What is it?
A common set of rules designed to ensure interoperability between different products, systems, and organizations.
Why is it important?
Standards provide stable, long-term guidelines that products can be validated against to ensure they will operate correctly and securely with other products that adhere to the same standard. Standards reflect the best practices of experienced cybersecurity professionals.
Why does a business professional need to know this?
Business professionals must decide which standards make business sense for their companies to implement. In the area of cybersecurity, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)[Fleck-Graeme 1] is the most widely used cybersecurity framework.
Other important security standards and standards organizations include the following:
- ISO/IEC 27001 and 27002: information security management systems[Mattsson-Ulf 1]
- Consortium for IT Software Quality (CISQ): develops standards related to software quality[Mattsson-Ulf 2]
- Information Security Forum (ISF): publishes the Standard of Good Practice[Mattsson-Ulf 3]
- ISO 15408: standards for computer security certification, also known as Common Criteria[Mattsson-Ulf 4]
- Payment Card Industry Data Security Standard (PCI DSS): standard for handling credit and debit card data and transactions[Schaffzin-Jeff 3]
- Federal Information Processing Standards (FIPS): a series of US federal standards covering cryptography and other requirements for government systems[Mattsson-Ulf 5]
Some standards, for example PCI DSS, are mandated by industry to ensure a high level of security across multiple participants. If you want to process credit and debit cards, you must follow PCI DSS or partner with a processor who complies with that standard. Other standards are based on industry best practices that have been shown to improve security.