Page 527 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Guidelines


In addition to broad security evaluation frameworks such as Common Criteria, there are many more specific or focused security standards covering particular aspects of storage, communication, transactions, and the like. Two sources of such standards you should be familiar with are the Payment Card Industry Data Security Standard (PCI DSS) and the International Organization for Standardization (ISO).

PCI DSS is a collection of requirements for improving the security of electronic payment transactions, in particular the protection of cardholder data. The standard is maintained by the PCI Security Standards Council, which was founded by the major payment card brands. PCI DSS defines requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. Compliance is imposed on merchants and service providers that store, process, or transmit cardholder data through their agreements with the card brands and acquiring banks, not by statute.

For more information on PCI DSS, please visit the website at www.pcisecuritystandards.org.

ISO is a worldwide standards-setting body made up of representatives from various national standards organizations. ISO defines standards for industrial and commercial equipment, software, protocols, and management, among others. It issues six main products: International Standards, Technical Reports, Technical Specifications, Publicly Available Specifications, Technical Corrigenda, and Guides. ISO standards are widely accepted across many industries and have even been adopted as requirements or laws by various governments. For more information on ISO, please visit the website at www.iso.org.


               Certification and Accreditation


Organizations that require secure systems need one or more methods to evaluate how well a system meets their security requirements. The formal evaluation process is divided into two phases, called certification and accreditation. Certification is the comprehensive technical evaluation of a system's security controls against a chosen set of criteria; accreditation is the formal acceptance of the evaluated system, with its residual risk, by management or a designated approving authority. The actual steps required in each phase depend on the evaluation criteria an organization chooses. A CISSP candidate must understand the need for each phase and the criteria commonly used to evaluate systems. The two evaluation phases are discussed in the next two sections, and then we present various evaluation criteria and considerations you must address when