
IT security standards are guidelines and specifications for various practices within the IT security industry, arrived at through a process culminating in consensus. The use of IT security standards has arisen in response to how reliant the modern world has become on digital information, making it crucial to properly safeguard that information. Additionally, privacy and security concerns necessitate effective security measures. IT security standards accomplish this duty by, for example, promoting widely and thoroughly tested methods for encryption and key management or by setting out basic requirements for new entity authentication systems. IT security standards are also vital for interoperability.
IT security, at its core, is concerned with balancing the necessary tasks of keeping information secure, reliable, and accessible. To illustrate this, take the extreme and diametrically opposed examples of two security systems, one set to irreversibly destroy its data at the first sign of any attempts at unauthorized access and the other left totally accessible to any anonymous user. While both have their niche, neither of the two is widely applicable, with most situations requiring more balanced implementations.
These core requirements of security, reliability, and accessibility expand and interact with each other, meeting at a different optimal balance for every distinct industry and application. Some of the more frequent and well-studied roles of IT security are to:
- Identify authorized users and verify their identity;
- Restrict access to only those authorized users;
- Track authorized changes;
- Prevent unauthorized changes, and identify them if they do occur;
- Avoid unnecessarily burdening authorized users; and
- Maximize system uptime.
To achieve this, the IT security industry employs a number of different techniques, ranging from broadly applied digital cryptography to physical biometrics. Since poorly implemented security measures are potentially dangerous and the nature of information technology puts a premium on interoperability, various voluntary consensus standards have emerged in the IT security industry, some trickling down from mandatory IT security standards utilized by the military and various government agencies while others embrace massive volunteer efforts.
Within the scope of IT security, two industries, health care and financial services, distinguish themselves by how sensitive the information they need in order to function is, which has prompted the formation of industry-specific IT security standards. In the medical field, health care providers need information about their patients that in any other situation would be an invasion of the patient’s privacy. For the financial services industry, the ever-present threat of identity theft adequately encapsulates how sensitive the industry’s information is. While it is clear that medical and financial information must be kept secure, that same information is also legitimately used in many different places, so ease of access has to be carefully balanced against properly restricting access. With that said, progress made in IT security standards for specific industries is frequently applicable in other fields.
IT security standards are in large part responsible for the ongoing stability of our modern world, doing their part to keep our information safe and our privacy secured.
Some packages of IT Security Standards, as well as individual and industry specific ones:
- ISO/IEC 27001 AND 27002 IT SECURITY TECHNIQUES PACKAGE
- ISO/IEC 27000 INFORMATION TECHNOLOGY SECURITY TECHNIQUES COLLECTION
- ISO 9564 – BANKING PERSONAL IDENTIFICATION NUMBER PACKAGE
- ISO 11568 – BANKING KEY MANAGEMENT PACKAGE
- X9 ENCRYPTION COLLECTION
- X9 CRYPTOGRAPHIC MESSAGE COLLECTION
- Information Security Management Systems (ISMS)
- Financial Services Industry
- Security Framework
- Public key cryptography using irreversible algorithms
  - Part 1: The digital signature algorithm
  - Part 2: The secure hash algorithm
- Public key cryptography for the Financial Services industry
- Agreement of symmetric keys using discrete logarithm cryptography
- The Elliptic Curve Digital Signature Algorithm (ECDSA)
- Digital algorithms giving partial message recovery
- Wrapping of keys and associated data (symmetric key cryptography)
- Financial transaction cards
- Personal Identification Number (PIN) management and security
- Health Informatics
- Security requirements for archiving of electronic health records
- Information security management in health using ISO/IEC 27002
- Public key infrastructure
- Electronic health record communications
  - Part 1: Reference model
  - Part 2: Archetype interchange specifications
  - Part 3: Reference archetypes and term lists
  - Part 4: Security
  - Part 5: Interface specification