The Government Accountability Office this week issued a report on just that notion saying: "Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security. Greater knowledge of the guidance that is available could help both federal and private sector decision makers better coordinate their efforts to protect critical cyber-reliant assets."
Such information is valuable, though, because these myriad groups offer guidelines and principles as well as technical security techniques for maintaining the confidentiality, integrity, and availability of information systems and data, the GAO stated.
"When implementing cybersecurity technologies and processes, organisations can avoid making common implementation mistakes by consulting guidance developed by various other organisations. Public and private organisations may decide to voluntarily adopt this guidance to help them manage cyber-based risks," the GAO stated.
Who are some of these key organisations? From the GAO:
• International Organisation for Standardisation (ISO): a nongovernmental organisation that develops and publishes international standards. The standards, among other things, address information security by establishing guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation.
• International Electrotechnical Commission (IEC): an organisation for standardisation comprising all national electrotechnical committees. The commission publishes international standards, technical specifications, technical reports, and publicly available specifications and guides. Its information security standards address safety, security, and reliability in the design and operation of systems in the power industry, among other things.
• The International Telecommunication Union: a United Nations agency whose mission includes, among other things, developing technical standards and providing technical assistance and capacity building to developing countries. The union has also developed technical standards for security and, more recently, engaged in other cybersecurity activities. For example, the union has established a study group for telecommunications security to focus on developing standards and recommendations associated with network and information security, application security, and identity management. Similarly, the union, through its members' efforts, prepared a report on cybersecurity best practices for countries seeking to organise national cybersecurity efforts.
• The International Society of Automation (ISA): a global and nonprofit organisation that develops standards for automation. It has developed a series of standards to address security in industrial automation and control systems.
• The American National Standards Institute (ANSI): a US organisation that is responsible for coordinating and promoting voluntary consensus-based standards and information sharing to minimise overlap and duplication of US standards-related efforts. In addition, it is the representative of US interests in international standards-developing organisations.
In an earlier report the GAO identified 19 global organisations "whose international activities significantly influence the security and governance of cyberspace."
The organisations range from information-sharing forums that are non-decision-making gatherings of experts, to private organisations, to treaty-based, decision-making bodies founded by countries. The groups address a variety of topics, ranging from incident response and the development of technical standards to the facilitation of criminal investigations and the creation of international policies related to information technology and critical infrastructure, the GAO stated.
From that GAO report a few key influential groups include:
• Asia-Pacific Economic Cooperation (APEC) is a cooperative economic and trade forum designed to promote economic growth and cooperation among 21 countries from the Asia-Pacific region. APEC's Telecommunication and Information Working Group supports security efforts associated with the information infrastructure of member countries through activities designed to strengthen effective incident response capabilities, develop information security guidelines, combat cybercrime, monitor security implications of emerging technologies, and foster international cybersecurity cooperation.
• Association of Southeast Asian Nations (ASEAN) is an economic and security cooperative composed of 10 member nations from Southeast Asia. According to the 2009-2015 Roadmap for an ASEAN Community, it looks to combat transnational cybercrime by fostering cooperation among member nations' law enforcement agencies and promoting the adoption of cybercrime legislation. In addition, the road map calls for activities to develop information infrastructure and expand computer emergency response teams (CERTs) and associated drills to all ASEAN partners.
• The Council of Europe is a 47-member organisation founded in 1949 to develop common and democratic principles for the protection of individuals. In 2001, the council adopted a Convention on Cybercrime to improve international cooperation in combating actions directed against the confidentiality, integrity, and availability of computer systems, networks, and data. This convention identified agreed-upon cyber-related activities that should be deemed criminal acts in countries' domestic law. The US Senate ratified this convention in August 2006.
• The European Union is an economic and political partnership among 27 European countries. Subcomponents of its executive body, the European Commission, engage in cybersecurity activities designed to improve (1) preparedness and prevention, (2) detection and response, (3) mitigation and recovery, (4) international cooperation, and (5) criteria for European critical infrastructure in the information and communication technology sector. The European Commission also formed the European Network and Information Security Agency (ENISA), an independent agency created to enhance the capability of its members to address and respond to network and information security problems. Several independent organisations within Europe develop technical standards. The European Committee for Standardisation works to remove trade barriers for European industry and provides a platform for the development of European standards and technical specifications. The European Committee for Electrotechnical Standardisation is a not-for-profit technical organisation responsible for preparing voluntary standards for electrical and electronic goods and services in the European market. The European Telecommunications Standards Institute is also a not-for-profit organisation, responsible for producing globally applicable standards for information and communications technologies, including those supporting the Internet.
• Forum of Incident Response and Security Teams (FIRST) is an international federation of individual CERTs that work together to share technical and security incident information. It includes over 220 members from 42 countries. The members' incident response teams represent government, law enforcement, academia, the private sector, and other organisations. FIRST has also worked with multiple international standards organisations to develop standards for cybersecurity and incident management and response. In addition, FIRST maintains the Common Vulnerability Scoring System (CVSS) as a standard method for rating information technology vulnerabilities, which helps when communicating vulnerabilities and their properties to others.