TechRepublic: Groups vie for superiority in security standards competition
TechRepublic:
Groups vie for superiority in security standards competition
Oct 8, 2001
Judith N. Mottl
- The National Information Assurance Partnership (NIAP)
The NIAP was created in 1997 to join the efforts of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to meet the security testing, evaluation, and assessment needs of both IT producers and consumers. Its long-term goal is to boost consumer confidence in their information systems and networks. Agencies such as the Federal Aviation Administration are starting to work with NIAP to better define their security requirements, and NIAP is looking for other target communities where the organization can serve as a catalyst to spur security requirements and standardization of rules. - Generally Accepted System Security Principles (GASSP)
The GASSP effort began in mid-1992 in response to a 1990 recommendation from the National Research Council. The effort is sponsored by the International Information Systems Security Certification Consortium ((ISC)2), an international common criteria effort to develop IT product-related information security principles. Its objectives include promoting good practices and providing an authoritative point of reference for IT professionals and a legal reference for the rest of the world for information security principles, practices, and opinions. The GASSP Pervasive Principles have been developed, and work has begun on defining and mapping the GASSP Broad Functional Principles. - The Center for Internet Security
The Center, founded in October 2000, is focused on helping organizations worldwide efficiently manage information-security risk. The group, which is vendor neutral, provides tools to measure, monitor, improve, and compare the security status of Internet-connected appliances and systems. Nearly 200 members help identify the top security threats and participate in creating practical methods to reduce those threats. - British Standard (BS) 7799
This enterprise security policy standard is popular in several European countries. BS 7799 has two main parts: a code of practice for information security management and a specification for information security management systems. It prescribes a specific process to determine what policies should be in place, how to document them, and how to develop those that are not specifically identified in the model. It hasn’t been widely adopted within the U.S. IT community, as the International Organization for Standardization (ISO) community considers it incomplete and too restrictive. The ISO, established in 1947, is a non-government, worldwide federation of national standards bodies from some 140 countries. - Commonly Accepted Security Practices & Recommendations (CASPR)
The CASPR project, launched in August 2001, focuses on distilling expert information through a series of free papers available via the Internet. With the open source movement as a guide, CASPR has nearly 100 certified security professionals involved and is actively recruiting subject matter experts in all areas of information security.
