
3.1 References & Standards

The following organisations, publications and standards have been used as the sources of the references in this document:

  • 3GPP (3rd Generation Partnership Project)
  • CSA (Cloud Security Alliance)
  • DoD (US Department of Defense)
  • ENISA (European Union Agency for Network and Information Security)
  • ETSI (European Telecommunications Standards Institute)
  • EU (European Union)
  • FIPS (US Federal Information Processing Standard)
  • GSMA (GSM Association)
  • IETF (Internet Engineering Task Force)
  • IoTSF (Internet of Things Security Foundation)
  • ISO (International Organization for Standardization)
  • JTAG (Joint Test Action Group)
  • NCSC (UK National Cyber Security Centre)
  • NIST (US National Institute of Standards and Technology)
  • OWASP (Open Web Application Security Project)

The following references are used in this document:

  1. NIST Special Publication 800-57 Part 3 Revision 1 “Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance” January 2015 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf

  2. NIST Special Publication 800-131A Revision 1 “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” November 2015

  3. NIST Special Publication 800-90A Revision 1 “Recommendation for Random Number Generation Using Deterministic Random Bit Generators” June 2015 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

  4. NIST Special Publication 800-22 Revision 1a “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications” April 2010 https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=906762

  5. FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 2001. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

  6. Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, September 2012, Version 3.1 Revision 4, CCMB-2012-09-001 https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4_marked_changes.pdf

  7. Common Criteria for Information Technology Security Evaluation Part 2: Security functional components September 2012 Version 3.1 Revision 4 CCMB-2012-09-002 https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf

  8. Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, September 2012, Version 3.1 Revision 4, CCMB-2012-09-003 https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R4.pdf

  9. Draft Framework for Cyber-Physical Systems; NIST; October 2016 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-201.pdf

  10. UK Government advice on Password Guidance, Simplifying your approach, CESG and CPNI Sept 2015: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

  11. DoDI-8500.2 IA Controls: http://www.dote.osd.mil/tempguide/index.html

  12. NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Special Publication 800-122, NIST, April 2010: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

  13. Key definitions of the Data Protection Act, ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions

  14. Overview of the General Data Protection Regulation (GDPR), ICO: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr

  15. oneM2M TS-0003 “Security Solutions”, Annex J (normative): List of Privacy Attributes, and Clause 11: Privacy Protection Architecture using Privacy Policy Manager (PPM) https://www.onem2m.org/technicalpublished-specifications

  16. Example of IoT application ID registry and possible privacy profile registry https://www.onem2m.org/images/ppt/TP-2017-0200-AppID_Registry_A_Foundation_for_Trusted_Interoperability.pdf

  17. 3GPP TS 33.117 “Catalogue of general security assurance requirements” (a 3GPP specification, also published by ETSI) https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2928

  18. Cloud Security Alliance (CSA), a not-for-profit organisation promoting best practices for security assurance within cloud computing https://cloudsecurityalliance.org

  19. IoTSF Vulnerability Disclosure Guidelines can be found at https://iotsecurityfoundation.org/best-practice-guidelines

  20. NIST National Institute of Standards and Technology www.nist.gov

  21. NIST Cyber Security Framework https://www.nist.gov/cyberframework

  22. OCTAVE risk assessment method (see reference 36 below). Note: the link https://www.gnu.org/software/octave/ previously given here is the unrelated GNU Octave numerical programming language, not the OCTAVE risk method.

  23. UK Cyber Essentials: UK government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks https://www.cyberaware.gov.uk/cyberessentials

  24. UK Government Cloud Security Principles: guidance for consumers and providers of cloud services https://www.gov.uk/government/publications/cloud-service-security-principles/cloud-service-security-principles

  25. IETF – RFC2119 “Key words for use in RFCs to Indicate Requirement Levels” https://www.ietf.org/rfc/rfc2119.txt

  26. NIST Special Publication 800-63B (part of SP 800-63-3) “Digital Identity Guidelines: Authentication and Lifecycle Management” June 2017 https://pages.nist.gov/800-63-3/sp800-63b.html

  27. ENISA “Algorithms, Key Sizes and Parameters Report – 2013” https://www.enisa.europa.eu/publications/algorithms-key-sizes-and-parameters-report

  28. IETF RFC7525 “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)” https://tools.ietf.org/html/rfc7525

  29. SSL Labs “SSL-and-TLS-Deployment-Best-Practices” 31 March 2017 https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

  30. OWASP “Transport Layer Protection Cheat Sheet” https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

  31. OWASP Certificate and Public Key Pinning https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

  32. NIST Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations” – SC-5 Denial of Service Protection https://nvd.nist.gov/800-53/Rev4/control/SC-5

  33. NIST Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations” – SI-10 Information Input Validation https://nvd.nist.gov/800-53/Rev4/control/SI-10

  34. NIST Special Publication 800-167 “Guide to Application Whitelisting” http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf

  35. NIST SP 800-37 Rev. 1 “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach” https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final, or OCTAVE (see reference 36)

  36. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), an approach for managing information security risks. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546

  37. Supply Chain of Trust, by Haydn Povey of Secure Thingz and the IoTSF http://www.newelectronics.co.uk/article-images/152099/P18-19.pdf

  38. Static Code Analysis Tools https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

  39. Bluetooth Numeric Comparison: NIST Special Publication 800-121 Revision 1 “Guide to Bluetooth Security” June 2012, page 14 https://csrc.nist.gov/publications/detail/sp/800-121/rev-1/archive/2012-06-11

  40. UK Government Cyber security risk assessment guidance https://www.ncsc.gov.uk/guidance/risk-management-collection

  41. NIST Special Publication 800-30 guidance for conducting risk assessments https://www.nist.gov/publications/guide-conducting-risk-assessments

  42. EU ENISA guidance on cyber security risk management https://www.enisa.europa.eu/topics/threat-risk-management/risk-management

  43. ISO/IEC standards for vulnerability disclosure and handling: ISO/IEC 29147 (Vulnerability disclosure) http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147_2014.zip and ISO/IEC 30111 (Vulnerability handling processes) https://www.iso.org/standard/53231.html

  44. Enhanced privacy standard for anonymous signatures: ISO/IEC 20008 “Anonymous digital signatures” https://www.iso.org/standard/57018.html

  45. IoTSF Best Practice Guidelines for Connected Consumer Products V1.1 https://www.iotsecurityfoundation.org/best-practice-guidelines/#ConnectedConsumerProducts includes at time of publication individual guidelines for the following topics:

    A. Classification of data

    B. Physical security

    C. Device secure boot

    D. Secure operating system

    E. Application security

    F. Credential management

    G. Encryption

    H. Network connections

    J. Securing software updates

    K. Logging

    L. Software update policy

  1. The CIA Triad (confidentiality, integrity, availability) has no single original source; for more information see https://www.techrepublic.com/blog/it-security/the-cia-triad

  2. Examples of security vulnerability advisory programs: https://www.us-cert.gov/report and https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy

  3. Example of memory sanitisation:

    SEI CERT C Coding Standard Recommendation MEM03-C: “Clear sensitive information stored in reusable resources” https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources

    ISO/IEC TR 24772:2013 “Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use” “Sensitive Information Uncleared Before Use” https://www.iso.org/standard/61457.html

    Other references:

        MITRE CWE-226 “Sensitive Information Uncleared Before Release” https://cwe.mitre.org/data/definitions/226.html

        CWE-244 “Improper Clearing of Heap Memory Before Release ('Heap Inspection')” https://cwe.mitre.org/data/definitions/244.html
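The memory-sanitisation references above describe the pattern but give no code. The following C example is added by the editor and is not part of the IoTSF document or of any cited standard; the 16-byte key, the 32-byte work buffer and the FNV-1a fold that stands in for a real use of the key are constructed for illustration. It contrasts a function that hands a reusable buffer back still holding key material (CWE-226) with one that wipes it through a volatile pointer before returning (MEM03-C), and shows wiping a heap copy before free() (CWE-244).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for key material; not a real key. */
static const unsigned char SAMPLE_KEY[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
};

/* Zeroise memory so the optimiser cannot drop the stores. A plain memset()
 * immediately before free() or return is a dead store that a compiler may
 * remove; writing through a volatile pointer forces every byte out. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* 1 if every byte of [p, p+n) is zero; used to verify that clearing happened. */
int is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Toy consumer of the key: FNV-1a fold to a 32-bit tag. It only stands in
 * for a cryptographic operation and is not a MAC. */
uint32_t fold32(const unsigned char *b, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 16777619u; }
    return h;
}

/* CWE-226: copy the key into a reusable work buffer (a pool slot or a reused
 * stack frame), use it, and hand the buffer back still holding the key. */
uint32_t tag_leaky(unsigned char *work, size_t work_len,
                   const unsigned char *key, size_t key_len) {
    if (key_len > work_len) return 0;
    memcpy(work, key, key_len);
    return fold32(work, key_len);          /* key bytes remain in work[] */
}

/* MEM03-C: same computation, but the whole buffer is wiped before it is
 * handed back, so the next user of the slot sees nothing. */
uint32_t tag_clearing(unsigned char *work, size_t work_len,
                      const unsigned char *key, size_t key_len) {
    if (key_len > work_len) return 0;
    memcpy(work, key, key_len);
    uint32_t tag = fold32(work, key_len);
    secure_zero(work, work_len);            /* clear before the slot is reused */
    return tag;
}

/* CWE-244: heap-held secrets are wiped before free(), otherwise the
 * allocator may hand the same bytes to the next malloc() caller. */
void free_secret(void *p, size_t n) {
    if (p == NULL) return;
    secure_zero(p, n);
    free(p);
}

/* Returns 1 if the leaky variant computes the tag but leaves the key in the slot. */
int demo_leaky_leaves_key(void) {
    unsigned char slot[32] = {0};
    uint32_t tag = tag_leaky(slot, sizeof slot, SAMPLE_KEY, sizeof SAMPLE_KEY);
    return tag == fold32(SAMPLE_KEY, sizeof SAMPLE_KEY)
        && memcmp(slot, SAMPLE_KEY, sizeof SAMPLE_KEY) == 0;
}

/* Returns 1 if the clearing variant computes the same tag and leaves the slot zeroed. */
int demo_clearing_wipes_slot(void) {
    unsigned char slot[32] = {0};
    uint32_t tag = tag_clearing(slot, sizeof slot, SAMPLE_KEY, sizeof SAMPLE_KEY);
    return tag == fold32(SAMPLE_KEY, sizeof SAMPLE_KEY)
        && is_zeroed(slot, sizeof slot);
}

/* Heap case: a copy of the key is used once, then wiped and freed. */
uint32_t demo_heap_secret(void) {
    unsigned char *copy = malloc(sizeof SAMPLE_KEY);
    if (copy == NULL) return 0;
    memcpy(copy, SAMPLE_KEY, sizeof SAMPLE_KEY);
    uint32_t tag = fold32(copy, sizeof SAMPLE_KEY);
    free_secret(copy, sizeof SAMPLE_KEY);
    return tag;
}

int main(void) {
    printf("leaky variant leaves key bytes in slot: %s\n", demo_leaky_leaves_key() ? "yes" : "no");
    printf("clearing variant leaves slot zeroed:    %s\n", demo_clearing_wipes_slot() ? "yes" : "no");
    printf("heap tag: 0x%08x\n", (unsigned)demo_heap_secret());
    return 0;
}
```

Where the platform provides them, explicit_bzero() (glibc 2.25 and later, the BSDs), memset_s() (C11 Annex K) or SecureZeroMemory() (Windows) do the same job as the hand-rolled secure_zero() and should be preferred; the volatile-pointer loop is the portable fallback. Whichever is used, the check is the same as in demo_clearing_wipes_slot(): inspect the reusable buffer after the function returns, at the optimisation level the product ships with.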

  1. NCSC password guidance https://www.ncsc.gov.uk/guidance/password-collection

  2. Privacy Impact Assessment advice can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/ and https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf

  3. NCSC guidance on TLS management https://www.ncsc.gov.uk/guidance/tls-external-facing-services

  4. WPA/WPA2 - Wi-Fi Protected Access, the Wi-Fi Alliance certification programmes based on the wireless security standard IEEE 802.11i-2004 (WPA2 implements the full standard) https://standards.ieee.org/standard/802_11i-2004.html

  5. ETSI EN 303 645 V2.1.1 (2020-06) “CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements”, produced by ETSI Technical Committee Cyber (TC CYBER): a standard that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

  6. NIST IR 8259A “IoT Device Cybersecurity Capability Core Baseline” May 2020 https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf