The Government Accountability Office this week issued a report on just that notion saying: "Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security. Greater knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets."
Such information though is valuable in that these myriad groups offer guidelines and principles as well as technical security techniques for maintaining the confidentiality, integrity, and availability of information systems and data, the GAO stated.
"When implementing cybersecurity technologies and processes, organizations can avoid making common implementation mistakes by consulting guidance developed by various other organizations. Public and private organizations may decide to voluntarily adopt this guidance to help them manage cyber-based risks," the GAO stated.
Who are some of these key organizations? From the GAO:
• International Organization for Standardization (ISO): a nongovernmental organization that develops and publishes international standards. The standards, among other things, address information security by establishing guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
• International Electrotechnical Commission (IEC): an organization for standardization comprising all national electrotechnical committees. The commission publishes international standards, technical specifications, technical reports, and publicly available specifications and guides. The information security standards address safety, security, and reliability in the design and operations of systems in the power industry, among other things.
• The International Telecommunication Union: a United Nations agency whose mission includes, among other things, developing technical standards and providing technical assistance and capacity building to developing countries. The union has also developed technical standards for security and, more recently, engaged in other cybersecurity activities. For example, the union has established a study group for telecommunications security to focus on developing standards and recommendations associated with network and information security, application security, and identity management. Similarly, the union, through its members' efforts, prepared a report on cybersecurity best practices for countries seeking to organize national cybersecurity efforts.
• The International Society of Automation (ISA): a global and nonprofit organization that develops standards for automation. It has developed a series of standards to address security in industrial automation and control systems.
• The American National Standards Institute (ANSI): a U.S. organization that is responsible for coordinating and promoting voluntary consensus-based standards and information sharing to minimize overlap and duplication of U.S. standards-related efforts. In addition, it is the representative of U.S. interests in international standards-developing organizations.
In an earlier report the GAO identified 19 global organizations "whose international activities significantly influence the security and governance of cyberspace."
The organizations range from information-sharing forums that are non-decision-making gatherings of experts to private organizations to treaty-based, decision-making bodies founded by countries. The groups address a variety of topics from incident response, the development of technical standards, the facilitation of criminal investigations to the creation of international policies related to information technology and critical infrastructure, the GAO stated.
From that GAO report a few key influential groups include:
• Asia-Pacific Economic Cooperation (APEC) is a cooperative economic and trade forum designed to promote economic growth and cooperation among 21 countries from the Asia-Pacific region. APEC's Telecommunication and Information Working Group supports security efforts associated with the information infrastructure of member countries through activities designed to strengthen effective incident response capabilities, develop information security guidelines, combat cybercrime, monitor security implications of emerging technologies, and foster international cybersecurity cooperation.
• Association of Southeast Asian Nations (ASEAN) is an economic and security cooperative comprised of 10 member nations from Southeast Asia. According to the 2009-2015 Roadmap for an ASEAN Community, it looks to combat transnational cybercrime by fostering cooperation among member-nations' law enforcement agencies and promoting the adoption of cybercrime legislation. In addition, the road map calls for activities to develop information infrastructure and expand computer emergency response teams (CERT) and associated drills to all ASEAN partners.
• The Council of Europe is a 47-member organization founded in 1949 to develop common and democratic principles for the protection of individuals. In 2001, the council adopted a Convention on Cybercrime to improve international cooperation in combating actions directed against the confidentiality, integrity, and availability of computer systems, networks, and data. This convention identified agreed-upon cyber-related activities that should be deemed criminal acts in countries' domestic law. The U.S. Senate ratified this convention in August 2006.
• The European Union is an economic and political partnership among 27 European countries. Subcomponents of its executive body - the European Commission - engage in cybersecurity activities designed to improve (1) preparedness and prevention, (2) detection and response, (3) mitigation and recovery, (4) international cooperation, and (5) criteria for European critical infrastructure in the information communication technology sector. The European Commission also formed the European Network and Information Security Agency (ENISA), an independent agency created to enhance the capability of its members to address and respond to network and information security problems. Several independent organizations within Europe develop technical standards. The European Committee for Standardization is to work to remove trade barriers for European industry and provide a platform for the development of European standards and technical specifications. The European Committee for Electrotechnical Standardization is a not-for-profit technical organization that is responsible for preparing voluntary standards for electrical and electronic goods and services in the European market. The European Telecommunications Standards Institute is also a not-for-profit organization that is responsible for producing globally applicable standards for information and communications technologies including those supporting the Internet.
• Forum of Incident Response and Security Teams (FIRST) is an international federation of individual CERTs that work together to share technical and security incident information. It includes over 220 members from 42 countries. The members' incident response teams represent government, law enforcement, academia, the private sector, and other organizations. FIRST has also worked with multiple international standards organizations to develop standards for cybersecurity and incident management and response. In addition, FIRST uses the Common Vulnerability Scoring System as a standard method for rating information technology vulnerabilities, which helps when communicating vulnerabilities and their properties to others.