Network and information security standards are developed under the influence of the following driving forces.
Interoperability requirements between security products. Encryption and decryption, signature and authentication, secure interconnection between networks and so on all require products from different manufacturers to work together smoothly in order to realize a complete security function. This demand led to the first batch of network and information security standards, which took the form of an "algorithm", a "protocol" or an "interface". For example, the full name of the well-known symmetric encryption algorithm DES is "Data Encryption Standard".
The necessity of security level evaluation. Users cannot simply take a manufacturer's claims about its security functions at face value, and most users are not security experts themselves, so a group of neutral security experts trusted by users is needed to evaluate the security functions and performance of security products. After summarizing and refining this experience, a number of "security levels" were formed; each security level has a strict definition of the specific security functions and performance required, corresponding to a series of operable evaluation and certification means. These security levels, defined by objective and operable means, put the evaluation and judgment of security products on the right track.
The need to measure the capability of service providers.
With the development of network and information security as an industry, the weaknesses of security level evaluation, namely its long duration and high cost, were gradually exposed. Therefore, in addition to evaluating the level of the "eggs" (security products), people thought of indirectly evaluating the "eggs" by evaluating the level of the "chickens" (the security service providers) that laid them. In this way, standards that take product suppliers and engineering contractors as their evaluation objects became popular, and they form a complementary pattern with the evaluation and certification standards that take products or systems as their objects. With the popularity of the Internet, network-based information service enterprises, as well as enterprises that transmit business information over network-based platforms, such as financial, securities, insurance and various e-commerce enterprises, began to pay attention to security issues. Therefore, information security management standards for enterprises that use networks and information systems to provide services came into being.
At present, international standards related to network and information security can be roughly divided into three categories:
Interoperability standards, such as the symmetric encryption standards DES, 3DES, IDEA and AES; the asymmetric encryption standard RSA; the VPN standard IPSec; the transport layer encryption standard SSL; the secure e-mail standard S/MIME; the Secure Electronic Transaction standard (SET); and the common vulnerability description standard CVE. These are algorithms and protocols that came into common use after a spontaneous selection process, that is, the so-called "de facto standards".
Technical and engineering standards, such as the Common Criteria for the evaluation of information products (CC/ISO 15408) and the Systems Security Engineering Capability Maturity Model (SSE-CMM).
Network and information security management standards.
For example, the information security management system standard (BS 7799) and the information security management standard (ISO 13335).