Understanding Information Security Standards
One of the things we want to do here at HDDFiresafe.com is to help you understand some of the work and regulations that go into the systems you use every day. The products and systems a person uses have all been put through various tests and standards to make sure they perform at the level they advertise. Many of these tests and standards are concerned with safety and product quality. Computer systems, and their security functions most of all, are especially scrutinized. In the modern age, the most important concern is the protection of data, and businesses that manage and hold the personal, financial or health data of their clients are required by law to make sure they are protecting it.
One of the ways they do this is by making sure their computer systems run at a nationally or internationally recognized standard. Being able to display the sticker of approval from one of these organizations is proof that you’re taking care of business, and if you see it at a company you’re doing business with, you should feel more assured of your data’s safety.
Let’s look at a couple of examples of standards that you might use in your business or, as a consumer, be protected by without even knowing it.
ISO 17799/27002: The International Organization for Standardization (ISO) is an acclaimed international body which sets various worldwide proprietary, industrial and commercial standards. Headquartered in Switzerland, it was founded in 1947 and does the bulk of its work through over 2700 technical committees, subcommittees and working groups. They sell their standards across the world, and 162 countries are voluntary members of the organization. ISO standards are so commonplace that they have become part of some products’ designations; many CD images end with the extension “ISO” to indicate that they use the ISO 9660 standard file system.
One of their increasingly important standards is ISO 17799/27002, a widely accepted standard for information security management. It is intended to serve as a single reference point for identifying the range of controls needed in most situations where information systems are used in a commercial or industrial sense by large, medium or small businesses.
If your company purchases 17799/27002, you’ll receive a generic guide on how to implement information security procedures in your business. The standard is very comprehensive. It covers such topics as risk assessment and treatment, security policies, organization of information security, asset management, human, physical and environmental security, media handling, communications and much more. You’ll be able to set up the standard and tailor it to your unique needs. After that, you’ll be able to contact any number of accredited groups to look over your plan and tell you if it meets ISO standards. This standard grew out of the requirements devised for ISO/IEC 27001, and a revised edition should be released in 2012. Here is an in-depth guide that will tell you more about the standard.
ISO/IEC 27001: This standard is a formal set of specifications against which organizations can seek independent certification of their Information Security Management Systems (ISMS). An ISMS is a set of policies concerned with information security or IT-related risks. The main idea behind the standard is that a company should design, implement and maintain a coherent set of policies, systems and processes to manage risks to its information assets. 27001 covers all types of businesses, from mom ‘n’ pop shops to multinational corporations. Its use covers many bases: ensuring compliance with laws and regulations, and identifying and clarifying existing security methods and how they can be improved. 27001 is also used by external and internal auditors to demonstrate an organization’s security policies.
The main goal of the standard is to organize all security efforts under the ISMS; in this sense it is broader than ISO 17799/27002, which provides a detailed plan for security management. 27001 is the standard that lets you shape your other plans. A good bet would be to use both standards together and benefit from the overlap.
It is a very popular standard: over 7300 organizations worldwide have been certified as compliant with ISO/IEC 27001. There are mandatory requirements for 27001 certification, and many accredited agencies you can use to perform the service. Here is an in-depth guide to ISO/IEC 27001; it gives a full account of the standard and how to apply it.
Common Criteria: This system is another approach to data security. The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard for computer security certification. It is a framework with which a computer system user can specify their security functional and assurance needs. With it, a company can make a claim about the security attributes of its products, and an outside testing laboratory can evaluate that claim. The CC provides assurance that the testing was done in a proper and rigorous manner.
The CC grew out of three different standards: ITSEC from Europe, CTCPEC from Canada and TCSEC from the U.S. Department of Defense. What makes it different from the ISO standards is that CC is more commonly applied to products. To evaluate the claim, the CC uses protection profiles, security targets, security functional requirements, security assurance requirements and evaluation assurance levels.
Common Criteria has been used on many products, such as access control devices, biometric systems, smart cards, operating systems and databases. Here is a complete list of products. There has been some criticism that the CC is too costly and that there is too much focus on documentation rather than actual security. CC continues to be updated and is currently at version 3.1. This is the official website of the Common Criteria Project, a good resource if you wish to learn more.
Another measure that you and your company can take to increase data security is to use more secure hard drives. ioSafe’s SoloPRO series of external hard drives are excellent choices because of the rugged protection they offer. The physical and data protection is top-notch. Take the 1 TB SoloPRO eSATA/USB 2.0 Desktop Hard Drive, for example. With its environmental protection systems, it’s prepared for any real-world threat from fire, flood, shock, impact, chemical or air fan failure. The Data Recovery Service is a great safety net for a data management program. It’s a three year plan (upgrades available) in which you have up to $2500 worth of forensic data recovery and advanced replacement in case of an internal error or system crash. It’s a back-up for your back-up plan. The eSATA/USB 2.0 connectivity works with a NAS network and would fill a niche in your data management system.
IoSafe products can provide the physical anchor for your new system of data management. At HDDFiresafe.com, we believe in covering all the bases and ioSafe will help you do that.
These standards and certifications can truly help your business. ISO can help you protect your data, and Common Criteria can help you make better products. Each is an investment of both time and money, but making it will benefit your company in the long run.