Those standards listed under Australia/New Zealand are those that have been developed locally. All others are listed as international. Note that a number of international standards (eg ISO standards) apply in Australia and New Zealand.

The list provided has been constructed with a view to what interests AusCERT members. We will be happy to add further references as requested or required. Please contact AusCERT ( http://www.auscert.org.au) if you have any comments or questions.

Note: AusCERT has not reviewed all of the documents listed in this web page. This information is provided purely as a reference for AusCERT members ( http://www.auscert.org.au/render.html?it=1959).

Management

Evaluation

Development

Financial

Risk

Authentication

Information Security Management

• ACSI33

  The Defence Signals Directorate has produced the Australian Communications Security Instruction Number 33 (ACSI33) Security Guidelines for Australian Government IT Systems document. This document is available at http://www.dsd.gov.au/library/infosec/acsi33.html .

• Operating System Checklists

  AusCERT and the CERT Coordination Center have produced the Windows NT Configuration Guidelines, available from http://www.auscert.org.au/render.html?it=1970

  AusCERT has also produced the UNIX Computer Security Checklist, available from http://www.auscert.org.au/render.html?it=1935

International

• ISO/IEC 17799:2005

  The primary information security standard in Australia was AS4444, and in New Zealand was NZS4444. These have been replaced with the international standard, 17799. See Standards Australia OnLine at http://www.standards.com.au.

  Quality Assurance Services is currently coordinating a certification program for this standard. This certification program is discussed at their Quality Assurance Services web site (http://www.sai-global.com/assuranceservices/certification/InfoSecurityManagement/).

• ISO/IEC 27001:2005

  A widely accepted standard, the British Standard BS 7799 has been updated and published as the international standard ISO/IEC 27001. It was developed by the British Standards Institute ( http://www.bsi-global.com) and is sometimes referred to as BS ISO/IEC 27001:2005.

• RFC 2196

  The Internet Engineering Task Force (IETF) has produced RFC2196 Site Security Handbook, which provides practical guidance to administrators trying to secure their information and services. It is available from http://www.ietf.org/rfc/rfc2196.txt.

• IT Baseline Protection Manual (Germany)

  The Federal Agency For Security In Information Technology in Germany has produced the IT Baseline Protection Manual. This document presents a set of recommended standard security measures or "safeguards", as they are referred to in the manual, for typical IT systems. The most recent version is dated October 2000. Further information can be found at http://www.bsi.bund.de/gshb/english/etc/menue.html.

• OECD Guidelines

  OECD Guidelines for the Security of Information Systems, are available at http://www.oecd.org/document/42/0,2340,en_2649_34255_15582250_1_1_1_1,00.html.

Evaluation

• Gateway Certification Guide

  The Defence Signals Directorate has also produced the Gateway Certification Guide, which provides guidelines for independent assessment of an agency gateway. This document is available at http://www.dsd.gov.au/library/infosec/gateway.html.

• DSD EPL

  The Defence Signals Directorate administers the Australian government's Evaluated Products List. Details are available at http://www.dsd.gov.au/infosec/evaluation_services/epl/epl.html.

International

• ISO 15408 ("Common Criteria")

  The International Organization for Standardization (ISO) has produced ISO standard IS 15408. This standard, The Common Criteria for Information Technology Security Evaluation v2.1 (ISO IS 15408) is effectively an evolutionary blending of ITSEC (see below), the Canadian criteria, and the US Federal Criteria.

  It available from http://csrc.nist.gov/cc/ccv20/ccv2list.htm.

• Rainbow Series ("Orange Book") (US)

  An important series of documents are the Rainbow Series, which outline a number of security standards developed in the United States. This series is available at http://www.radium.ncsc.mil/tpep/library/rainbow/.

  Perhaps the most important of these books is the Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book). While this standard has effectively been superseded by other standards outlined above (it is dated 1985), it is nevertheless a useful document. A further document, the US Federal Criteria, was drafted but not adopted in the early 1990's.

  TCSEC can be found at http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

• Information Technology Security Evaluation Criteria ("ITSEC") (UK)

  The United Kingdom produced the Information Technology Security Evaluation Criteria (ITSEC) in the early 1990's, and this is another important historical evaluation scheme/standard. It builds on the Orange Book scheme to some extent, with greater granularity.

  Details about the scheme are available at http://www.itsec.gov.uk/.

Development

• Capability Maturity Model (CMM)

  The Software Engineering Institute pioneered the development of the Capability Maturity Model, which is method for process maturity assurance. Details are available at http://www.sei.cmu.edu/cmm/cmms/cmms.html.

• System Security Engineering Capability Maturity Model (SSE-CMM)

  A derivative of this work is the System Security Engineering Capability Maturity Model. Details are available at http://www.sse-cmm.org/.

Financial

• AS2805 ("Electronic funds transfer")

  Standards Australia has a standard for electronic payment implementation. The standard is AS2805, specifically AS 2805.4-1985 Electronic funds transfer - Requirements for interfaces - Message authentication and AS 2805.4.1-2001 Electronic funds transfer - Requirements for interfaces - Message authentication - Mechanisms using a block cipher. These standards are available by accessing the Standards Australia OnLine Catalogue and searching on Australian standard number 2805.

International

• ISO 11131 ("Banking and Related Financial Services; Sign-on Authentication")

  ISO 11131:1992 Banking and Related Financial Services; Sign-on Authentication is available by accessing the Standards Australia OnLine Catalogue and searching on ISO standard number 11131.

• ISO 13569 ("Banking and Related Financial Services -- Information Security Guidelines")

  ISO 13569:1997 Banking and Related Financial Services -- Information Security Guidelines (several documents) is available by accessing the Standards Australia OnLine Catalogue and searching on ISO standard number 13569.

Risk

• AS/NZS 4360 ("Risk Management")

  Australian/New Zealand Standard AS/NZS 4360:1999 Risk Management. More information is available by accessing the Standards Australia OnLine Catalogue and searching on Australian standard number 4360.

  Associated documents that may be of interest are HB 231:2000 Information security risk management guidelines and HB 240:2000 Guidelines for managing risk in outsourcing utilizing the AS/NZS 4360 process. More information is available by accessing the Standards Australia OnLine Catalogue and searching on HB 231 and HB 240 respectively.

International

• Acquisition Risk Management (US)

  The Software Engineering Institute has some discussion on Acquisition Risk Management. Details are available at d http://www.sei.cmu.edu/arm/index.html.

Authentication

• AS4539 ("Information technology - Public Key Authentication Framework")

  Public Key authentication systems are governed by several documents that fall under Australian Standard 4539 Information technology - Public Key Authentication Framework. More information is available by accessing the Standards Australia OnLine Catalogue and searching on Australian standard number 4539.

International

• ISO 11131 ("Banking and Related Financial Services; Sign-on Authentication")

  ISO 11131:1992 Banking and Related Financial Services; Sign-on Authentication is available by accessing the Standards Australia OnLine Catalogue and searching on ISO standard number 11131.