,

— a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.

Source: https://www.iso.org/standard/44375.html

ISO/IEC 27032:2012

Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls

This part of IEC 80001 creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls. Intended use and local factors determine which exact capabilities will be useful in the dialog about risk.

The capability descriptions in this report are intended to supply:

a) health delivery organizations (HDOs),

b) medical device manufacturers (MDMs), and

c) IT vendors

Source: https://www.iso.org/standard/57939.html

IEC 80001-2-2:2012

Cybersecurity and ISO and IEC Standards

This document provides guidance on how to leverage existing standards in a cybersecurity framework.
The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls exist and are fit for purpose. This can be done through a management systems approach. An Information Security Management System (ISMS) as described in ISO/IEC 27001 is a well-proven way for any organization to implement a risk-based approach to cybersecurity.

This document demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management.

Source: https://www.iso.org/standard/72437.html

ISO/IEC TR 27103:2018

Security management systems for the supply chain - Guidelines for the implementation of ISO 28000 - Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations

This part of ISO 28004 identifies supply chain risk and threat scenarios, procedures for conducting risks/threat assessments, and evaluation criteria for measuring conformance and effectiveness of the documented security plans in accordance with ISO 28000 and the ISO 28004 series implementation guidelines. An output of this effort will be a level of confidence rating system based on the quality of the security management plans and procedures implemented by the seaport to safeguard the security and ensure continuity of operations of the supply chain cargo being processed by the seaport. The rating system will be used as a means of identifying a measurable level of confidence (on a scale of 1 to 5) that the seaport security operations are in conformance with ISO 28000 for protecting the integrity of the supply chain.

Source: https://www.iso.org/standard/60905.html

ISO 28004-2:2014

Vulnerability disclosure

In the contexts of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component, or service that violates an implicit or explicit security policy.
Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property.
This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1.
Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected.

Source: https://www.iso.org/standard/72311.html

ISO/IEC 29147:2018

Information security controls for the energy utility industry

Effective information security in the process control domain of the energy utility sector can be achieved by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable measures set forth in this document, in order to attain the specific security and business objectives of the organization.
Ultimately, the overall success of the cybersecurity of energy industries is based on collaborative efforts by all stakeholders (vendors, suppliers, customers, etc.).
This document provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.
For example, this includes in particular the following:
- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices.
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes.

Source: https://www.iso.org/standard/68091.html

ISO/IEC 27019:2017

Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators

This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045.
This document includes knowledge and skills especially in the following areas:

— Information security

Knowledge: Information security principles, information security properties, information security threats and vulnerabilities
Skills: Understand information security requirements, understand the context

— Information security evaluation

Knowledge: Knowledge of ISO/IEC 15408 (all parts) and ISO/IEC 18045, laboratory management system
Skills: Basic evaluation skills, core evaluation skills, skills required when evaluating specific security assurance classes, skills required when evaluating specific security functional requirements classes

— Information systems architecture

Knowledge: Technology being evaluated
Skills: Understand the interaction of security components and information

— Information security testing

Knowledge: Information security testing techniques, information security testing tools, product development lifecycle, test types
Skills: Create and manage an information security test plan, design information security tests, prepare and conduct information security tests

Source: https://www.iso.org/standard/71122.html

ISO/IEC 19896-3:2018

ISO/IEC 9797-2:2011 (ISO/IEC JTC 1/SC 27) - Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function

This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-2:ed-2:v2:en

ISO/IEC 9797-3:2011 Message Authentication Codes (MACs) - Part 3: Mechanisms using a universal hash-function

This part of ISO/IEC 9797 specifies the following MAC algorithms that use a secret key and a universal hash-function with an n-bit result to calculate an m-bit MAC based on the block ciphers specified in ISO/IEC 18033-3 and the stream ciphers specified in ISO/IEC 18033-4:

a) UMAC;

b) Badger;

c) Poly1305-AES;

d) GMAC.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-3:ed-1:v1:en

ISO/IEC 9798-1:2010 (ISO/IEC JTC 1/SC 27) - Entity authentication - Part 1: General

This part of ISO/IEC 9798 specifies an authentication model and general requirements and constraints for entity authentication mechanisms which use security techniques. These mechanisms are used to corroborate that an entity is the one that is claimed. An entity to be authenticated proves its identity by showing its knowledge of a secret. The mechanisms are defined as exchanges of information between entities and, where required, exchanges with a trusted third party.

Source: https://www.iso.org/obp/ui/#iso:std:53634:en