Mike's Notes

Compliance Standards and Policies

Regulations and compliance refer to the rules and standards that govern an enterprise's operations, including how it develops software. Adhering to them matters because non-compliance can bring financial penalties, increased regulatory scrutiny, future constraints on the business, and negative publicity. Compliance is distinct from security. Compliance means demonstrably meeting an established set of rules; a system can be fully compliant and still be insecure, and it can be well secured yet out of compliance. Treat compliance requirements as a floor for a security program, not as a substitute for one.

Security standards organizations

ISO

ISO stands for the International Organization for Standardization. It is an international body that develops and publishes standards to ensure the quality, safety, efficiency, and interoperability of products, services, and systems across many industries, including information security. For information security the relevant family is ISO/IEC 27000, in particular ISO/IEC 27001 (requirements for an information security management system, and the standard organizations are certified against) and ISO/IEC 27002 (guidance on the individual controls).

IEC

The International Electrotechnical Commission (IEC) is an international standards organization that specializes in developing and publishing standards related to electrical and electronic technologies, components, and systems.

ISO/IEC 9126 Quality Characteristics

This ISO/IEC standard defines six quality characteristics that can be used to measure the quality of software. Note that ISO/IEC 9126 has been withdrawn and replaced by ISO/IEC 25010, which expands the model and adds Security as a quality characteristic in its own right rather than treating it as a sub-characteristic of Functionality. The six original characteristics are:

  • Functionality

  • Reliability

  • Usability

  • Efficiency

  • Maintainability

  • Portability

SAFECode

SAFECode (the Software Assurance Forum for Excellence in Code) is an industry-supported, non-profit organization that promotes collaboration among companies to improve software assurance. It does this by sharing proven practices and publishing guidance on secure software development, such as its Practical Security Stories guidance for agile teams.

OWASP

OWASP (the Open Worldwide Application Security Project) is a global, open community dedicated to improving application software security. It publishes the OWASP Top Ten list of the most critical web application risks and provides many other free resources on its website (www.owasp.org), including the Application Security Verification Standard (ASVS), the Web Security Testing Guide, and the Cheat Sheet Series, to help organizations build more secure software.
NIST

NIST, the National Institute of Standards and Technology, is a U.S. federal agency (part of the Department of Commerce) that develops technology, measurements, and standards in support of the U.S. economy. Within NIST, the Computer Security Division addresses computer security concerns, including guidance that supports compliance with laws such as the Federal Information Security Management Act of 2002 (FISMA), as amended by the Federal Information Security Modernization Act of 2014. NIST publishes two document types of particular importance: Federal Information Processing Standards (FIPS), which are mandatory for U.S. federal information systems, and the Special Publication (SP) 800 series of guidelines covering information security practices, cryptographic algorithms and protocols, and risk management. Both are widely adopted outside the federal government as well.

Some important publications are:

  • FIPS 200: Minimum Security Requirements for Federal Information and Information Systems (requires selecting a baseline of controls from SP 800-53 according to the FIPS 199 categorization)

  • FIPS 199: Standards for Security Categorization of Federal Information and Information Systems (low, moderate, and high impact levels for confidentiality, integrity, and availability)

  • FIPS 197: Advanced Encryption Standard (AES)

  • FIPS 186 series: Digital Signature Standard (DSS), covering approved signature algorithms such as RSA and ECDSA. FIPS 186-3 has been superseded by FIPS 186-4 and, since 2023, by FIPS 186-5, which adds EdDSA and no longer approves DSA for generating new signatures

  • FIPS 140 series: Security Requirements for Cryptographic Modules (FIPS 140-2, now FIPS 140-3), the standard that cryptographic modules are validated against

  • SP 800-152: A Profile for U.S. Federal Cryptographic Key Management Systems

  • SP 800-107: Recommendation for Applications Using Approved Hash Algorithms

  • SP 800-100: Information Security Handbook: A Guide for Managers

  • SP 800-63: Digital Identity Guidelines (identity proofing, authentication and authenticator assurance levels, and federation)

  • SP 800-53: Security and Privacy Controls for Information Systems and Organizations (the control catalog that FIPS 200 and FedRAMP baselines draw from)

  • SP 800-30: Guide for Conducting Risk Assessments

  • SP 800-12: An Introduction to Information Security

  • SP 800-218: Secure Software Development Framework (SSDF), a set of high-level practices for integrating security into the software development life cycle


Last updated 1 year ago
