Standards and Frameworks on Management and Controls for Security, Privacy and Risk

NIST Frameworks on Security

CIS Frameworks on Security

CIS - Center for Internet Security.
  • CIS Controls
    Conjunto de ações (controles) priorizadas para proteger organizações e dados contra vetores conhecidos de ciberataques.
    Inicialmente publicado pelo SANS Institute ("SANS 20"), a publicação foi transferida em 2015 para o CIS.
    Até a versão 7, eram 20 controles, que os tornavam conhecidos como "CIS 20". Na versão 8, lançada em maio de 2021, foram reestruturados em 18 controles, distribuídos em 3 Grupos de Implementação (IG), contemplando focos atuais como nuvem, mobile e trabalho remoto. As salvaguardas de cada controle são mapeadas em uma das 5 funções de segurança: Identify, Protect, Detect, Respond e Recover.
    1. CIS Control 1: Inventory and Control of Enterprise Assets
    2. CIS Control 2: Inventory and Control of Software Assets
    3. CIS Control 3: Data Protection
    4. CIS Control 4: Secure Configuration of Enterprise Assets and Software
    5. CIS Control 5: Account Management
    6. CIS Control 6: Access Control Management
    7. CIS Control 7: Continuous Vulnerability Management
    8. CIS Control 8: Audit Log Management
    9. CIS Control 9: Email Web Browser and Protections
    10. CIS Control 10: Malware Defenses
    11. CIS Control 11: Data Recovery
    12. CIS Control 12: Network Infrastructure Management
    13. CIS Control 13: Network Monitoring and Defense
    14. CIS Control 14: Security Awareness and Skills Training
    15. CIS Control 15: Service Provider Management
    16. CIS Control 16: Application Software Security
    17. CIS Control 17: Incident Response Management
    18. CIS Control 18: Penetration Testing
    Há mapeamentos do CIS Controls v8 com outros frameworks de segurança: NIST Cybersecurity Framework (CSF), NST SP 800-53 Rev.5, NIST SP 800-171 Rev.2, Cybersecurity Maturity Model Certification (CMMC), CSA Cloud Controls Matrix v4, MITRE Enterprise ATT&CK v8.2.
  • CIS Benchmarks
    Mais de 100 guias de configuração para famílias de produtos de mais de 25 fabricantes, para proteger sistemas contra as ameaças cibernéticas atuais em evolução. Cobre sistemas operacionais, software servidor, provedores de nuvem, dispositivos de rede, software desktop, impressoras multifuncionais, dispositivos móveis etc.

ISO Standards on Security

ISO/IEC 27000 series (formerly 17799, BS 7799) - Information Security Management

The British Standard 7799 (BS7799) was originally a code of practice issued by the UK Government (Department of Trade and Industry - DTI) in 1993, then published as standard in 1995 by the British Standards Institution (BSi) and revised in 1999. When initially published as an ISO international standard in December 2000, BS7799 part 1 (BS7799-1) became ISO 17799, because a standard called ISO 7799 already existed.

In October 2005, British Standard BS 7799 part 2 (BS7799-2) was adopted by ISO, re-badged beggining the new 27000 international information security standard series, released as ISO/IEC 27001:2005 standard.

From 2001 to 2004, the ISO 17799 (BS7799-1) international standard went throught a major revision, culminating in the new version ISO/IEC 17799:2005 published in June 2005. In July 2007, the 17799:2005 standard was renumbered to 27002:2005 (by ISO/IEC 17799:2005/Cor.1:2007), integrating the new 27000 series.

ISO 27001 [BS7799-2]: information security management systems (ISMS) requirements. ISO/IEC 27001:2005 = BS 7799-2:2005. Requirements (shall) to implement an information security management system.
ISO 27002 [BS7799-1]: code of practice for information security management. ISO/IEC 27002:2005 = ISO 17799:2005 = BS7799-1:2005. Recommendations (should) of information security controls.

Security Standards for Applications and IT

ISO/IEC 15408 - Common Criteria (CC)

Common Criteria Evaluation and Validation Scheme (CCEVS) & Rainbow Series

  • The Common Criteria Evaluation and Validation Scheme (CCEVS)
    By National Information Assurance Partnership (NIAP), a U.S. Government initiative.
  • Rainbow Series
    From Wikipedia, the free encyclopedia.
  • Rainbow Series Library
    The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense (DoD) Computer Security Center, and then by the National Computer Security Center.
    The Rainbow Series is six-foot tall stack of books on evaluating "Trusted Computer Systems" according to the National Security Agency (NSA). The term "Rainbow Series" comes from the fact that each book is a different color. The main book, upon which all other expound, was the Orange Book.
    Note (2003): Portions of the Rainbow Series (e.g. the Orange book and the Red Book) have been superseded by the Common Criteria Evaluation and Validation Scheme (CCEVS).
    Format: ASCII Text. Available at Federation of American Scientists (FAS), Intelligence Resource Program. Alternative:
  • The Orange Book Site -
    First published in 1983, the US Department of Defense Trusted Computer System Evaluation Criteria, (DOD-5200.28-STD) known as the Orange Book was a de facto standard for computer security, now superseded by the Common Criteria Evaluation and Validation Scheme (CCEVS). Orange Book was part of NSA/DoD Rainbow Series.
    Orange Book Summary.
    USA Department of Defense Standard: Trusted Computer System Evaluation Criteria (DoD 5200.28-STD).

Open Web Application Security Standards

Public-Key Cryptography and Digital Signature Standards

Public-Key Cryptography Standards (PKCS)

The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, SET, S/MIME, and SSL.

Cryptographic Message Syntax (CMS) & PKCS #7

Cryptographic Tokens and Smart Cards - PKCS #11 and #15

  • PKCS #11: Cryptographic Token Interface Standard
    RSA Laboratories Public-Key Cryptography Standards (PKCS).
    This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced crypto-key and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.
  • PKCS #15: Cryptographic Token Information Format Standard
    RSA Laboratories Public-Key Cryptography Standards (PKCS).
    PKCS #15 establishes a standard that enables users in to use cryptographic tokens to identify themselves to multiple, standards-aware applications, regardless of the application's cryptoki (or other token interface) provider.
  • ISO/IEC 7816-15:2016
    Identification cards -- Integrated circuit cards -- Part 15: Cryptographic information application.
  • Wikipedia: PKCS #11
    From Wikipedia, the free encyclopedia.
  • PKCS#11 Explorer
    PKCS#11 Explorer is a tool for examining the contents of PKCS#11 tokens (e.g. USB tokens and smartcards), and for carrying out various operations on them, including: show all objects stored and all mechanisms supported and their properties; monitor token insert/removal; initialize tokens; set and change PINs; create test keys; seed and generate random data. Free download, including executable and full Delphi source code.
  • FreeOTFE Explorer - Appendix E: PKCS#11 Driver Libraries (PDF)
    FreeOTFE Explorer manual, p 145-150. Not exhaustive list of token manufacturers, devices and their PKCS#11 driver libraries.
    FreeOTFE at Sourceforge.
  • PKCS#11 Task Force - Found Drivers
  • Wikipedia: Smart card
    From Wikipedia, the free encyclopedia.
    A smart card, chip card, or integrated circuit card (ICC) is any pocket-sized card with embedded integrated circuits. Smart cards can provide strong security identification, authentication, data storage (including digital certificates) and application processing.
  • Secure Technology Alliance
    Antes Smart Card Alliance. Smart Card Alliance mission is to accelerate the widespread adoption, usage, and application of smart card technology in North America by bringing together users and technology providers in an open forum to address opportunities and challenges for our industry.
  • OpenSC - tools and libraries for smart cards
    OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS#11 API so applications supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On the card OpenSC implements the PKCS#15 standard and aims to be compatible with every software/card that does so, too.
  • M.U.S.C.L.E. - Movement for the Use of Smart Cards in a Linux Environment
    MUSCLE is a project to coordinate the development of smart cards and applications under Linux. The purpose is to develop a set of compliant drivers, API's, and a resource manager for various smart cards and readers for the GNU environment. Source code is now distributed by this site that supports the Schlumbeger Reflex 60 line of reader and all ISO-7816-4 compliant smart cards. I would like to see a Linux resource manager for smart cards and other cryptographic tokens such as Ibuttons or SecureId. A good standpoint for this is the PC/SC specifications written for Microsoft OS.
  • PCSC-Lite project
    PC/SC-Lite: Middleware to access a smart card using SCard API (PC/SC). CCID driver: This package provides the source code for a generic USB CCID (Chip/Smart Card Interface Devices) driver and ICCD (Integrated Circuit(s) Card Devices).

Advanced Electronic Signatures (AdES) Standards: CAdES, XAdES, PAdES

XML Signature (XMLDSig)