# Compliance Standards and Policies

Regulations and compliance refer to the rules and standards that govern various aspects of an enterprise's operations, including software development. Adhering to them matters because failure to do so can result in financial penalties, increased scrutiny, further regulatory constraints, and negative publicity. Compliance is distinct from security: it measures adherence to an established set of rules, and strict compliance does not by itself guarantee that a system is secure, since the rules describe a minimum baseline rather than the threats a particular system actually faces.

## Security standards organizations

### ISO

ISO stands for the International Organization for Standardization. It is an international organization that develops and publishes standards to ensure the quality, safety, efficiency, and interoperability of products, services, and systems across various industries, including information security.

### IEC

The International Electrotechnical Commission (IEC) is an international standards organization that specializes in developing and publishing standards related to electrical and electronic technologies, components, and systems.

#### ISO/IEC 9126 Quality Characteristics

This ISO/IEC standard defines six quality characteristics that can be used to measure the quality of software:

* Functionality
* Reliability
* Usability
* Efficiency
* Maintainability
* Portability

Note that security is not a top-level characteristic in this model; it appears only as a sub-characteristic of Functionality. ISO/IEC 9126 has since been withdrawn and replaced by ISO/IEC 25010 (the SQuaRE series), which promotes Security (confidentiality, integrity, non-repudiation, accountability, authenticity) to a characteristic in its own right.

### SAFECode

SAFECode is an industry-supported organization that promotes collaboration among companies to enhance software assurance practices by sharing successful best practices and providing guidance on secure software development.

[**Practical Security Stories**](http://safecode.org/wp-content/uploads/2018/01/SAFECode_Agile_Dev_Security0712.pdf)

### **OWASP**

OWASP is a global, open community dedicated to enhancing application software security by publishing Top Ten vulnerability lists and providing valuable resources on their website ([www.owasp.org](http://www.owasp.org/)) to help organizations create more secure software.

### NIST

NIST, or the National Institute of Standards and Technology, is a non-regulatory U.S. federal agency within the Department of Commerce responsible for developing technology, measurements, and standards in support of the U.S. economy.

Within NIST, the Computer Security Division addresses computer security concerns, including compliance with laws such as the Federal Information Security Management Act (FISMA, updated in 2014 as the Federal Information Security Modernization Act). NIST publishes two key document types for this purpose: Federal Information Processing Standards (FIPS), which are mandatory for U.S. federal systems, and the Special Publication (SP) 800 series, which provides guidelines for information security practices, cryptographic protocols, and risk management frameworks. Both are widely used as reference material well beyond the federal government.

Some important publications are:

* FIPS 200: Minimum Security Requirements for Federal Information and Information Systems
* FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
* FIPS 197: Advanced Encryption Standard (AES)
* FIPS 186-3 / 186-4: Digital Signature Standard (DSS), superseded by FIPS 186-5 in 2023
* FIPS 140 series: Security Requirements for Cryptographic Modules (FIPS 140-2 and its successor FIPS 140-3)
* SP 800-152: A Profile for U.S. Federal Cryptographic Key Management Systems
* SP 800-107: Recommendation for Applications Using Approved Hash Algorithms
* SP 800-100: Information Security Handbook: A Guide for Managers
* SP 800-63: Digital Identity Guidelines
* SP 800-53: Security and Privacy Controls for Information Systems and Organizations
* SP 800-30: Guide for Conducting Risk Assessments
* SP 800-12: An Introduction to Information Security
* SP 800-218: Secure Software Development Framework (SSDF)
