Difference between revisions of "Journal:Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview"
Shawndouglas (talk | contribs) (Saving and adding more.) |
Shawndouglas (talk | contribs) (Saving and adding more.) |
||
Line 170: | Line 170: | ||
[[File:Fig3 Taherdoost Electronics22 11-14.png|700px]] | [[File:Fig3.1 Taherdoost Electronics22 11-14.png|700px]] | ||
{{clear}} | {{clear}} | ||
{| | {| | ||
Line 230: | Line 230: | ||
==Research methodology== | ==Research methodology== | ||
In this section, the employed process to conduct a literature review in this study is described in detail. The objective of the narrative literature review is to respond to the research questions, including how information security standards are being used in different fields and the current condition of the most frequently used information security standards. | |||
The screening for paper selection was conducted in a process that included several steps. In the first step, a collection of papers based on the literature relevant to information security standards was extracted from the Science Direct database using “information security standards,” “cyber security standards,” and “cybersecurity standards” as keywords in several steps. Limiting the search to the English language and studies that were published from 2000 to 2022 indicated that 253,187 papers were matched to "information security standards," 15,710 papers were matched to "cyber security standards," and 5,054 were matched to "cybersecurity standards." | |||
To analyze the literature review in more depth and limit the number of articles, a query of title, abstract, or author-specified keywords was applied to manually re-screen the search results. The results indicated that there were 1,136 publications on "information security standards," 203 publications on "cyber security standards," and 99 publications on "cybersecurity standards." In the next step, the search result was limited to considering review articles and research articles. Therefore, book chapters, book reviews, discussions, editorials, mini reviews, news reports, short communications, and others were excluded from the search to narrow the search. As a result, 857 publications were found using the "information security standards" keyword, 164 results were found using the "cyber security standards" keyword, and 84 results were found using the "cybersecurity standards" keyword. | |||
The titles, keywords, and abstracts of all extracted papers were scanned and analyzed in terms of relevance to the topic of the research and response to research questions based on their main focus area. As such, studies with no focus on the research topic were excluded from the review. If the title or abstract of a study revealed relevance to the domain of this study, it was included for further examination; otherwise, it was eliminated. Then, extracted papers were narrowed to 43 studies based on the title, abstract, and keywords. In the next step, duplicate papers were found and eliminated from the final list. In cases where the abstract of the study was unclear, the study was carried into the next stage to examine the full content of the study. Through this detailed refining process, 17 studies that met all the criteria were retrieved. The papers that met the criteria to be used as the basis of this narrative literature review are summarized in Table 2, found in the next section. | |||
Figure 4 shows the decision process of selecting the final papers for a narrative literature review. | |||
[[File:Fig4 Taherdoost Electronics22 11-14.png|700px]] | |||
{{clear}} | |||
{| | |||
| style="vertical-align:top;" | | |||
{| border="0" cellpadding="5" cellspacing="0" width="700px" | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |<blockquote>'''Fig. 4''' Flowchart of selecting papers in a narrative literature review.</blockquote> | |||
|- | |||
|} | |||
|} | |||
Figure 5 shows the details of the process to select the final papers that were reviewed in this study. | |||
[[File:Fig5 Taherdoost Electronics22 11-14.png|800px]] | |||
{{clear}} | |||
{| | |||
| style="vertical-align:top;" | | |||
{| border="0" cellpadding="5" cellspacing="0" width="800px" | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |<blockquote>'''Fig. 5''' Flowchart of selecting papers for this narrative literature review.</blockquote> | |||
|- | |||
|} | |||
|} | |||
==Review of information security standards journal articles== | |||
Table 2 summarizes the data of 17 extracted articles. For each paper, the title of the paper, author, and publication year are inserted in separate columns. Moreover, the aim of the research, main findings of the research, relevant industry or field of usage, and employed standards were listed to provide an overview of the existing literature. The number of Science Direct citations as of July 29, 2022 are also inserted in a separate column to clarify how each paper is referenced. | |||
{| | |||
| style="vertical-align:top;" | | |||
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="70%" | |||
|- | |||
| colspan="7" style="background-color:white; padding-left:10px; padding-right:10px;" |'''Table 2.''' Overview of cybersecurity and information security standards journal articles used for this review. * = year of publication; ** = Science Direct citations, as of June 29, 2022; *** = relevant industry/field. | |||
|- | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Source | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Year * | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Citation ** | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Aim of the research | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Main findings | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Field *** | |||
! style="background-color:#dddddd; padding-left:10px; padding-right:10px;"|Employed standard(s) | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Breda and Kiss [46] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2020 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |3 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To describe how organizations that define information security standards are founded, as well as the description of standards | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Employment of solutions for physical protection and application of the protected relevant areas lead to addressing the risk of nonconformity with information security standards. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Electromagnetic shielding emission security | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |IEEE 299-2006, ISO 140-4:1998, ISO/IEC 27000, ISO/IEC 27001, ISO/IEC 27002, MIL-STD-285, MSZ 15601-1:2007, MSZ 15601-2:2007 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Broderick [56] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2006 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |40 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To provide a description on the evolution and application of ISMS and how it helps to fit into information protection regulations | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |BS 7799-2:2002, ISO/IEC 27001:2005, ISO/IEC 17799:2000, ISO/IEC 17799:2005 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Everett [54] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2011 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |9 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To focus on the importance of increasing awareness regarding risk management in information security | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Being pushed to implement a standard regardless of increasing personnel awareness is a waste of time and money. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |ISO/IEC 27005, ISO 31000 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Fumy [28] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2004 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |4 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To review fundamental security mechanisms, including hash functions, encryption algorithms, digital signature schemes, and | |||
authentication techniques | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |The main security challenge in organizations is its application by people, which should be addressed by training. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |ISO/IEC 17799, ISO/IEC 18028, ISO/IEC 24743, ISO/IEC TR 13335-5, ISO/IEC TR 15947 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Gil-García [57] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2004 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |14 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To provide a comparison of the availability of IT standards and policies in the states of the U.S. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |The most significant, frequently reviewed and main concerns of states to implement relevant standards among them are security, e-mail usage, internal networks, privacy, and software standards. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |U.S. states | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Subjects for information policies | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Hemphill and Longstreet [49] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2016 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |16 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To compare and evaluate existing standards for the U.S. retail economy data | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Self-regulation standards for the industry are proposed. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |U.S. retail economy | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Payment Card Industry Data Security Standard (PCI DSS) | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Humphreys [48] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2008 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |77 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To investigate the impact of information security standards on compliance and solving insider threat challenges | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |ISO/IEC 27001 can be employed in organizations of different size and nature to address the risks of insider threats. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |ISO/IEC 27001 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Lai and Dai [56] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2009 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |6 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To describe approaches to implement physical isolation, network isolation, and logical isolation | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |A new revision of implementation guidance for network isolation based on the ISO/IEC 17799 standard is presented. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Government departments | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |ISO/IEC 17799 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Leszczyna [53] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2018 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |48 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To provide an overview on smart grid standards that illustrate challenges in cybersecurity | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Smart grids | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |AMI System Security Requirements, DHS Catalog, DHS Cyber Security, G3-PLC, GB/T 22239, IEC 62056-5-3, IEC 62351 (Parts 1–8), IEC 62541, IEEE C37.240, IEEE 1402, IEEE 1686, ISA/IEC 62443, ISO/IEC 14543, ISO/IEC 15408 (Common Criteria or CC), ISO/IEC 18045 (Common Methodology for Information Technology: Evaluation Methodology or CEM), ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27019, NERC CIP, NIST SP 800-53, NIST SP 800-82, NIST SP 800-124, NISTIR 7628, Privacy and Security of AMI, Security Profile for AMI | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Leszczyna [59] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |2018 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |41 | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |To provide an overview to identify the appropriate cybersecurity standard based on the requirements of smart grids | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |An overview of cybersecurity standards for the smart grid area is provided for selection, based on the case. | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Smart grids | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |AMI System Security Requirements, Cyber Security Procurement Language for Control Systems, DHS Catalog, IEC 62351, IEEE C37.240, IEEE 1686, ISA/IEC 62443, ISO 15118, ISO/IEC 27019, NERC CIP, NISTIR 7268, Privacy and Security of AMI, VGB-S-175 | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" |Papapanagiotou, Marias, and Georgiadis [55] | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
| style="background-color:white; padding-left:10px; padding-right:10px;" | | |||
|- | |||
|} | |||
|} | |||
Revision as of 20:43, 15 March 2023
Full article title | Understanding cybersecurity frameworks and information security standards: A review and comprehensive overview |
---|---|
Journal | Electronics |
Author(s) | Taherdoost, Hamed |
Author affiliation(s) | University Canada West |
Primary contact | Email: hamed dot taherdoost at gmail dot com |
Year published | 2022 |
Volume and issue | 11(14) |
Article # | 2181 |
DOI | 10.3390/electronics11142181 |
ISSN | 2079-9292 |
Distribution license | Creative Commons Attribution 4.0 International |
Website | https://www.mdpi.com/2079-9292/11/14/2181 |
Download | https://www.mdpi.com/2079-9292/11/14/2181/pdf (PDF) |
This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed. |
Abstract
Businesses are reliant on data to survive in the competitive market, and data is constantly in danger of loss or theft. Loss of valuable data leads to negative consequences for both individuals and organizations. Cybersecurity is the process of protecting sensitive data from damage or theft. To successfully achieve the objectives of implementing cybersecurity at different levels, a range of procedures and standards should be followed. Cybersecurity standards determine the requirements that an organization should follow to achieve cybersecurity objectives and minimize the impact of cybercrimes. Cybersecurity standards demonstrate whether an information management system can meet security requirements through a range of best practices and procedures. A range of standards has been established by various organizations to be employed in information management systems of different sizes and types. However, it is challenging for businesses to adopt the standard that is the most appropriate based on their cybersecurity demands. Reviewing the experiences of other businesses in the industry helps organizations to adopt the most relevant cybersecurity standards and frameworks.
This study presents a narrative review of the most frequently used cybersecurity standards and frameworks based on 1. existing papers in the cybersecurity field and 2. applications of these cybersecurity standards and frameworks in various fields to help organizations select the cybersecurity standard or framework that best fits their cybersecurity requirements.
Keywords: cybersecurity framework, cybersecurity standard, information security framework, information security standard, cybersecurity requirements, information security requirements, narrative review
Introduction
A standard is described as an ideal condition with a minimum achievement limit. [1] It also refers to technical specifications that are required to be applied by a service facility to enable service users to acquire the maximum function, purpose, or profit from the services. [2] Many international organizations, associations, and consortia have a vital role in the development of standards. [3,4] According to Standards Australia[1], standards are represented as documents which define specifications, procedures, and guidelines, aiming to ensure safety, consistency, and reliability of products, services, and systems. Moreover, based on the provided definition by the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), standards are documents or rules made based on a general agreement and validated by a legal entity, which help to achieve optimal results, as a guideline, model, or sample, in a particular context.[2] A standard practically meets user demands, considers the limitations of technology and resources, and also meets the verification requirements. [2]
The term "standard" most commonly refers to established documents by professional bodies to be used by other organizations (i.e., technical standards, program standards), or standards of technical practice (i.e., practical cybersecurity standards).
The sets of practices or technical methods that help organizations to secure their cyber environment are referred to as cybersecurity standards. [6] Cybersecurity standards include users, network infrastructure, software, hardware, processes, and information in system storage media that can be connected to the internet. [6] The scope of cybersecurity standards is broad in that it covers security features in applications and cryptographic algorithms that mainly provide perspective toward security controls, processes, procedures, guidelines, and baselines. [7] Security experts recommend implementing cybersecurity standards as a fundamentally essential element consisting of a collection of best practices to protect organizations from cybersecurity threats and risks. [8]
The main aim of cybersecurity standards is to prevent or mitigate cyberattacks and reduce the risk of cyber threats. [9] The implementation of such standards typically benefits the adopter by saving time, decreasing costs, increasing profits, improving user awareness, minimizing risks, and offering business continuity. [7] Additionally, using standards facilitates the compliance of an organization to industry best practices and procedures and provides the opportunity to compare a security system on an international level. [10] Hence, the application of cybersecurity standards has been established in different organizations or businesses to protect assets against cyber threats. [11,12] As a result, different cybersecurity standards have been developed by various organizations to ensure that organizations of different size and nature implement appropriate measures to prevent and mitigate cyber threats. [13] However, since a considerable number of standards have been developed to cover different aspects of cybersecurity in various organizations, it may be challenging for business owners to choose the appropriate standard that is the best match for their business. [14]
This study aims to provide an overview of the most frequently used cybersecurity standards based on existing papers in the cybersecurity field, clarifying their features and applications in different industries. A wide range of cybersecurity standards and frameworks are available to ensure the protection of data in different industries; however, this review paper aims to provide a comparative concept regarding cybersecurity standards and frameworks and facilitate the selection of the most appropriate standards and frameworks. This paper can be also helpful for academic purposes to determine the direction of further studies in this field.
In the next section, an overview of the most common cybersecurity standards and frameworks is provided. Following that is a narrative literature review that is the result of extracting and analyzing 17 papers published about cybersecurity standards between 2000 to 2022, and then considering the aim of each study, the main findings of the research, as well as relevant industry and employed standards. Finally, a concluding discussion is presented that clarifies the contribution of different standards for specific purposes.
Cybersecurity standards and frameworks
Cybersecurity standards are generally classified into two main categories: information security standards and information security governance standards. [15] Information security standards and frameworks such as the ISO/IEC 27000 series, ISF SOGP, NIST 800 series, SOX, and Risk IT mainly concentrate on security concerns. Selecting the most appropriate standard or framework is a serious decision that should be made based on the requirements of the organization to examine if it adequately suits the demands of the business. In some cases, employment of a single standard does not suffice to meet the expectations of a business. Thus, managers need to examine whether they need to consider more than one standard or framework. [2]
Open standards and frameworks are easily available and optional to be employed. Thus, organizations can use some parts or all of the guidelines, as required, or use them in combination, integrated with other standards, to complement and strengthen other requirements. [16] Performance standards can be a policy or law to be complied with by certain countries. They may also be required by the responsible organization, association, or regulatory body to be complied with by the implementing organization. [17] A country or company is authorized to reject rules or standards published by others, or to develop their own proprietary standards or local regulatory standards. [18]
The effective implementation of cybersecurity standards as guidelines or techniques which include best practices to be used in business or industry is not possible without the employment of the relevant cybersecurity framework. [19,20] Cybersecurity standards explain and provide methods one by one, specify what is expected to be done to complete the process, and clarify methods to coincide with the standard; a cybersecurity framework is a general guideline that covers many components or domains that can be adopted by businesses/companies/institutions, which doesn't necessarily specify the steps that are required to be taken. [21] Satisfactory cybersecurity protection can be achieved by adopting a cybersecurity framework that describes the scope, implementation, and evaluation processes, and also provides a general structure and methodology for protecting critical digital assets. [22] In fact, organizations can refer to cybersecurity frameworks to realize guidelines in the successful implementation of cybersecurity standards to be better equipped to identify, detect, and respond to cyberattacks. [23]
Cybersecurity frameworks are flexible and can provide users with the freedom to choose some parts or the whole model, methods, or technical practices, offering general and adoptable guidelines, as well as offering suggestions to be applied within the organization. [24] Implementation costs can be reduced as a result of the flexibility of cybersecurity frameworks. This can be effective to protect the infrastructure against cyber threats and secure critical sectors in the nation and economy. Therefore, cybersecurity frameworks have been developed by academic institutions, international organizations, countries, and corporations to ensure cyber resilience. [25] Businesses that seek to successfully implement cybersecurity standards are dependent on cybersecurity frameworks to harmonize policy, business, and technological approaches that are effective to mitigate cybersecurity issues and address cyber risks. [26] Thus, to ensure the protection of data and the infrastructure in organizations, businesses, and governments, cybersecurity standards and frameworks are required. [27]
The difference between a standard and a framework is summarized in Table 1.
|
Cybersecurity and information security standards
Cybersecurity standards, as key parts of IT governance, are consulted to ensure that an organization is following its policies and strategy in cybersecurity. [3] Therefore, by relying on cybersecurity standards, an organization can turn its cybersecurity policies into measurable actions. Cybersecurity standards clarify functional and assurance steps that should be taken to achieve the objectives of the organization in terms of cybersecurity. It may seem costly for a business to invest in the implementation of cybersecurity standards; however, the confidence and trust that it brings are more beneficial for the organization. [28]
Written cybersecurity standard documents describe requirements to be respected by the organization and are easy to be controlled by stakeholders or relevant auditors. However, standards do not include how to achieve the standard requirements. The most popular and frequently used cybersecurity standards, referred to in this paper, are shown in Figure 1. It is important to note that cybersecurity frameworks may not be limited to what is presented in the scope of this study, since new frameworks are constantly being published based on demands. In a general classification, the ISO 27000 series, BSI, and SoGP are provided. Additionally, some standards that are common in industry are presented in the "Industry Related" category.
|
The evolution of cybersecurity standards over time is represented in Figure 2.
|
In the following subsections, the most popular cybersecurity standards—including the ISO 27000 series, SoGP, and BSI—are described to provide an overview and facilitate the process of decision-making.
ISO/IEC 27000 standards
The ISO/IEC 27000 series of standards concentrates on security in information systems management (ISM). [15] The family of ISO/IEC 27000 standards was initially recognized as BS7799 and then introduced as ISO standards as soon as the ISO added it to the information security management system (ISMS) standards. [29] Methods and practices to ensure effective implementation of information security in an organization are described in detail in ISO 27001, focusing on providing a secure and trustable exchange of data and communication channels. The main consideration of ISO 27001 in accomplishing managerial and organizational objectives and sub-objectives is through stressing the imporatance of risk management approaches. However, the ISO 27000 series has not been shown to successfully work as a complete information systems management (ISM) solution to be integrated into larger systems. ISO 27001, the first in the series of ISO/IEC 27000 standards, dates back to 2005. However, four standards, including 27001, 27002, 27005, and 27006, are currently published and widely used in organizations. [30]
ISO/IEC 27001:2013
ISO/IEC 27001:2013 is an internationally recognized standard that determines requirements to implement a certified ISMS for a business through seven key elements. [10] These steps include specifications for installation, performance, operation, controlling and monitoring, review, maintenance, and improvement of the system. General requirements for the treatment and assessment of risks that exist in the information system of the organizations are also included, regardless of the size, type, and nature of the business. ISO/IEC 27001 is commonly used along with ISO/IEC 27002, which clarifies security control objectives and recommendations, since it does not list specific security controls. Employment of ISO/IEC 27001 helps organizations to manage and protect the valuable information of employees and clients, manage information risks, and protect and develop their brands. [31] (Note that since the original publishing of this journal article, the standard was updated, in October 2022.)
ISO/IEC 27002:2013
ISO/IEC 27002:2013 is the code of practice for information security controls that lists a structured series of information security controls to comply with ISO/IEC 27001. However, security controls that are not specifically mentioned in this list are not mandatory to be employed by organizations. Best practice recommendations to be used by responsible individuals when they try to implement information security management are provided in ISO/IEC 27002. [32] This includes managing assets in an organization, securing human resources, managing operations and communications, securing environmental and physical aspects, managing business continuity, and managing compliance and information security incident areas. [25] (Note that since the original publishing of this journal article, the standard was updated, in February 2022.)
ISO/IEC 27005:2018
Guidelines for risk-based implementation of cybersecurity risk management are provided in ISO/IEC 27005:2018. The standard supports concepts and requirements that are specifically listed in ISO/IEC 27001. To completely understand ISO/IEC 27005, organizations need to gain knowledge about the processes and concepts of ISO/IEC 27001 and ISO/IEC 27002. ISO/IEC 27005 can be applicable to those implementing a satisfactory risk-based information system in organizations of different sizes and sectors. [33] ISO/IEC 27005 employs an information risk management process that consists of seven main elements, including installation of context, assessing risk, treating risk, accepting risk, communicating risk, consulting risk, as well as monitoring risk and reviewing risk. [25] (Note that since the original publishing of this journal article, the standard was updated, in October 2022.)
ISO/IEC 27006:2015
The main purpose of ISO/IEC 27006 is to determine formal processes and requirements that should be respected by third-party bodies that provide information security auditing and certifying services for other organizations. Conforming to ISO/IEC 27006 helps bodies to be recognized as trustable and reliable organizations operating ISMS. [10]
Other ISO/IEC standards
Other cybersecurity and information security standards put forth by the ISO/IEC JTC 1/SC 27 technical committee include [25]:
- ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary
- ISO/IEC 27003:2017 Information technology — Security techniques — Information security management systems — Guidance
- ISO/IEC 27004:2016 Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
- ISO/IEC 27007:2020 Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
- ISO/IEC TS 27008:2019 Information technology — Security techniques — Guidelines for the assessment of information security controls
- ISO/IEC 27009:2020 Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements
- ISO/IEC 27011:2016 Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
- ISO/IEC 27013:2021 Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014:2020 Information security, cybersecurity and privacy protection — Governance of information security
- ISO/IEC TR 27016:2014 Information technology — Security techniques — Information security management — Organizational economics
- ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27019:2017 Information technology — Security techniques — Information security controls for the energy utility industry
ISF's Standard of Good Practice for Information Security
the Information Security Forum (ISF), an international organization based in London, with staff in New York City, initially published the Standard of Good Practice for Information Security in 1996. The ISF is a non-profit and independent organization that concentrates on the development of best practices and benchmarking in the information security arena. [7] Companies and individuals in manufacturing, financial services, transportation, chemical/pharmaceutical, retail, government, telecommunications, media, transportation, energy, and professional services from all over the world can join the ISF. The standard—which includes best practices in cybersecurity—is also revised every two years to cover the most recent best practices in information security. The standard is mainly designed to concentrate on six major aspects, including installing computers, application of critical business processes, managing security and networks, developing systems, and securing the environment for the end user. [2]
BSI's IT-Grundschutz Compendium and 200-X Standards
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) is responsible for managing the security of computers and communication for the German government, focusing on security of computer applications, cryptography, internet security, security products, and security test laboratories [10]. Through its focus on "IT baseline protection" or IT-Grundschutz, BSI has provided recommendations for approaches, processes, methods, and procedures that are related to cybersecurity in its IT-Grundschutz Compendium, as well as its 200-X series of standards. It also covers key areas in information security that are required to be considered while setting approaches for companies and public authorities. [34]
BSI-Standard 200-1: Information Security Management Systems (ISMS)
The first standard in the BSI Standards 200-X series is BSI-Standard 200-1, which describes the main requirements that should be followed to implement ISMSs. There is full compatibility between 200-1 and ISO/IEC 27001. Moreover, recommendations and solutions of ISO standards are taken into consideration in this standard. [10] This standard mainly concentrates on managing the challenges of planning the information technology implementation process described in the ISO/IEC 27001 standard.[3]
BSI-Standard 200-2: IT-Grundschutz-Methodology
BSI-Standard 200-2 includes the employment of IT security management practices in a practical step-by-step manner, covering suggestions for the selection of appropriate measures in information technology security, the implementation of information technology security, and the intricacies of information technology security using the IT-Grundschutz methodologies of standard, basic, and core protection. Additionally, general requirements to employ ISO 27001, 27002 and 13335 standards are interpreted using notes and examples, which help facilitate the establishment of a successful ISMS. [34][4]
BSI-Standard 200-3: Risk Analysis based on IT-Grundschutz
BSI-Standard 200-3 concentrates on risk analysis. Organizations apply this approach to promote their risk analysis while they implement the IT-Grundschutz methodologies. [34] The elementary threats described in the IT-Grundschutz Compendium form the basis of the recommended information security risk analysis procedures of 200-3.[5]
Apart from the general classification of cybersecurity standards, a class of cybersecurity standards focusing on their application to specific business industries—including ISA/IEC 62443, ISO/SAE 21434, ETSI EN 303 645, and FIPS 140-3—is also provided in this study.
ISA/IEC 62443 standards
ISA/IEC 62443 is an international series of standards in cybersecurity that is focused on the employment of cybersecurity requirements for operating technology in systems used for industrial automation and control system (IACS) purposes. [35] This series of standards, initially established by the ISA99 committee, addresses current and future cybersecurity concerns in IACSs. The International Electrotechnical Commission (IEC) has adopted this standard and asks security experts in industrial automation and control systems from all over the world to help develop the standard. [35] Since the standard has divided cybersecurity topics into different categories, it is not limited to the technology sector, and it also considers mitigating cyber threats regarding processes, employees, and countermeasures.
ISO/SAE 21434:2021
This standard is focused on cybersecurity risk management requirements in the engineering of electronic systems of road vehicles and includes production, operation, development, maintenance, etc. concepts in vehicular engineering. [36] It also expands into addressing both components and interfaces of road vehicles. The main aim of this standard is to ensure that cybersecurity concerns are addressed in the engineering of road vehicles and that they are protected against different cyberattacks. [36]
ETSI EN 303 645 V2.1.1
Cybersecurity is becoming a growing challenge, as more devices are connected to the internet and more people are sharing their personal data using internet of things (IoT) technologies. This standard targets all parties that are involved in manufacturing and developing IoT products and appliances. [37] The standard has collected a wide range of best practices and requirements in internet-connected products and appliances to ensure the security of consumers’ data. The main focus of this standard is on the establishment of organizational policies and technical controls that are applicable to all IoT devices. [37]
FIPS 140-3
The Federal Information Processing Standards (FIPS) are published by the National Institute of Standards and Technology (NIST). This standard includes hardware and software requirements to protect cryptography modules. Cryptography modules include valuable information that should be secured with respect to integrity and confidentiality concerns. Four security levels, from the lowest to the highest, are defined in FIPS 140-3. This standard is established based on the joint collaboration of NIST and the Canadian Centre for Cyber Security to ensure that cryptographic modules meet validation requirements. Therefore, if a product meets FIPS 140-3 requirements, it is accepted by federal agencies of the United States and Canada at the same time. [38][6]
Cybersecurity and information security frameworks and supporting documents
The cybersecurity framework is the structure that an organization needs with respect to becoming protected against cyberattacks. Some cybersecurity frameworks are mandatory and others are often strongly encouraged by regulators. [25] Thus, frameworks guide organizations in the implementation process to meet standard requirements. The main goal of a cybersecurity framework is to reduce the risk of cyber threats through learning from the best practices. [3] The most popular and frequently used cybersecurity frameworks and supporting documents that are referred to in this paper are shown in Figure 3. It is important to note that cybersecurity frameworks may not be limited to what is presented in the scope of this study, since new frameworks are constantly being published based on demands.
|
The NIST SP 800-X series
NIST is a non-regulatory federal agency established within the U.S. Department of Commerce that was founded in 1901, and its mission is to improve life and economic security through the development of technology, science, and standards. [10] Industries that are supported by NIST standards and measurements include building and fire research, chemical science and technology, information technology, electronics and electrical engineering, materials science and engineering, technology services, manufacturing engineering, physics, neutron research, and nanoscale science and technology [42].
NIST defines the NIST SP 800-X series as a series of publications that report on the NIST "Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations."[7] It began publishing the SP 800-X series of documents in 1990, which is considered the oldest publications among its information security standards, covering a wide range of documents that support different aspects of information security. [7] The publications include recommendations, guidelines, technical features, and reports that NIST publishes annually about its cybersecurity activities. The SP 800-X series was initially developed to address privacy and security requirements in federal information systems; however, it was later used by non-federal organizations as well. To employ the publication for national security systems, it is mandatory to get approval from the relevant federal authority. [43] Popular NIST SP 800-X documents include:
- SP 800-12, Rev. 1 An Introduction to Information Security
- SP 800-30, Rev. 1 Guide for Conducting Risk Assessments
- SP 800-37, Rev. 2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
- SP 800-53, Rev. 5 Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-12, Rev. 1 has been one of the more popular documents in this series, since it offers a good perspective of the NIST approach. [10] However, SP 800-53, Rev. 5 and ancillary frameworks such as the NIST Cybersecurity Framework play critical roles for many organizations today.[8]
Outside the SP 800-X series of documents, NIST also provides complementary information security and cybersecurity works, including the NIST Cybersecurity Framework, NIST Privacy Framework, and NIST Risk Management Framework (RMF).
SP 800-12, Rev. 1
The core principles of cybersecurity are covered in detail in NIST SP 800-12. [10] It was initially developed to be used in governmental and federal agencies; however, it can also be employed in other organizations focusing on computer security and controls. [7] The broad approach of the NIST is characterized in NIST SP 800-12, clarifying the main elements, including the role of computer security in supporting the mission of the business, emphasizing the role of computer security in sound management, the importance of performing cost effective computer security, the importance of clearly defining accountability and responsibilities in computer security, emphasizing the role of system owners outside of the organization, emphasizing the employment of an integrated and comprehensive approach, the importance of assessing computer security on a regular basis, and describing the relationship between computer security and societal factors. [7] This document also covers cost considerations, significant concepts, and the correlation between different security controls, eventually offering solutions to ensure that resources are secure. [43]
SP 800-30, Rev. 1
This document mainly concentrates on providing guidance for the development of information systems risk assessment. Risk assessment plans are conducted using NIST SP 800-30 based on the recommendations and principles of the NIST methodology. This guidance facilitates the understanding of cyber risks for decision makers in the organization. [43] When decision makers realize the risks and issues mentioned by a technician, they can make smart decisions based on the available resources and budget. [7]
SP 800-37, Rev. 2
This framework mainly concentrates on providing guidelines to apply a risk management framework in information systems and organizations. It also presents guidelines for organizations to implement and manage privacy and security risks regarding the best practices in information systems. The responsibility of managing privacy and security, according to NIST SP 800-37, belongs to the top management team. [7]
SP 800-39
This document mainly concentrates on providing guidance to organizations on developing a program that aims to manage information security risks regarding the organization's mission, operations, reputation, functions, individuals, image, and assets. [43] This structured and flexible approach specifically concentrates on assessing and monitor risks and responding accordingly. Moreover, this guide towards risk is not intended to take the place of other risk-related measures in organizations. [7]
SP 800-53, Rev. 5
This framework mainly concentrates on security and privacy controls for information systems and organizations aiming to secure assets, individuals, and operations from different cyber threats, including human error, hostile attacks, failures in structure, natural disasters, privacy risks, and threats from foreign intelligence entities. [7] The framework is extensive, and the controls are intentionally made to be "flexible and customizable" in how they help organizations address security and privacy from a functionality perspective.[9]
NIST Cybersecurity Framework
The NIST CSF was established by NIST after the executive order signed by President Obama in 2014. Furthermore, the role of the NIST was updated by the Cybersecurity Enhancement Act of 2014 (CEA), which aimed to cover the identification and development of cybersecurity risk frameworks for critical infrastructure operators and owners. Existing business operations and cybersecurity concerns are covered in this framework. Thus, it can be referred to as a foundation for building a new cybersecurity program or improving an existing program, which can be adopted as the best practices by organizations or private sectors to secure their own critical organization [44].
The NIST CSF helps organizations improve their cybersecurity measures and provides an integrated organizing structure for different approaches in cybersecurity through collecting best practices, standards, and recommendations. In other words, the CSF is a framework that provides a means of expressing cybersecurity requirements while also effectively pointing out the existing gaps in the cybersecurity practices of an organization.
NIST Privacy Framework
The NIST Privacy Framework [45] concentrates on addressing the concerns of organizations wishing to detect and respond to concerns related to privacy and establish innovative services and products while at the same time considering individuals' privacy. [7] This framework is based on five major functions, including identifying, governing, controlling, communicating, and protecting. This framework can also help managers to address privacy concerns in IoT-based environments.
NIST Risk Management Framework
This framework proposes a seven-step process to cybersecurity risk management, including preparing, categorizing, selecting, implementing, assessing, authorizing, and monitoring in order for the organization to manage its privacy and information security risks. [7] This process is designed to be a comprehensive and measurable process that is repeatable at different times. This framework can also be employed in IoT-based environments to address growing privacy and security challenges.
COBIT
As organizations have become more reliant on technology and communication, the likelihood of being impacted by cyber threats from internal and external sources has increased dramatically. [7] Hence, organizations need to follow a consistent approach to ensure that they appropriately identify risks and accurately assess and manage cybersecurity risks. This approach is essential for all organizations, regardless of their size, nature, and sophistication in cybersecurity. With this intent, COBIT was developed by the Information Systems Audit and Control Association (ISACA), which is an organization founded in 1967 in the United States in response to the growing concerns of computer systems. COBIT was initially released in 1996 to help users and decision-makers of IT systems develop and improve upon an authoritative series of information technology control objectives that are generally accepted. Therefore, they can realize the level of required security and control to protect the assets of their companies through the establishment of an information technology governance model. [39]
In actuality, COBIT is a high-level information technology standard in a governance and management framework that concentrates on broad concepts of decision-making processes in IT management, instead of focusing on the fine details. [15] COBIT includes 34 main IT processes and encompasses the best practices and approaches regarding process, infrastructure, resource, responsibility, and control management within an organization. Each IT process in COBIT includes a series of 318 high-level detailed control objectives (DCOs), as well as a range of control objectives (COs), which are classified into four main categories: planning, implementing, supporting, and monitoring and evaluating. [40]
COBIT is the best choice to be implemented as an integrated solution because of its broadness. However, COBIT is not the best solution in cases where the appropriate implementation of security controls is the first priority, since it does not provide guidelines to achieve predefined control objectives. [41]
Research methodology
In this section, the employed process to conduct a literature review in this study is described in detail. The objective of the narrative literature review is to respond to the research questions, including how information security standards are being used in different fields and the current condition of the most frequently used information security standards.
The screening for paper selection was conducted in a process that included several steps. In the first step, a collection of papers based on the literature relevant to information security standards was extracted from the Science Direct database using “information security standards,” “cyber security standards,” and “cybersecurity standards” as keywords in several steps. Limiting the search to the English language and studies that were published from 2000 to 2022 indicated that 253,187 papers were matched to "information security standards," 15,710 papers were matched to "cyber security standards," and 5,054 were matched to "cybersecurity standards."
To analyze the literature review in more depth and limit the number of articles, a query of title, abstract, or author-specified keywords was applied to manually re-screen the search results. The results indicated that there were 1,136 publications on "information security standards," 203 publications on "cyber security standards," and 99 publications on "cybersecurity standards." In the next step, the search result was limited to considering review articles and research articles. Therefore, book chapters, book reviews, discussions, editorials, mini reviews, news reports, short communications, and others were excluded from the search to narrow the search. As a result, 857 publications were found using the "information security standards" keyword, 164 results were found using the "cyber security standards" keyword, and 84 results were found using the "cybersecurity standards" keyword.
The titles, keywords, and abstracts of all extracted papers were scanned and analyzed in terms of relevance to the topic of the research and response to research questions based on their main focus area. As such, studies with no focus on the research topic were excluded from the review. If the title or abstract of a study revealed relevance to the domain of this study, it was included for further examination; otherwise, it was eliminated. Then, extracted papers were narrowed to 43 studies based on the title, abstract, and keywords. In the next step, duplicate papers were found and eliminated from the final list. In cases where the abstract of the study was unclear, the study was carried into the next stage to examine the full content of the study. Through this detailed refining process, 17 studies that met all the criteria were retrieved. The papers that met the criteria to be used as the basis of this narrative literature review are summarized in Table 2, found in the next section.
Figure 4 shows the decision process of selecting the final papers for a narrative literature review.
|
Figure 5 shows the details of the process to select the final papers that were reviewed in this study.
|
Review of information security standards journal articles
Table 2 summarizes the data of 17 extracted articles. For each paper, the title of the paper, author, and publication year are inserted in separate columns. Moreover, the aim of the research, main findings of the research, relevant industry or field of usage, and employed standards were listed to provide an overview of the existing literature. The number of Science Direct citations as of July 29, 2022 are also inserted in a separate column to clarify how each paper is referenced.
|
References
- ↑ "What is a standard?". Standards Australia. 2022. https://www.standards.org.au/standards-development/what-is-standard. Retrieved 01 February 2022.
- ↑ "ISO/IEC Directives, Part 2: Rules for the structure and drafting of International Standards" (PDF). International Organization for Standardization, International Electrotechnical Commission. 2011. https://boss.cen.eu/media/yypjl3mn/iso_iec_directives_part2.pdf.
- ↑ "BSI-Standard 200-1: Information Security Management Systems (ISMS)". Bundesamt für Sicherheit in der Informationstechnik. 7 May 2018. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2001_en_pdf.html?nn=908032.
- ↑ "BSI-Standard 200-2: IT-Grundschutz-Methodology". Bundesamt für Sicherheit in der Informationstechnik. 7 May 2018. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2002_en_pdf.html?nn=908032.
- ↑ "BSI-Standard 200-3: Risk Analysis based on IT-Grundschutz". Bundesamt für Sicherheit in der Informationstechnik. 7 May 2018. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2003_en_pdf.html?nn=908032.
- ↑ "FIPS PUB 140-3 Security Requirement for Cyptographic Modules" (PDF). National Institute of Standards and Technology. 22 March 2019. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf.
- ↑ "NIST Special Publication". Computer Security Resource Center Glossary. 2022. https://csrc.nist.gov/glossary/term/nist_special_publication.
- ↑ "Analysis and Comparison of the NIST SP 800-53 and ISO/IEC 27001:2013". Proceedings of the Workshop on Cybersecurity Providing in Information and Telecommunication Systems. CEUR Workshop Proceedings 3288: 21–32. 2022. ISSN 1613-0073. https://ceur-ws.org/Vol-3288/.
- ↑ "SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations". National Institute of Standards and Technology. 23 September 2020. https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.
Notes
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The BSI standards discussed in the original refer to the old 100 standards, for some unknown reason; they were updated to the 200-X series of standards for this version. Additional references to those 200-X standards are also supplied in this version. Similarly, the author refers to FIPS 140-2 instead of 140-3, for some unknown reason, despite 140-3 being released in March 2019; 140-3 is used in this version, and an additional reference is supplied. The NIST SP 800-X series descriptions were arguably opaque and outdated in the original; additional modifications were made to clarify that content and remove withdrawn items (like NIST SP 800-14) for this version.