Standards / Benchmarks

  • How ISO Quality Can Improve Data Security

    Posted on November 8, 2011 by admin

    Understanding Information Security Standards

    ioSafe technology adds an extra layer of data protection to your current ISO data retention & security plan, improving RTO & RPO at a very low cost.

    One of the things we want to do here at HDDFiresafe.com is to help you understand some of the work and regulations that go into the systems you use every day. The products and systems a person uses have all been put through various tests and standards to make sure they perform to the level that they advertise. Many of these tests and standards are concerned with safety and product quality. Computer systems, security functions most importantly, are especially scrutinized. In the modern age, the most important concern is the protection of data, and businesses that manage and hold the personal, financial or health data of their clients are required by law to make sure that they are protecting this data.

    One of the ways they do this is by making sure their computer systems run at a nationally or internationally recognized standard. The ability to display the sticker of approval from one of these organizations is proof that you’re taking care of business, and if you see it at a company you’re doing business with, you should feel more assured of your data’s safety.

    Let’s look at a couple of examples of standards that you would use in your business or, as a consumer, be protected by without even knowing about it.

    ISO 17799/27002: The International Organization for Standardization (ISO) is an acclaimed international body which sets various worldwide proprietary, industrial and commercial standards. Headquartered in Switzerland, it was founded in 1947 and does the bulk of its work through over 2700 technical committees, subcommittees and working groups. They sell their standards across the world and 162 countries are voluntary members of this organization. ISO standards are so commonplace that they have become part of some products’ designations; many CD images end with the extension “ISO” to indicate that they are using the ISO 9660 standard file system.

    One of their increasingly important standards is ISO 17799/27002, which is a widely accepted standard for information security management. It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in the commercial or industrial sense by large, medium or small businesses.

    If your company purchases the 17799/27002, you’ll receive a generic guide on how to implement information security procedures in your business. The standard is very comprehensive. It will go over such topics as risk assessment and treatment, security policies, organization of information security, asset management, human, physical and environmental security, media handling, communications and much more. You’ll be able to set up the standard and tailor it to your unique needs. After that, you’ll be able to contact any number of accredited groups to look over your plan and tell you if it meets ISO standards. This standard grew out of the requirements devised for ISO/IEC 27001, and a revised edition should be released in 2012. Here is an in-depth guide that will tell you more about the standard.

    ISO/IEC 27001: This standard is a formal set of specifications against which organizations can seek independent certification of their Information Security Management Systems (ISMS). An ISMS is a set of policies concerned with information security or IT-related risks. The main idea behind this principle is that a company should design, implement and maintain a coherent set of policies, systems and processes to manage risks to its information assets. The 27001 covers all types of businesses, from mom ‘n’ pop shops to multinational corporations. Its use covers many bases: ensuring compliance with laws and regulations, and identifying and clarifying existing security methods and how they can be improved. 27001 is also used by external and internal auditors of organizations to demonstrate the security policies of a company.

    The main goal of the standard is to organize all security efforts under an ISMS; in this sense it is broader than ISO 17799/27002, which provides a detailed plan for security management. The 27001 is like the standard which allows you to shape your other plans. A good bet would be to use both standards together and get positive overlap.

    It is a very popular standard; over 7300 organizations worldwide have been certified as compliant with ISO/IEC 27001. There are mandatory requirements for certification of the 27001 and many accredited agencies which you can use to perform the service. Here is an in-depth guide to ISO/IEC 27001; it will give a full account of the standard and applying it.

    Common Criteria: This system is another approach to data security.  The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard for computer security certification. It is a framework with which a computer system user can specify their security functional and assurance needs. With it a company can make a claim about the security attributes of their products and an outside testing laboratory can evaluate that claim. The CC provides assurance that the testing was done in a proper and rigorous manner.

    The CC grew out of three different standards: ITSEC from Europe, CTCPEC from Canada and the TCSEC from the U.S. Department of Defense. What makes it different from the ISO standards is that CC is used more commonly on products. To evaluate the claim, the CC uses protection profiles, security targets, security functional requirements, security assurance requirements and evaluation assurance levels.

    Common Criteria has been used on many products, such as access control devices, biometric systems, smart cards, operating systems and databases. Here is a complete list of products. There has been some criticism that the CC is too costly and that there is too much focus on documentation rather than actual security. CC continues to be updated and is currently in the 3.1 version. This is the official website of the Common Criteria Project, a good resource if you wish to learn more.

    Another measure that you and your company can take to increase data security is to have more secured hard drives. IoSafe’s SoloPRO series of external hard drives are excellent choices because of the rugged protection they offer. The physical and data protection is top-notch. Take the 1 TB SoloPRO eSATA/USB 2.0 Desktop Hard Drive for example. With its environmental protection systems, it’s prepared for any real-world threat from fire, flood, shock, impact, chemical or air fan failure. The Data Recovery Service is a great safety net for a data management program. It’s a three-year plan (upgrades available) where you have up to $2500 worth of forensic data recovery and advanced replacement in case of an internal error or system crash. It’s a back-up for your back-up plan. The eSATA/USB 2.0 connectivity works with a NAS network and would fill a niche in your data management system.

    IoSafe products can provide the physical anchor for your new system of data management. At HDDFiresafe.com, we believe in covering all the bases and ioSafe will help you do that.

    These standards and certifications can truly help your business. ISO can help you protect your data and Common Criteria can help you make better products. Each is an investment of both time and money, but making it will benefit your company in the long run.

    Written by:

    Joseph Fowler


    This post was posted in Prevent Data Loss, Standards / Benchmarks, ISO Standards of Quality and was tagged with fireproof hard drive, ioSafe, data storage, iso certified, data retention, records retention, rto, rpo, ISO 17799/27002

  • Setting the Standard | ioSafe qualifies for ASTM Ratings

    Posted on September 22, 2011 by admin

    ASTM International is one of those organizations that have had a huge effect on consumers’ lives, and those consumers may not even be aware of its existence.

    Formerly known as the American Society for Testing and Materials and now called ASTM International, this organization is a globally recognized leader in the development and delivery of international consensus standards. Today over 12,000 ASTM standards are used all over the globe to improve product quality, enhance safety, facilitate market access and trade and build consumer confidence. ASTM has been in operation since 1898 and its members include over 30,000 technical experts from 135 different countries.

    What is an international standard? It is a document that has been developed and established within the consensus principles of the organization and meets the requirements of ASTM procedures and regulations. Full consensus standards are developed with the participation of all parties that have a stake in the standards’ development and/or use. ASTM has no role in requiring compliance or enforcement of their standards, but they may become mandatory when referenced by an external contract, corporation or government.

    Where and how do people use ASTM standards? These standards are used by people, companies, agencies, purchasers and sellers, who incorporate them into contracts; scientists and engineers use them in their laboratories and offices; architects and designers use them in their blueprints; government entities use them as reference material for laws and many others refer to them for guidance on various issues and products.

    ASTM divides their standards into six categories.

    1. The Standard Specification, which defines the requirements to be satisfied by the subject of the standard.

    2. The Standard Test Method, which defines the way a test is performed and the precision of the result. The result of the test may be used to assess compliance with a Standard Specification.

    3. The Standard Practice, which defines a sequence of operations that, unlike a Standard Test Method, does not produce a result.

    4. The Standard Guide, which provides an organized collection of information or series of options that does not recommend a specific course of action.

    5. The Standard Classification, which provides an arrangement or division of materials, products, systems or services into groups based on similar characteristics such as origin, composition, properties and use.

    6. The Terminology Standard, which provides agreed definitions of terms used in other standards.

    IoSafe products such as the Solo and the SoloPRO are tested and proved per the ASTM rating E119, which covers test methods for fire tests of building construction and materials. IoSafe tested these products for heat and flame up to 1550 degrees Fahrenheit and for periods up to 30 minutes. An ASTM rating means that the methods ioSafe used to test their products work and they can prove their conclusions and claims.

    If a company wants to put an ASTM rating on their products, they need to build their tests, products and organization to ASTM standards. ASTM is one of the most commonly used independent rating companies, but it is by no means the only one.

    ETL SEMKO (formerly Edison Testing Laboratory) is a division of Intertek Group plc and they specialize in electrical product safety testing, EMC testing and benchmark performance testing. They have more than 30 offices and laboratories on six continents.

    CE Mark: This rating is a mandatory conformity mark for products placed on the market in the European Economic Area. It is necessary for certain product groups in the European Union and countries where EU products are sold. Seeing the mark on a product means it has been tested and it meets EU safety, health and environmental protection requirements.

    Underwriters Laboratories is an organization established in 1894 and deals chiefly in product safety. They also develop standards and test procedures for materials, components, assemblies, tools and equipment. They also analyze drinking water and clean water samples through their laboratory in South Bend, Indiana. They are recognized by OSHA for safety standards.

    NSF International is a Michigan-based not-for-profit public health and environmental organization that provides standards development and product certification. They were founded in 1944 and they work primarily in public health and safety. They have over 1200 employees in 150 countries and work with the World Health Organization.

    The Canadian Standards Association is a not-for-profit crown corporation founded in 1919 with the stated aim of developing standards for over 57 areas of specialization such as climate change, business management, industrial equipment, construction materials, boilers and pressure vessels and electronic/electrical equipment. Their employees are composed of representatives from government, industry and consumer groups.

    SGS S.A. is an international organization that provides inspection, verification, testing and certification services for traded goods. They are divided into ten divisions: agriculture, automotive, consumer testing services, environmental services, governments and institutions, industrial, life science, minerals, oil/gas/chemicals and system/services certification. They were founded in 1878 and have spread from France to 1250 offices and laboratories across the world.

    Seeing an ASTM rating on a product is like having insider knowledge that it’s well-tested, well-made and can suit your purposes. Researching products for this rating is worth any consumer’s time and energy.


    This post was posted in ioSafe Hard Drives, Standards / Benchmarks and was tagged with standards, testing, benchmark, quality, qc, quality control, astm, UL, ETL, NSF
