2. Security Technologies
[Figure: physical security measures alongside their network security technologies]
Physical security measures: card readers; security room CCTV; secured doors and vaults; surveillance and alarms; patrolling security guard
Network security technologies: firewalls and router ACLs; network- and host-based intrusion detection; scanner; centralized security and policy management; identity, AAA, access control servers and certificate authorities; encryption and virtual private networks (VPNs)
Technology categories: secure transport; extended perimeter security; intrusion protection; security management and policy; secure connectivity; identity services
Slide 5
3. Layered Security
• Firewall
• Network IPS
• ADC
• WAF
• DDoS Mitigation
• Network DLP
• Web & Mail GW
• SIEM
• VM
• NBA
• ITGRC
• FIM
• Pen Testing
• Vulnerability Assessment
• Security Awareness
• Security Compliance
• Forensic Analysis
• Secure Software
• Host Protection
• Host DLP
• White Listing
• DB Protection
• Virtualization Protection
• Data Encryption
• Access Control
• Video Surveillance
• Video Analytics
• Motion Detection
• Fire Alarm
• AAA
• IAM
• 2FA
• Adaptive Authentication
• NAC
• SSL VPN
Slide 6
4. Standards and Regulations
#  | Code               | Standard name                                          | Organization name
1  | PCI-DSS            | Payment Card Industry Data Security Standard           | Payment Card Industry Security Standards Council (PCI SSC)
2  | PA-DSS             | Payment Application Data Security Standard             | Payment Card Industry Security Standards Council (PCI SSC)
3  | ISO/IEC 27001:2005 | Information Security Management Standard               | International Organization for Standardization (ISO)
4  | HIPAA/HITECH       | The Health Insurance Portability and Availability Act  | United States Congress
5  | SAS 70             | Statement of Acceptance Standard                       | American Institute of Certified Public Accountants (AICPA)
6  | SOX 404            | Sarbanes-Oxley Act                                     | United States Congress (United States federal law)
7  | GLBA               | Gramm-Leach-Bliley Act                                 | United States Congress (United States federal law)
8  | FISMA              | Federal Information Security Management Act            | United States Congress (United States federal law)
9  | SSAE 16            | Statement on Standards for Attestation Engagements     | American Institute of Certified Public Accountants (AICPA)
10 | OSSTMM             | Open-Source Security Testing Methodology Manual        | The Institute for Security and Open Methodologies (ISECOM)
11 | OWASP              | Open Web Application Security Project                  | OWASP Foundation
12 | GIAC               | Global Information Assurance Certification             | GIAC company
Slide 7
5. Standards and Regulations
Body    | Standard                     | Description                                                                                                                          | Organization name
ITU-T   | E.408                        | Provides an overview of security requirements, threat identification frameworks and guidelines for risk mitigation                    | International Telecommunication Union (ITU Telecommunication Standardization Sector)
ITU-T   | E.409                        | Incident organization and security incident handling                                                                                 | International Telecommunication Union
ITU-T   | X.805                        | Security architecture for systems providing end-to-end communications                                                                | International Telecommunication Union
ITU-T   | X.1051                       | ISMS guidelines for telecommunications, also referred to as ISO 27011:2008                                                           | International Telecommunication Union
3GPP    | 33-series                    | Provides specifications for security standards for GSM (including GPRS and EDGE), WCDMA and LTE (including LTE-Advanced) mobile systems | Groups of telecommunications associations (the Organizational Partners) (3rd Generation Partnership Project)
3GPP2   | S.S0086 and others           |                                                                                                                                      |
ISO/IEC | 27001:2005                   | Specifies requirements for an information security management system                                                                 | International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
ISO/IEC | 27001:2005                   | Specifies a code of practice for information security management based on ISO 27001                                                  | International Organization for Standardization (ISO)
ISO/IEC | 27011:2008                   | ISO 27002 tailored specifically for telecommunications organizations, developed as a joint effort with ITU-T                          | International Organization for Standardization (ISO)
ISO/IEC | 15408 (the Common Criteria)  | A common set of security requirements for the evaluation of computer security products and systems, including telecommunication network components | International Organization for Standardization (ISO)
Slide 8
6. ICS/SCADA Security Standards
#  | Code                         | Standard name                                                                                                   | Organization name
1  | FIPS 140-2                   | Federal Information Processing Standards                                                                        | National Institute of Standards and Technology
2  | API 1164                     | American Petroleum Institute pipeline SCADA security                                                            | American Petroleum Institute
3  | API security guidelines      | Guidelines for the petroleum industry                                                                           | American Petroleum Institute
4  | CAG                          | Consensus Audit Guidelines                                                                                      | American internet security training company
5  | ChemITC                      | Guidance for cyber security in chemistry                                                                        | American Chemistry Council
7  | ISO 27001                    | Information security: security techniques, information security management systems, requirements               | International Organization for Standardization
8  | IEC 62351                    | Data and communication security                                                                                 | International Electrotechnical Commission
9  | IEEE 1402                    | IEEE guide for electric power substation physical and electronic security                                       | Institute of Electrical and Electronic Engineering
10 | ISA99-2 / IEC 624435-2-1     | Manufacturing and control system security: establishing a manufacturing and control system security program     | International Society for Automation (ISA)
11 | NERC CIP (CIP)               | Critical Infrastructure Protection cyber security                                                               | North American Electric Reliability Committee
12 | NIST SP 800-53R3             | Recommended security controls for federal information systems and organizations                                 | National Institute of Standards and Technology
13 | RG 5.71                      | Regulatory Guide 5.71 "Cyber security programs for nuclear facilities"                                          | U.S. Regulatory
14 | CFATS                        | Chemical Facility Anti-Terrorism Standards                                                                      |
Slide 9