ISO Standards



One of the topics I will comment on often here on monolithos is international standards. That is because I have no pretension of reinventing the wheel, and besides, taking advantage of what has already been developed with quality is a matter of obeying another fundamental rule I apply to my life, both personal and professional: K.I.S.S. (Keep It Simple, Stupid).

In my view and experience with Information Security, I firmly believe that using a standard as a guide (as a trail, as a reference) is the best way to take the first step. After that, if care is taken not to fall into two common temptations that follow the adoption of a standard, developing the next steps will be smooth and without impact on the organization's fundamental objective. So what are these two temptations? The first is the false sense of power and the resulting feeling of arrogance: that everything is perfect and nothing will go wrong, because an international standard has been adopted.

The other temptation, perhaps derived from the first, is to abandon the "trail" I mentioned above and turn it into a "track" (rigid, with no room to move), applying the standard with religious fervor, I would even say fanatically. I can guarantee that the chance of failure is very high in both situations. Well, the idea of this post is not to justify or recommend the adoption of standards; I want to discuss that many more times, but not now. My objective today is to draw attention to the number of information security standards that the most important international standards organization has to offer.

ISO, the International Organization for Standardization, has a Technical Committee known as JTC 1 (Joint ISO/IEC Technical Committee), whose subject of work is Information Technology. Within JTC 1 there is a subcommittee called SC 27, which deals with international standards related to IT security techniques. Just for reference, IEC is the International Electrotechnical Commission, a strong partner of ISO in this subcommittee. Well then, apart from the 27000 series, which every Information Security professional has at least heard of, there are dozens of other standards related to IT security. Below is a list of those that are published and in force:

- ISO/IEC 7064:2003
Information technology — Security techniques — Check character systems

- ISO/IEC 9796-2:2002
Information technology — Security techniques — Digital signature schemes giving message recovery — Part 2: Integer factorization based mechanisms

- ISO/IEC 9796-3:2006
Information technology — Security techniques — Digital signature schemes giving message recovery — Part 3: Discrete logarithm based mechanisms

- ISO/IEC 9797-1:1999
Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a block cipher

- ISO/IEC 9797-2:2002
Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function

- ISO/IEC 9798-1:2010
Information technology — Security techniques — Entity authentication — Part 1: General

- ISO/IEC 9798-2:2008
Information technology — Security techniques — Entity authentication — Part 2: Mechanisms using symmetric encipherment algorithms

- ISO/IEC 9798-3:1998
Information technology — Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques

- ISO/IEC 9798-4:1999
Information technology — Security techniques — Entity authentication — Part 4: Mechanisms using a cryptographic check function

- ISO/IEC 9798-5:2009
Information technology — Security techniques — Entity authentication — Part 5: Mechanisms using zero-knowledge techniques

- ISO/IEC 9798-6:2005
Information technology — Security techniques — Entity authentication — Part 6: Mechanisms using manual data transfer

- ISO/IEC 10116:2006
Information technology — Security techniques — Modes of operation for an n-bit block cipher

- ISO/IEC 10118-1:2000
Information technology — Security techniques — Hash-functions — Part 1: General

- ISO/IEC 10118-2:2010
Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using an n-bit block cipher

- ISO/IEC 10118-3:2004
Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash-functions

- ISO/IEC 10118-4:1998
Information technology — Security techniques — Hash-functions — Part 4: Hash-functions using modular arithmetic

- ISO/IEC 11770-1:1996
Information technology — Security techniques — Key management — Part 1: Framework

- ISO/IEC 11770-2:2008
Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques

- ISO/IEC 11770-3:2008
Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques

- ISO/IEC 11770-4:2006
Information technology — Security techniques — Key management — Part 4: Mechanisms based on weak secrets

- ISO/IEC 11889-1:2009
Information technology — Trusted Platform Module — Part 1: Overview

- ISO/IEC 11889-2:2009
Information technology — Trusted Platform Module — Part 2: Design principles

- ISO/IEC 11889-3:2009
Information technology — Trusted Platform Module — Part 3: Structures

- ISO/IEC 11889-4:2009
Information technology — Trusted Platform Module — Part 4: Commands

- ISO/IEC 13888-1:2009
Information technology — Security techniques — Non-repudiation — Part 1: General

- ISO/IEC 13888-2:1998
Information technology — Security techniques — Non-repudiation — Part 2: Mechanisms using symmetric techniques

- ISO/IEC 13888-3:2009
Information technology — Security techniques — Non-repudiation — Part 3: Mechanisms using asymmetric techniques

- ISO/IEC TR 14516:2002
Information technology — Security techniques — Guidelines for the use and management of Trusted Third Party services

- ISO/IEC 14888-1:2008
Information technology — Security techniques — Digital signatures with appendix — Part 1: General

- ISO/IEC 14888-2:2008
Information technology — Security techniques — Digital signatures with appendix — Part 2: Integer factorization based mechanisms

- ISO/IEC 14888-3:2006
Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms

- ISO/IEC 14888-3:2006/Amd 1:2010
Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm

- ISO/IEC 15292:2001
Information technology — Security techniques — Protection Profile registration procedures

- ISO/IEC 15408-1:2009
Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model

- ISO/IEC 15408-2:2008
Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components

- ISO/IEC 15408-3:2008
Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components

- ISO/IEC TR 15443-1:2005
Information technology — Security techniques — A framework for IT security assurance — Part 1: Overview and framework

- ISO/IEC TR 15443-2:2005
Information technology — Security techniques — A framework for IT security assurance — Part 2: Assurance methods

- ISO/IEC TR 15443-3:2007
Information technology — Security techniques — A framework for IT security assurance — Part 3: Analysis of assurance methods

- ISO/IEC TR 15446:2009
Information technology — Security techniques — Guide for the production of Protection Profiles and Security Targets

- ISO/IEC 15816:2002
Information technology — Security techniques — Security information objects for access control

- ISO/IEC 15945:2002
Information technology — Security techniques — Specification of TTP services to support the application of digital signatures

- ISO/IEC 15946-1:2008
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 1: General

- ISO/IEC 15946-5:2009
Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 5: Elliptic curve generation

- ISO/IEC 18014-1:2008
Information technology — Security techniques — Time-stamping services — Part 1: Framework

- ISO/IEC 18014-2:2009
Information technology — Security techniques — Time-stamping services — Part 2: Mechanisms producing independent tokens

- ISO/IEC 18014-3:2009
Information technology — Security techniques — Time-stamping services — Part 3: Mechanisms producing linked tokens

- ISO/IEC 18028-2:2006
Information technology — Security techniques — IT network security — Part 2: Network security architecture

- ISO/IEC 18028-3:2005
Information technology — Security techniques — IT network security — Part 3: Securing communications between networks using security gateways

- ISO/IEC 18028-4:2005
Information technology — Security techniques — IT network security — Part 4: Securing remote access

- ISO/IEC 18028-5:2006
Information technology — Security techniques — IT network security — Part 5: Securing communications across networks using virtual private networks

- ISO/IEC 18031:2005
Information technology — Security techniques — Random bit generation

- ISO/IEC 18032:2005
Information technology — Security techniques — Prime number generation

- ISO/IEC 18033-1:2005
Information technology — Security techniques — Encryption algorithms — Part 1: General

- ISO/IEC 18033-2:2006
Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers

- ISO/IEC 18033-3:2005
Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers

- ISO/IEC 18033-4:2005
Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers

- ISO/IEC 18043:2006
Information technology — Security techniques — Selection, deployment and operations of intrusion detection systems

- ISO/IEC TR 18044:2004
Information technology — Security techniques — Information security incident management

- ISO/IEC 18045:2008
Information technology — Security techniques — Methodology for IT security evaluation

- ISO/IEC 19772:2009
Information technology — Security techniques — Authenticated encryption

- ISO/IEC 19790:2006
Information technology — Security techniques — Security requirements for cryptographic modules

- ISO/IEC TR 19791:2010
Information technology — Security techniques — Security assessment of operational systems

- ISO/IEC 19792:2009
Information technology — Security techniques — Security evaluation of biometrics

- ISO/IEC 21827:2008
Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)

- ISO/IEC 24759:2008
Information technology — Security techniques — Test requirements for cryptographic modules

- ISO/IEC 24761:2009
Information technology — Security techniques — Authentication context for biometrics

- ISO/IEC 24762:2008
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services

- ISO/IEC 27000:2009
Information technology — Security techniques — Information security management systems — Overview and vocabulary

- ISO/IEC 27001:2005
Information technology — Security techniques — Information security management systems — Requirements

- ISO/IEC 27002:2005
Information technology — Security techniques — Code of practice for information security management

- ISO/IEC 27003:2010
Information technology — Security techniques — Information security management system implementation guidance

- ISO/IEC 27004:2009
Information technology — Security techniques — Information security management — Measurement

- ISO/IEC 27005:2008
Information technology — Security techniques — Information security risk management

- ISO/IEC 27006:2007
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

- ISO/IEC 27011:2008
Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

- ISO/IEC 27033-1:2009
Information technology — Security techniques — Network security — Part 1: Overview and concepts
