Security Standards for E-Government

1. ISO/IEC 27001

ISO/IEC 27001 is an internationally recognized standard for Information Security Management
Systems (ISMS). It is part of the ISO/IEC 27000 family of standards and provides a framework for
managing and protecting sensitive information systematically.

• Purpose: To establish, implement, maintain, and continually improve an organization's
information security management system.
• Key Components:
o Risk Assessment: Identifying risks to information assets, evaluating them, and selecting
and applying risk treatments.
o Controls: Implementation of the security controls listed in Annex A. In the 2022 edition,
Annex A contains 93 controls grouped into 4 themes (organizational, people, physical, and
technological), covering topics such as access control, cryptography, and incident
management. (The earlier 2013 edition listed 114 controls in 14 domains.)
o Compliance: Internal audits and periodic certification audits by an accredited body
verify that the ISMS conforms to the standard.
• Benefits:
o Improves security posture.
o Reduces the risk of data breaches.
o Enhances trust with clients and stakeholders.

2. NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) was developed by the U.S. National Institute of
Standards and Technology (NIST). It was originally aimed at critical infrastructure operators,
but it is voluntary and applicable to organizations of all sizes and sectors.

• Purpose: Provides a set of guidelines and best practices to manage and reduce
cybersecurity risk, using a common vocabulary that maps to other standards such as
ISO/IEC 27001.
• Core Functions (CSF version 1.1):
o Identify: Understand the organization's assets, risks, and business context.
o Protect: Safeguard systems and data with appropriate controls.
o Detect: Continuously monitor for cybersecurity events.
o Respond: Develop and exercise plans to contain and mitigate incidents.
o Recover: Restore systems and services to normal operation after an incident.
Note: CSF version 2.0, released in February 2024, adds a sixth function, Govern, covering
strategy, roles, policy, and oversight of cybersecurity risk.
• Key Components:
o Framework Core: The functions, categories, and subcategories of security outcomes.
o Implementation Tiers: Describe how rigorously cybersecurity risk management is
practised and integrated (Partial, Risk Informed, Repeatable, Adaptive). NIST states that
the tiers are not maturity levels.
o Profiles: Describe the organization's current and target outcomes, tailoring the
framework to its business needs and risk tolerance.

3. GDPR (General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a European Union regulation that protects
the privacy and personal data of individuals within the EU and the European Economic Area
(EEA).

• Purpose: To give individuals control over their personal data and enforce strict rules on
organizations handling such data.
• Key Principles:
o Lawfulness, Fairness, and Transparency: Data processing must be transparent
and legal.
o Purpose Limitation: Collect data for specific, legitimate purposes.
o Data Minimization: Only collect necessary data.
o Accuracy: Keep data accurate and up-to-date.
o Storage Limitation: Retain personal data no longer than necessary for its purpose.
o Integrity and Confidentiality: Secure data from unauthorized access.
• Rights of Individuals:
o Right to Access, Rectification, Erasure (Right to be Forgotten), Restriction of
Processing, Data Portability, and Objection.
• Penalties: Non-compliance can lead to administrative fines of up to €20 million or 4% of
annual worldwide turnover, whichever is higher.

4. OWASP Standards

OWASP (originally the Open Web Application Security Project, renamed the Open Worldwide
Application Security Project in 2023) is a non-profit foundation that publishes free standards
and guidelines for identifying and mitigating application security vulnerabilities.

• Purpose: Help developers and organizations improve web application security.
• Key Resources:
o OWASP Top 10: An awareness document listing the most critical web application security
risks. The 2017 edition lists:
1. Injection (e.g., SQL injection).
2. Broken Authentication.
3. Sensitive Data Exposure.
4. XML External Entities (XXE).
5. Broken Access Control.
6. Security Misconfiguration.
7. Cross-Site Scripting (XSS).
8. Insecure Deserialization.
9. Using Components with Known Vulnerabilities.
10. Insufficient Logging & Monitoring.
The 2021 edition reorders and regroups these (for example, Broken Access Control moves to
first place and XSS is folded into Injection) and adds categories such as Insecure Design and
Server-Side Request Forgery.
o OWASP ASVS (Application Security Verification Standard): A checklist of verifiable
security requirements that can be used as a procurement or testing baseline.
• Benefits: Improves security awareness and provides actionable steps to address
vulnerabilities.
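The first item in the list above, injection, is the one that most directly maps to a concrete coding fault. The following added example (not part of the original notes or of any OWASP material) shows a login query built by string formatting beside the parameterised form that closes the hole. The SQLite database, the `users` table, the sample rows and the plaintext passwords are all constructed for illustration; a real system would store password hashes, which is the point of item 3 (Sensitive Data Exposure) on the same list.

```python
"""Added example: OWASP Top 10 (2017) item 1, Injection.

A vulnerable login function that splices user input into SQL text, beside a
safe version that uses query parameters.  Everything here (the in-memory
database, the users table and its rows) is constructed sample data.
"""
import sqlite3


def make_db():
    """Create an in-memory SQLite database seeded with constructed test users.

    Passwords are stored in plaintext ONLY to keep the injection demo short;
    real systems store a salted hash (see 'Sensitive Data Exposure' above).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse", "citizen"),
            ("admin", "s3cret", "administrator"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """BAD: user-controlled strings become part of the SQL statement itself.

    Returns the role on success, or None when no row matches.
    """
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """GOOD: '?' placeholders; the driver sends the values separately from the
    SQL text, so a quote or comment marker in the input is just data.

    Returns the role on success, or None when no row matches.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the same attacker input through both functions.

    The payload "admin' --" closes the username literal and comments out the
    rest of the statement, so the password check disappears in the vulnerable
    version.  The safe version treats the whole string as a (non-existent)
    username and denies access.  A legitimate login still works.
    """
    conn = make_db()
    payload = "admin' --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # "administrator"
        "safe": login_safe(conn, payload, "wrong"),               # None
        "legit": login_safe(conn, "alice", "correct horse"),      # "citizen"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The vulnerable function is exactly the pattern the ASVS and the Top 10 tell reviewers to look for: SQL text assembled with `%`, `+` or f-strings from request data. The fix is not input filtering but keeping data and code separate, which is what the placeholder API does; the same rule applies to ORM raw-query escape hatches and to other interpreters (LDAP, OS commands) covered by the injection category.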

5. Local Standards

Local standards refer to national, regional, or sector-specific cybersecurity laws and
frameworks that organizations must comply with based on their geographical location or
industry. For an e-government programme these usually take precedence over the voluntary
international frameworks above, which are then used to implement them.
• Examples:
o HIPAA (Health Insurance Portability and Accountability Act) in the U.S. for protected
health information.
o PCI DSS (Payment Card Industry Data Security Standard): an industry standard, applied
worldwide, for any system that stores, processes, or transmits payment card data (for
example, an online fee-payment portal).
o India's Information Technology Act, 2000 (amended 2008): the legal framework for
electronic records, digital signatures, and cybercrime in India.
o China's Cybersecurity Law (in force since 2017): regulates network security, data
localisation, and critical information infrastructure within China.
• Importance:
o Ensures local legal compliance.
o Aligns with cultural and operational needs of the region.
o Protects data sovereignty and promotes trust in the region.
