Standards, accreditations, institutions and campaigns

American Society for Industrial Security (ASIS)
Applied Computer Security Associates (ACSE)
BIS (Department for Business, Innovation and Skills) – The Ten Steps to Cyber Security is a BIS publication which aims to help businesses prevent or deter most cyber-attacks. The Executive Companion offers guidance for business on how to make the UK’s networks more resilient and protect key information assets against cyber threats. It covers risk management and corporate governance and includes case studies based on real events. The advice sheets provide detailed cyber security information and advice in 10 important technical and process/cultural areas.

BCS (British Computer Society)

CERT-UK – is the UK National Computer Emergency Response Team, formed in March 2014 in response to the National Cyber Security Strategy. The National Cyber Security Strategy, published in 2011, sets out the importance of strengthening the UK’s response to cyber incidents. CERT-UK has four main responsibilities that flow from the UK’s Cyber Security Strategy:

  1. National cyber-security incident management
  2. Support to critical national infrastructure companies to handle cyber security incidents
  3. Promoting cyber-security situational awareness across industry, academia, and the public sector
  4. Providing the single international point of contact for co-ordination and collaboration between national CERTs

Center for Secure Information Systems (CSIS)
Computer Security Institute
CESG IT Health Check Scheme (CHECK) – was instigated to ensure that sensitive UK government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. A CHECK team is composed of at least one CHECK Team Leader and a number of CHECK Team Members who have passed either the CESG accredited CREST, Cyber or Tiger Scheme examination. Only CESG may confer CHECK Team Leader/Member status.

Center for Internet Security

ClubCISO – is a private members’ forum for senior leadership in the UK and Europe. This forum is designed to facilitate informal discussions, independent of vendors, on information security and cyber resilience in the organization. Through regular debate, networking and anonymous surveys, ClubCISO members can benchmark their security investments and implementations against their peers, grow their networks and improve buy-in at board level.

CBEST Vulnerability Testing Framework – Following their meeting in June 2013, the FPC issued a recommendation requesting that HMT and the regulators work with the core of the UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack. The committee also noted it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to those attacks.

To assist the boards of financial firms and infrastructure providers, and regulators, in improving their understanding of the types of cyber-attack that could undermine financial stability in the UK, and the extent to which the UK financial sector is vulnerable to those attacks, a new, intelligence-led testing framework has been devised by the UK Financial Authorities in conjunction with CREST (the Council for Registered Ethical Security Testers) and Digital Shadows.

CompTIA – The Computing Technology Industry Association (CompTIA) is a non-profit trade association serving as the voice of the information technology industry. With approximately 2,000 member companies, 3,000 academic and training partners, 75,000 registered users and more than two million IT certifications issued, CompTIA is dedicated to advancing industry growth through educational programs, market research, networking events, professional certifications and public policy advocacy.

CREST – is a not-for-profit accreditation body that represents the technical information security industry. As part of this, CREST provides internationally recognised certifications for organizations and individuals providing penetration testing, cyber incident response and security architecture services.

Member companies undergo a rigorous assessment and certification process that looks at methodologies, legal and regulatory standards, staff vetting and data handling. CREST qualified individuals have passed challenging professional level examinations that demonstrate their knowledge, skill and competence.

Company assessments and individual qualifications are underpinned by a strict and enforceable code of conduct. All CREST examinations and processes have been reviewed and approved by CESG, the Information Security arm of GCHQ, the UK Government Communications Headquarters. CREST has member companies in a number of countries and a formally established Chapter in Australia.

Cyber Essentials Scheme – is a UK government-backed, industry-supported scheme that helps businesses protect themselves against common cyber-attacks. The scheme is offered to businesses of all sizes via IASME and CREST certified companies. Through independent assessment, the scheme identifies some fundamental technical security controls that a business needs to have in place in order to help defend against basic Internet-borne threats.

Cyber Scheme – is a UK not-for-profit organization and is run by an independent Board of Directors. The aim of the Cyber Scheme is to provide, via training and associated progressive qualifications, a range of professional capabilities in the areas of penetration testing, forensics, malware analysis, risk assessment, risk management and related cyber security capabilities. The profession needs properly trained and certificated professionals. The Cyber Scheme will help to encourage new talent into the cyber industry and to provide a professionalization route for those already working in the industry.

Be Cyber Streetwise – is a UK cross-government campaign, funded by the National Cyber Security Programme and delivered in partnership with the private and voluntary sectors. The campaign is led by the Home Office, working closely with the Department for Business, Innovation and Skills and the Cabinet Office. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs). On their website they have collected links to the resources produced by partners, helping you find the information you need to protect yourself, your family and your business.

EC-Council – The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various information security and e-business skills. EC-Council has been certified by the American National Standards Institute to meet its ANSI 17024 standard. It is the owner and creator of the well-known Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT) programs, as well as many other programs, which are offered in over 92 countries through a training network of more than 500 training partners globally.

ENISA – is the European Union Agency for Network and Information Security, working for the EU Institutions and Member States. ENISA is the EU’s response to the cyber security issues of the European Union. As such, it positions itself as the ‘pace-setter’ for Information Security in Europe, and a centre of expertise.

Its objective is to make ENISA’s website the European ‘hub’ for exchange of information, best practices and knowledge in the field of Information Security. Their website is an access point to the EU Member States and other actors in this field.

ENISA is helping the European Commission, the Member States and the business community to address, respond to and, above all, prevent Network and Information Security problems. It is a body of expertise, set up by the EU to carry out very specific technical and scientific tasks in the field of Information Security, working as a “European Agency”. It also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.

Global Information Assurance Certification (GIAC) – Global Information Assurance Certification (GIAC) is the leading provider and developer of Cyber Security Certifications. GIAC tests and validates the ability of practitioners in information security, forensics, and software security. GIAC certification holders are recognized as experts in the IT industry and are sought after globally by government, military and industry to protect the cyber environment.

IISP – is a not-for-profit body with the principal objective of advancing the professionalism of the Information Security Industry. Formed in 2005, it has a growing membership, drawn from a wide range of disciplines and sectors. The Institute aims to be the authoritative body for information security professionals and to act as an accreditation authority for the industry. Its activities are shaped by the membership and governed by an elected Board of industry leaders who provide their time on a voluntary basis.

The IISP Skills Framework is the only industry-accepted framework for measuring the practical hands-on knowledge and experience of information security professionals. The framework is used by the Institute to accredit the competency of information security professionals at Associate and Full membership levels and to accredit training courses. Within the UK, the IISP Skills Framework has also been adopted by Government to assess individuals through the CESG Certified Professional Scheme and by e-skills, to build a National Occupational Standard.

InfraGard

International Association for Computer Systems Security, Inc. (IACSS)
International Federation for Information Processing (IFIP) Technical Committee 11 (TC-11) on Security and Protection in Information Systems
International Society for Professionals in E-Commerce (iSPEC)

ISACA – has become a pace-setting global organization for information governance, control, security and audit professionals. The ISACA IS Auditing and IS Control standards are followed by practitioners worldwide, and its research pinpoints professional issues challenging its members. CISA, the Certified Information Systems Auditor, is ISACA’s cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement. ISACA serves 140,000 IT security professionals in 180 countries and engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

(ISC)² – is the global, not-for-profit leader in educating and certifying cyber, information, software and infrastructure security professionals throughout their careers. They provide vendor-neutral education products, career services, and Gold Standard credentials to professionals in more than 160 countries. They take pride in their reputation built on trust, integrity, and professionalism and are proud of their membership – an elite network that has over 110,000 certified industry professionals worldwide.

(ISC)² Foundation – is a non-profit charity formed by (ISC)² in 2011 as a conduit through which its members reach society and empower students, teachers and the general public to secure their online life with cyber security education and awareness programs in the community. The (ISC)² Foundation was formed to meet these needs and to expand altruistic programs such as Safe and Secure Online, the Information Security Scholarship Program, and Industry Research – the three core programs of the Foundation.

ISF – is an independent, not-for-profit organization with a membership comprising many of the world’s leading organizations featured on the Fortune 500 and Forbes 2000 lists. It is dedicated to investigating, clarifying and resolving key issues in information security and risk management, by developing best practice methodologies, processes and solutions that meet the business needs of its members.

ISSA – is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.

National Cyber Security Awareness Month (NCSAM) – has been observed each October since its inception in 2004 in the United States of America. Sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA, a non-profit organization), National Cyber Security Awareness Month encourages vigilance and protection by all computer users.

During the month of October, the Department and the NCSA reach out to all Americans, public- and private-sector partners and the international community about cyber threats and offer tips and best practices concerning how to stay safe online.

The overall NCSAM theme is Our Shared Responsibility to reflect the notion that cyberspace cannot be secured without the help of all users. Each year, the month has weekly themes that deal with specific groups and trends in cyber security.

In line with President Obama’s 60-day review of cyber security, NCSAM builds on existing programs within the Department of Homeland Security. NCSD and NCSA continue to encourage participation in the Cyber Security Awareness Volunteer Education (C-SAVE) Program. The C-SAVE Program advocates for cyber security professionals to visit local schools to educate students on cyber security threats and the importance of staying safe online.

A European Cyber Security Month, first piloted in October 2012, has also been created by ENISA. In 2011, Norway started its own version called National Safety Month (Nasjonal sikkerhetsmåned), organized by NorSIS. It is sponsored by agencies and companies such as the Norwegian National Security Authority (NSM), the Danish Data Protection Agency, Microsoft, Difi (Agency for Public Management and eGovernment) and Secunia.

Look out for online events, and on social media use the hashtag #cyberaware and follow #NCSAM on Twitter.

National Institute of Standards & Technology (NIST) – Founded in 1901, NIST is one of the nation’s oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks. Two useful frameworks are the NIST Cybersecurity Framework and the NIST Risk Management Framework.

Open Web Application Security Project (OWASP) – is an Open Source community project developing software tools and knowledge-based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and web services.

OSSTMM – Its objective is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organizational concerns, such as the corporate profile of the penetration-testing provider.

Payment Card Industry Data Security Standard (PCI DSS) – was established in December 2004, and applies to all members, merchants, and service providers that store, process or transmit cardholder data. As well as the requirement to comply with this standard, there is a requirement to independently verify that compliance.

Penetration Testing Standard (PTS) – The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test: from the initial communication and reasoning behind a pen test; through the intelligence gathering and threat modelling phases, where testers are working behind the scenes in order to get a better understanding of the tested organization; through vulnerability research, exploitation and post-exploitation, where the technical security expertise of the testers comes into play and combines with the business understanding of the engagement; and finally to the reporting, which captures the entire process in a manner that makes sense to the customer and provides the most value to them.

Stay Safe Online – is powered by the National Cyber Security Alliance, whose mission is to educate and thereby empower a digital society to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and our shared digital assets.

NCSA builds strong public/private partnerships to create and implement broad reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems, and their sensitive information safe and secure online and encourage a culture of cyber security.

The IT Governance Institute (ITGI)

Tigerscheme – is a commercial certification scheme for technical security specialists, backed by University standards and covering a wide range of expertise. It provides career progression through entry-level certification, intermediate level certification, and senior and technical specialist roles.

Certification under Tigerscheme provides a formal recognition of an individual’s skills, and is awarded on the basis of a rigorous independent assessment against published and widely accepted standards.