Transcript Slide 1
Brief Synopsis of Computer Security Standards

Tenets of Information Systems Security
Confidentiality
Integrity
Availability

Over the years, standards and legislation have been created to support the tenets of information systems security.
1968 NBS
The National Bureau of Standards conducts a study of the US Government's computer security needs.

1972 NBS & ACM
NBS, in collaboration with the ACM (Association for Computing Machinery), sponsors the first conference on computer security.
1974 TEMPEST
Establishes standards for shielding emanations.
1977 NBS & ANSI
NBS sponsors workshops on auditing and evaluating computer system security.
ANSI (American National Standards Institute) adopts DES, the Data Encryption Standard, as the official standard encryption for unclassified data.
1986: NSA no longer endorses DES.
1980 Computer Security Center
The Department of Defense establishes the Computer Security Center within the NSA.

1983 TCSEC Orange Book Release
DoD releases the "Trusted Computer System Evaluation Criteria" (TCSEC), affectionately known as the "Orange Book" because of its orange cover.
Revised in 1985
Retired in 2002
1984 NSTISSP
National Security on Telecommunications and Automated Information Systems Security gave the NSA the authority to advise the private sector on computer security.
http://www.fas.org/irp/offdocs/nsdd145.htm
1986 Computer Fraud and Abuse Act
Establishes legal action against unauthorized or fraudulent access to government computers and electronic data.

1987 Computer Security Act
Government agencies must have a well-defined information system security plan.
Common Criteria
Developed during the 1990s in Europe, then established later in Canada.
Superseded the TCSEC (Orange Book) circa 2002.

1996 HIPAA
Health Insurance Portability and Accountability Act
Among other things, it establishes standards for electronic health care transactions.
Establishes the importance of privacy and security for health care data.
1999 Gramm-Leach-Bliley Act
Contains a financial privacy rule.
Requires financial institutions to design, implement, and maintain safeguards to protect customer information.

2002 SOX
Sarbanes-Oxley
Among other things, impacts internal controls over data relevant to the auditing of records belonging to publicly traded companies.
2002 FISMA
Federal Information Security Management Act
Each federal agency must develop, document, and implement an agency-wide security program to protect its information systems, data, and infrastructure.

2004 PCI SSC
Payment Card Industry Security Standards Council
Establishes a minimum level of security for merchants and card issuers.
2009 HITECH Act
Health Information Technology for Economic and Clinical Health Act
Designed to further support HIPAA rules.
Addresses privacy and security concerns associated with the electronic transmission and storage of health information.