Igor Korotach
Head of FinTech at Quantum
Written by: Igor Korotach
ISO/IEC 27001 is an international standard to manage information security.
There are also numerous recognized national variants of the standard. ISO/IEC 27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
ISO/IEC 27001 requires that management:
NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally intended for U.S. federal agencies other than those handling national security systems, since Revision 5 it is written for general use.
Two related documents are 800-53A, which provides assessment guidance, and 800-53B, which provides control baselines, both based on 800-53.
NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards from the major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly, with a method suited to the volume of transactions.
In version 3.2.1 of the PCI DSS, the twelve main requirements are:
IEC 62443 is an international standard that focuses on securing Industrial Automation and Control Systems (IACS). It provides a comprehensive set of guidelines to address cybersecurity in critical infrastructures, such as manufacturing systems, energy grids, water treatment facilities, and other industrial environments. It is designed to help organizations mitigate cybersecurity risks in industrial environments, where both IT (Information Technology) and OT (Operational Technology) coexist.
The OWASP Application Security Verification Standard (ASVS) is an open standard that sets out the coverage and level of rigor expected when performing web application security verification. The standard also provides a basis for testing any technical security controls that are relied on to protect against vulnerabilities in the application.
The ASVS defines three levels of security verification:
The ASVS is split into the following sections:
V1 Architecture, Design and Threat Modeling
V2 Authentication
V3 Session Management
V4 Access Control
V5 Validation, Sanitization and Encoding
V6 Stored Cryptography
V7 Error Handling and Logging
V8 Data Protection
V9 Communication
V10 Malicious Code
V11 Business Logic
V12 Files and Resources
V13 API and Web Service
V14 Configuration
OWASP Top 10
CWE (Common Weakness Enumeration)
OWASP DevSecOps Guideline
SAFECode
Presentation link: https://slides.com/emulebest/quantum-security-course