“Cyberspace, as we know, is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information and communication technology (ICT) devices and networks,” said Maria Lazarte, ISO spokesperson. The ISO points out that collaboration among those stakeholders is essential to ensuring a safe online environment, yet it often fails to happen. So, “the new standard addresses security gaps arising from the lack of communication between the different users and providers of cyberspace,” she said.
Specifically, the new ISO/IEC 27032 offering provides a framework for information sharing, coordination and incident handling within the context of online, website-based communication, to facilitate secure and reliable collaboration that protects the privacy of individuals.
“Devices and connected networks that support cyberspace have multiple owners – each with their own business, operational and regulatory concerns,” explained Johann Amsenga, convenor of the working group that developed the standard. “Not only do the different users and providers share little or no input, but each has a different focus when dealing with security. Such a fragmented state opens up vulnerabilities in cyberspace. ISO/IEC 27032 will provide an overarching, collaborative, multi-stakeholder solution to reduce these risks.”
The standard has been in draft form since the summer, born from a need to consider information security risks that are unique to cyberspace. According to the ISO, the standard sprang from the fact that “cyberspace” is a difficult concept to define: it is a complex, highly variable and fluid virtual online environment, which makes it hard to pin down the associated information security risks.
Threats such as network and system hacking, spyware and malware, cross-site scripting, SQL injection and social engineering, together with information security issues relating to Web 2.0 and to the cloud computing and virtualization technologies that typically underpin virtual online environments and applications, could be classed as conventional system, network and application security risks, the ISO noted: “And in practice, [existing standards are largely concerned with information security risks associated with the Internet, rather than ‘the cyberspace’ per se].”
ISO/IEC 27032 focuses on detecting, monitoring for and responding to attacks such as social engineering in texts, emails and other messages; website-based hacks and the pushing of malware and spyware; and other unwanted software. Meanwhile, Section 7 of the standard distinguishes threats to personal assets from threats to organizational assets, which essentially concern compromises of privacy/identity and of corporate information, respectively.