NIST SP 800:
- The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, publishes a series of Special Publications on information technology security policies, procedures, and guidelines known as the ‘800’ series.
- “The publications cover all NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities and for implementing security measures to minimize the risk of adverse events… The publications can be useful as guidelines for enforcement of security rules and as legal references in case of litigation involving security issues.” (See http://whatis.techtarget.com/definition/0,,sid9_gci1189451,00.html)
- The SP 800 series is provided free of charge and is widely used in business, academia, and other large-scale IT deployments; it is also the baseline that U.S. federal agencies are required to follow.
- Selected topics include VPNs, data models, cryptography, and hash algorithms, among many others.
- See http://csrc.nist.gov/publications/PubsSPs.html for the complete list of SP 800 publications.
ISO 17799:
- ISO 17799, published jointly by the International Organization for Standardization and the IEC (and renumbered ISO/IEC 27002 in 2007), is an information security management standard that has gained international recognition and approval.
- The standard descends from the two-part British standard BS 7799. Part 1, which became ISO 17799, is a ‘code of practice’ that outlines topics such as Security Policy, Security Organization, Asset Classification and Control, Business Continuity Management, etc.
- Part 2, BS 7799-2, became ISO 27001. It specifies the requirements for an Information Security Management System (ISMS), including its policies and procedures, and is the part against which organizations are formally certified. One site summarized the process as: “Define a security policy, Define the scope of the ISMS, Undertake a risk assessment, Manage the risk, Select control objectives and controls to be implemented, Prepare a statement of applicability.” (See http://www.17799central.com/iso17799.htm for more information on both parts.)
PCI Credit Card Standard:
- The Payment Card Industry Data Security Standard (PCI DSS) grew out of Visa’s Cardholder Information Security Program (CISP). CISP predates PCI DSS and was created by Visa; today CISP adopts PCI DSS as its technical requirements and is the program through which Visa enforces the standard on the merchants and service providers it covers.
- The purpose of PCI DSS (and of CISP as a whole) is to “ensure and enhance” the privacy and security of cardholder data, particularly as it is handled and stored by merchants, processors, and other agencies. (For a brief overview, see http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci1201178,00.html, from which much of this section’s information was obtained.)
- The standard applies to every channel in which card data is handled: online transactions as well as those placed over the telephone, in store, and by mail order.
- Regular assessments (on-site audits for the largest merchants, self-assessment questionnaires for smaller ones) are an integral part of maintaining compliance with this standard worldwide.
- See Visa’s CISP page for more details on the program (http://usa.visa.com/merchants/risk_management/cisp.html).
