3.1 References & Standards
The following organisations, publications and standards are the sources of the references in this document:
- 3GPP (3rd Generation Partnership Project)
- CSA (Cloud Security Alliance)
- DoD (US Department of Defense)
- ENISA (European Union Agency for Network and Information Security)
- ETSI (European Telecommunications Standards Institute)
- EU (European Union)
- FIPS (US Federal Information Processing Standard)
- GSMA (GSM Association)
- IETF (Internet Engineering Task Force)
- IoTSF (Internet of Things Security Foundation)
- ISO (International Standard Organisation)
- JTAG (Joint Test Action Group)
- NCSC (UK National Cyber Security Centre)
- NIST (US National Institute of Standards and Technology)
- OWASP (Open Web Application Security Project)
References and Bibliography
3GPP.TS33.117. 3GPP Portal, TS33.117 V19.1.0, "Catalogue of general security assurance requirements", March 2025. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2928.
CCPART1V3. "Common Criteria for Information Technology Security Evaluation Part 2: Security functional components", Version 3.1 Revision 4, September 2012. https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf.
CCPART3V3. "Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components", Version 3.1 Revision 4, September 2012. https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R4.pdf.
CERT-C.MEM03. SEI CERT C Coding Standard Recommendation MEM03-C: "Clear sensitive information stored in reusable resources". https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources.
CISA.CIR. CISA "Cybersecurity Incident Response". https://www.cisa.gov/topics/cybersecurity-best-practices/organizations-and-cyber-safety/cybersecurity-incident-response.
CSA.HOME. Cloud Security Alliance Web Home Page. https://cloudsecurityalliance.org.
DODI.8500.2. Department of Defense Instruction 8500.2, "Information Assurance (IA) Implementation", E2.1.26 IA Control, February 6, 2003. https://irp.fas.org/doddir/dod/d8500_2.pdf.
ENISA.ALERT. ENISA "Alerts, Warnings and Announcements Best Practices Guide", November 2013. https://www.enisa.europa.eu/sites/default/files/publications/AlertsWarningsAnnouncements_final.pdf.
ENISA.RMF. ENISA "Interoperable EU Risk Management Framework", January 2023. https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework.
ETSI.EN.303645. ETSI EN 303 645 v2.1.1 "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements" June 2020. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf.
EU.GDPR. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Da.
FIPS.140-2. FIPS PUB 140-2, "Security Requirements for Cryptographic Modules", May 2001. https://csrc.nist.gov/pubs/fips/140-2/upd2/final.
FIPS.140-3. FIPS PUB 140-3, "Security Requirements for Cryptographic Modules", Mar 2019. https://csrc.nist.gov/pubs/fips/140-3/final.
GOV.UK.CYBER. National Cyber Security Centre (NCSC) "Cyber Essentials" (UK government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks). https://www.ncsc.gov.uk/cyberessentials.
GOV.UK.NCSC. National Cyber Security Centre (NCSC) - Provides cyber security support for consumers and providers of cloud services. https://www.ncsc.gov.uk/.
GOV.UK.PG. UK Government advice, "Password Guidance: Simplifying your approach", CESG and CPNI, Sept 2015. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf.
GOV.UK.PSWD. NCSC guidance: "Password administration for system owners". https://www.ncsc.gov.uk/guidance/password-collection.
GOV.UK.RISKMAN. NCSC Guidance "Risk management". https://www.ncsc.gov.uk/collection/risk-management.
GOV.UK.TLS. NCSC guidance "Using TLS to protect data", July 2021. https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data.
GOV.UK.VDISC-TK. NCSC "Vulnerability Disclosure Toolkit". https://www.ncsc.gov.uk/files/NCSC_Vulnerability_Toolkit.pdf.
ICO.DATAP. Information Commissioner's Office, "Key data protection terms you need to know". https://ico.org.uk/for-organisations/advice-for-small-organisations/key-data-protection-terms-you-need-to-know/.
ICO.GDPR. Information Commissioner's Office, "UK GDPR guidance and resources". https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/.
IEEE.802.11. IEEE 802.11i-2004 "IEEE Standard for information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements-Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) s.
IOTSF.SBOM. IoTSF Whitepaper "The Use of Software Bills of Materials for IoT and OT Devices", Release 1.1.0, February 2023. https://iotsecurityfoundation.org/the-use-of-software-bills-of-materials-for-iot-and-ot-devices/.
IOTSF.SCW. IoTSF Whitepaper "Securing the Internet of Things Supply Chain" Release 1.0.0, June 2022. https://iotsecurityfoundation.org/wp-content/uploads/2022/06/RELEASE-JUNE-2022-IoTSF-supply-chain-whitepaper-v5.pdf.
IOTSF.SD-BPG. IoTSF "Secure Design Best Practice Guides", Release 2, November 2019. https://iotsecurityfoundation.org/wp-content/uploads/2019/12/Best-Practice-Guides-Release-2_Digitalv3.pdf.
IOTSF.VDISC-BPG. IoTSF "Vulnerability Disclosure Best Practice Guidelines", Release 2.0, September 2021. https://iotsecurityfoundation.org/wp-content/uploads/2021/09/IoTSF-Vulnerability-Disclosure-Best-Practice-Guidelines-Release-2.0.pdf.
ISO.IEC.20008. ISO/IEC 20008-1:2013 "Information technology — Security techniques — Anonymous digital signatures". https://www.iso.org/standard/57018.html.
ISO.IEC.24772. ISO/IEC 24772-1:2024 "Programming languages — Avoiding vulnerabilities in programming languages" - "7.27 Sensitive information not cleared before use [XZK]", October 2024. https://www.iso.org/standard/83629.html.
ISO.IEC.29147. ISO/IEC 29147:2018 "Information technology — Security techniques — Vulnerability disclosure". https://www.iso.org/standard/72311.html.
ISO.IEC.30111. ISO/IEC 30111:2019 "Information technology — Security techniques — Vulnerability handling processes". https://www.iso.org/standard/69725.html.
MITRE.CVE. "CVE® Program Mission". https://www.cve.org/.
MITRE.CWE-226. MITRE CWE-226 "Sensitive Information in Resource Not Removed Before Reuse". https://cwe.mitre.org/data/definitions/226.html.
MITRE.CWE-244. CWE-244 "Improper Clearing of Heap Memory Before Release ('Heap Inspection')". https://cwe.mitre.org/data/definitions/244.html.
NIST.8259A. NIST 8259A "IoT Device Cybersecurity Capability Core Baseline", May 2020. https://csrc.nist.gov/pubs/ir/8259/a/final.
NIST.CSF. NIST Cyber Security Framework. https://www.nist.gov/cyberframework.
NIST.HOME. National Institute of Standards and Technology (NIST). https://www.nist.gov/.
NIST.SAMATE. NIST "Source Code Security Analyzers". https://www.nist.gov/itl/ssd/software-quality-group/source-code-security-analyzers.
NIST.SP.1500-201. NIST Special Publication 1500-201, "Framework for Cyber-Physical Systems: Volume 1, Overview", June 2017. https://doi.org/10.6028/NIST.SP.1500-201.
NIST.SP.1800-36. NIST SP 1800-36 "Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management", May 2024. https://csrc.nist.gov/pubs/sp/1800/36/ipd.
NIST.SP.800-121. NIST Special Publication 800-121 Rev. 2 "Guide to Bluetooth Security" - "Numeric Comparison" in "3.1.1.2 Secure Simple Pairing", January 2022. https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final.
NIST.SP.800-122. NIST Special Publication 800-122 "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", April 2010. https://csrc.nist.gov/pubs/sp/800/122/final.
NIST.SP.800-131A. NIST Special Publication 800-131A Revision 1, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", November 2015. https://csrc.nist.gov/pubs/sp/800/131/a/r2/final.
NIST.SP.800-167. NIST Special Publication 800-167 "Guide to Application Whitelisting", October 2015. https://csrc.nist.gov/pubs/sp/800/167/final.
NIST.SP.800-22. NIST Special Publication 800-22 Revision 1a, "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", April 2010. https://csrc.nist.gov/pubs/sp/800/22/r1/upd1/final.
NIST.SP.800-30. NIST Special Publication 800-30 "Guide for Conducting Risk Assessments", September 2012. https://www.nist.gov/publications/guide-conducting-risk-assessments.
NIST.SP.800-37. NIST SP 800-37 Rev.2 "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy", December 2018. https://csrc.nist.gov/pubs/sp/800/37/r2/final.
NIST.SP.800-53.SC-5. NIST Special Publication 800-53, Rev 5.1.1, "Security and Privacy Controls for Federal Information Systems and Organizations" – "SC-5 Denial of Service Protection". https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.
NIST.SP.800-53.SI-10. NIST Special Publication 800-53, Rev 5.1.1, "Security and Privacy Controls for Federal Information Systems and Organizations" - "SI-10 Information Input Validation". https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final.
NIST.SP.800-57P1. NIST Special Publication 800-57 Part 1 Rev. 5, "Recommendation for Key Management: Part 1 - General", May 2020. https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final.
NIST.SP.800-57P3. NIST Special Publication 800-57 Part 3 Revision 1, "Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance", January 2015. https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/.
NIST.SP.800-63B. NIST Special Publication 800-63B Revision 1, "Digital Identity Guidelines: Authentication and Lifecycle Management", June 2017. https://pages.nist.gov/800-63-3/sp800-63b.html.
NIST.SP.800-90A. NIST Special Publication 800-90A Revision 1, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators", June 2015. https://csrc.nist.gov/pubs/sp/800/90/a/r1/final.
NTIA.GOV.SBOM. US National Telecommunications and Information Administration (NTIA) Guidance: "Software Bill Of Materials". https://www.ntia.gov/page/software-bill-materials.
NTPSEC. The Secure Network Time Protocol (NTPSec). https://www.ntpsec.org/.
ONEM2M.TP-2017-0200. OneM2M Technical Presentation, "AppID Registry: A Foundation for Trusted Interoperability", July 2017. https://www.onem2m.org/images/ppt/TP-2017-0200-AppID_Registry_A_Foundation_for_Trusted_Interoperability.pdf.
ONEM2M.TS-0003. OneM2M Technical Specification TS-0003-V2.21.1, "Security Solutions" - "Annex J (normative): List of Privacy Attributes" & "Clause 11 Privacy Protection Architecture using Privacy Policy Manager (PPM)". https://onem2m.org/technical/published-specificatio.
OWASP.ASVS. OWASP "Application Security Verification Standard Version 5.0.0", "V4 API and Web Service", May 2025. https://owasp.org/www-project-application-security-verification-standard/.
OWASP.PIN. OWASP, "Certificate and Public Key Pinning". https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning.
OWASP.TLS-CS. OWASP "Transport Layer Security Cheat Sheet". https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html.
OWASP.TOP10. OWASP "Top 10 Web Application Security Risks", 2021. https://owasp.org/Top10/.
RFC2119. IETF RFC7525, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", May 2015. https://tools.ietf.org/html/rfc7525.
SCHNEIER.AT. Schneier on Security - "Attack Trees" by Bruce Schneier, December 1999. https://www.schneier.com/academic/archives/1999/12/attack_trees.html.
SEI.OCTAVE. "Introduction to the OCTAVE Approach", Alberts C.J. et al, August 2003. https://insights.sei.cmu.edu/library/introduction-to-the-octave-approach/.
SHOSTACK.TM. Book "Threat Modeling: Designing for Security", Adam Shostack, 2014. https://shostack.org/books/threat-modeling-book.
SSLLABS.TLS. SSL Labs "SSL and TLS Deployment Best Practices", 15 January 2020. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.
TARANDACH.TM. Book "Threat Modeling: A Practical Guide for Development Teams", Izar Tarandach & Matthew J. Coles, O'Reilly, 2021. https://threatmodeling.dev/.
VAN.DER.HAM. Jeroen van der Ham, "Toward a Better Understanding of 'Cybersecurity'", ACM Digital Threats: Research and Practice, Volume 2, Issue 3, June 2021. https://dl.acm.org/doi/10.1145/3442445.