Standards
Featuring 26 Papers as of December 10, 2020
- Managing ICS Security with IEC 62443 by Jason Dely - December 2, 2020
- Associated Webcasts: Understanding IEC 62443: An Overview of the Standard, Its Deployment and How to Use Fortinet Products for Compliance
- Sponsored By: Fortinet, Inc.
In this follow-up to "Effective ICS Cybersecurity Using the IEC 62443 Standard," this paper examines how to use the Standard to strategically reduce ICS cybersecurity risk.
- Effective ICS Cybersecurity Using the IEC 62443 Standard by Jason Dely - November 17, 2020 (Analyst Paper; requires membership in SANS.org community)
- Associated Webcasts: Understanding IEC 62443: An Overview of the Standard, Its Deployment and How to Use Fortinet Products for Compliance
- Sponsored By: Fortinet, Inc.
IEC 62443 is the global standard for the security of ICS networks, designed to help organizations reduce the risk of failure and exposure of ICS networks to cyberthreats. This paper explores how that standard can provide guidance to enterprises looking to choose and implement technical security capabilities. It also addresses how Fortinet's layered solutions may help asset owners and system integrators reach IEC 62443 compliance.
- Aligning Your Security Program with the NIS Directive by Matt Bromiley - August 16, 2020 (Analyst Paper; requires membership in SANS.org community)
- Sponsored By: Fortinet, Inc.
The NIS Directive, adopted by the European Parliament in 2016, addresses the security of network and information systems within the EU. It also sets forth best practices to encourage better cyberrisk mitigation and incident identification and notification. This whitepaper explores various measures of the NIS Directive and how to align your organization’s security posture with those measures.
- Securing the Supply Chain - A Hybrid Approach to Effective SCRM Policies and Procedures by Daniel Carbonaro - November 7, 2019 (SANS.edu Graduate Student Research)
Organizations' supply chains are growing increasingly interdependent and complex, the result of which is an ever-increasing attack surface that must be defended. Current supply chain security frameworks offer effective guidance to help organizations protect their supply chains from attack. However, they are limited in their scope and impact and can be extremely complex for organizations to adopt effectively. To further complicate matters, identifying the full scope of an organization's supply chain can itself be a complicated endeavor. This paper seeks to give context not only to the challenges facing security within the ICT supply chain, but also to offer a hybrid framework that any business, regardless of size or function, can follow when attempting to mitigate threats both to and from within its supply chain.
- Filling the Gaps by Robert Smith - August 18, 2016
There should be an emphasis on the importance of regular internal and external auditing, focusing on the business mentality of "It can't happen to me" and mitigating the risk of complacency. The key areas covered are cementing assessments and audits as a benefit rather than a reactive or troublesome activity, and the cost savings of regular auditing compared with the alternatives, such as breaches and poor publicity. The world is full of technical and administrative compliance requirements; understanding where gaps are present is not something to be afraid of, but something to readily embrace, acting upon those deficiencies. Thinking that you are compliant and knowing you are compliant can make a large difference in business longevity and profitability.
- Critical Security Controls: Software Designed Inventory, Configuration, and Governance by Lenny Rollison - May 24, 2016 (SANS.edu Graduate Student Research)
The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).
- eAUDIT: Designing a generic tool to review entitlements by Francois Begin - June 22, 2015 (SANS.edu Graduate Student Research)
In a perfect world, identity and access management would be handled in a fully automated way.
- Critical Security Controls: From Adoption to Implementation by James Tarala - September 18, 2014 (Analyst Paper; requires membership in SANS.org community)
- Associated Webcasts: The Critical Security Controls: From Adoption to Implementation: A SANS Survey
- Sponsored By: Qualys, Tripwire, Inc., McAfee LLC, EiQnetworks
This SANS survey report explores how widely the CSCs are being adopted, as well as what challenges adopters are facing in terms of implementation of the controls and what they are looking for to improve their implementation practices.
- Systems Engineering: Required for Cost-Effective Development of Secure Products by Dan Lyon - October 8, 2012
Security of data and systems is critical to consider during development of a complex system, and by taking a systems approach, secure design can be achieved in a cost-effective manner.
- Security for Critical Infrastructure SCADA Systems by Andrew Hildick-Smith - August 24, 2005
Supervisory Control and Data Acquisition (SCADA) systems and other similar control systems are widely used by utilities and industries that are considered critical to the functioning of countries around the world.
- Information Security Gets a Seat at the Table by Kent Nabors - April 8, 2004
A company is a statement of faith between suppliers, employees, investors and customers. If any one or more of those groups decides they don't want to play any more, then the game is over. If a bank loses critical customer information because of a security failure, a financial risk arbitrage maneuver won't help.
- The HIPAA Final Security Standards and ISO/IEC 17799 by Sheldon Borkin - September 4, 2003
This paper provides a detailed analysis comparing HIPAA Final Security Standards and ISO/IEC 17799, along with an approach to compliance with both standards.
- The Trusted PC: Current Status of Trusted Computing by Christopher Hageman - August 8, 2003
This paper, focusing on the Trusted Computing Group's standards, will provide an overview of trusted computing as it stands today: its methods, applications, possible pitfalls and current implementations.
- TEACH, the DMCA and Distance Education by Katie Flowers - June 3, 2003
By reviewing the technological requirements of TEACH, the titles of the DMCA and the history of both acts, this paper will show that, while TEACH has to date not been publicly recognized as an amendment to the DMCA, it can truly be viewed as such in the United States with regard to the issue of distance education.
- Common Criteria and Protection Profiles: How to Evaluate Information by Kathryn Wallace - June 3, 2003
The purpose of this paper is to discuss the standards of Common Criteria and the security framework provided by the Common Criteria.
- A Survey Of Trusted Computing Specifications And Related Technologies by Ricard Kelly - June 2, 2003
This paper seeks to survey the key points of these technologies and provide a framework for suggesting whether a TCPA/TCG or NGSCB architecture will improve security in an environment and where it may reduce security.
- Protection Profile, A Key Concept in The Common Criteria by Nor Ramli - May 8, 2003
This paper gives a description of the roadmap to the Common Criteria (CC), explaining its distinct but related parts and how the three key CC user groups, namely consumers, developers and evaluators, use them.
- Securing Sensitive Data: Understanding Federal Information Processing Standards (FIPS) by Thomas Kenworthy - July 30, 2002
This paper will define FIPS (Federal Information Processing Standards), identify FIPS approved encryption algorithms, and examine some different vendor solutions and their use of these approved algorithms.
- Internal SLA (Service Level Agreements) for Information Security by Eric Hansen - December 6, 2001
The purpose of this paper is to advocate for the establishment of internal SLAs between the Information Technology team and the Information Security team.
- Collaborative Security Strategies in an Outsourced, Cross-Agency Web System by Roopangi Kadakia - October 15, 2001
This analysis looks at Certification and Accreditation models, risk assessment frameworks, and risk management strategies that can be used to combat new challenges in existing processes and standards.
- Multilevel Security Networks: An Explanation of the Problem by Gary McKerrow - October 2, 2001
This paper addresses the current efforts within the Department of Defense (DoD) to develop a Multi-Level Security (MLS) system, although the same methodology and practice can be applied to other networks with similar requirements.
- The NSA: A Brief Examination of the "No Such Agency" by Steven Bennett - October 1, 2001
This paper introduces the National Security Agency (NSA) to the reader and discusses some of the key technologies, methods, and issues that relate to its mission.
- The Common Criteria ISO/IEC 15408 - The Insight, Some Thoughts, Questions and Issues by Ariffuddin Aizuddin - October 1, 2001
This paper provides an overview of an international effort called Common Criteria (CC), an IT Security evaluation methodology, developed to define and facilitate consistent evaluations of security products and systems, fostering international recognition and trust in the quality of security products and systems throughout the global economy.
- The OSI Model: An Overview by Rachelle Miller - September 13, 2001
This paper provides an overview of the Open Systems Interconnection (OSI) reference model, which defines a hierarchical architecture that logically partitions the functions required to support system-to-system communication.
- HIPAA Security Standards v1.2d by Daniel Fagin - August 10, 2001
The focus of this paper is the creation of certain baseline information security standards to protect electronic medical records.
- Organizational Information Security from Scratch - A Guarantee for Doing It Right by Patrick Jones - July 18, 2001
The purpose of this document is to provide an overview of an information security infrastructure and a strategy for implementing it.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.