
The Payment Card Industry Data Security Standard is widely used in the financial industry and seems to be a useful requirement from the standpoint of a potential customer (see also Does PCI compliance really reduce risk and improve security?). But as noted at Is PCI DSS applicable to other solutions than those dealing with payment cards? it is focused on protecting things like credit card numbers ("primary account numbers").

Are there standards and related server certifications that are more suitable for e.g. web sites that hold a variety of sensitive personal information that is not financial (e.g. social networking sites), or government or military sites, or sites that run private or public elections?

Update: To clarify, I know lots of other questions on this site address more general guideline lists which are useful to IT departments and developers when they address the security of their own sites, and I'm not looking for more of those. I'm asking this question from the viewpoint of an outsider - a potential customer, relying party or partner of a web site, and I'm looking for standards which the customer could require compliance to. Ideally the standard would come with some relatively formal notion of who is qualified to judge compliance with it. And I'm wondering if requiring PCI-DSS would be appropriate for any of the kinds of web sites I mention, assuming that they don't actually handle any financial "primary account numbers".

I'm also sympathetic to the sentiment that the answer may just be "No" - that efforts to establish certifiable rules for a general case are just taking the wrong approach, and that such standards only make sense for certain very specific types of sites. Pointers to evidence or well thought-out opinions of that sort would be helpful in that case.

This question was IT Security Question of the Week.
Read the Nov 11, 2011 blog entry for more details or submit your own Question of the Week.

nealmcb
  • I wonder if there ever could be a useful standard that is not too complex. As is often noted in questions and answers on this site, the solution depends on what you are protecting and who you are protecting it from. Even similar industries under different jurisdictions may need different protections. Thus I think it makes sense for specific industries and organizations to produce their own standards. – this.josh Sep 05 '11 at 04:52

3 Answers


It isn't quite "certification" but there are many go-to security baseline configuration standards available.

Some examples to get you started are:

The Center for Internet Security (CIS)

The National Institute of Standards and Technology (NIST) csrc.nist.gov/publications/PubsSPs.html

NSA

Oftentimes the vendor of the technology or application will also provide specific security lock-down guidance and practices. For example, Microsoft offers tons of docs ranging from threat modelling to auditing practices to secure configuration.

Some vulnerability assessment tools will benchmark check your configuration against these templates. But note, like PCI benchmarks, it may not cover all of the guidance provided.

Personally, I have favored the Center for Internet Security (CIS) ones in the past.

Gabe

It's a literal grab-bag, and that's definitely no exhaustive list.

Rory Alsop
Jeff Ferland

The ISF have a Standard of Good Practice which is publicly available and is exactly what it sounds like: rational good practice in security.

Rory Alsop