We have already published two articles about security standards in the UK and the US. This article covers international standards that are adopted worldwide.
See also: UK Security Standards
PCI DSS
What is it?
PCI DSS is a proprietary information security standard for organizations that process payment cards issued by the major payment card brands.
Who has to comply
Any organization that stores, processes or transmits cardholder data.
Who confirms compliance
There are two ways to validate compliance, depending on the annual volume of transactions:
- an on-site audit performed by a certified Qualified Security Assessor (QSA)
- completing the Self-Assessment Questionnaire (SAQ) issued to the organization
Consequences of non-compliance
- Larger insurance deposit
- Fines from $25k to $200k
- Material liability for associated merchants and service providers
- Termination or non-conclusion of a service providing agreement
How often to confirm compliance
PCI DSS compliance must be confirmed annually. Compliance must also be re-confirmed when an organization makes significant changes to its IT infrastructure. In some cases, an organization must perform vulnerability scanning of its infrastructure on a quarterly basis.
Useful links
ISO 27001
What is it?
ISO 27001 is an Information Security Management System (ISMS) standard. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. It is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
Who has to comply
Certification is not mandatory. Nevertheless, any organization may undergo a certification audit to demonstrate its ability to protect its infrastructure.
Who confirms compliance
An ISMS can be certified compliant with ISO/IEC 27001 by a number of accredited registrars worldwide.
How often to confirm compliance
The standard requires reviewing the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing areas for improvement and the need for changes to the ISMS, including its information security policy and objectives. The results of the review should be documented.
Useful links
Common Criteria
What is it?
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. Common Criteria is a framework in which stakeholders in a computer system can specify their functional and security assurance requirements through Protection Profiles. Vendors can then implement the specified requirements and make claims about the security attributes of their products. In other words, Common Criteria provides assurance that the specification, implementation and evaluation of a computer security product have been conducted in a rigorous, standard and repeatable manner.
Who confirms compliance
Evaluation is performed by testing laboratories, which must comply with ISO/IEC 17025; the certification bodies that issue certificates are normally approved against either ISO/IEC Guide 65 or BS EN 45011.
Useful links