Chapter 106 · Security Program Management

Security Standards

Password standards, access control standards, physical security standards, and encryption standards — the specific technical and procedural requirements that translate security policies into enforceable organizational rules.

Confidential
Report ID: SS-2024-001Domain: Security Program ManagementTopic: Password & Access Control Standards

Password and Access Control Standards

Security standards are specific, measurable requirements derived from security policies. Where a policy states "passwords must be secure," a standard specifies "passwords must be at least 12 characters and include three of four character classes." Standards bridge the gap between policy intent and technical implementation.

Password Standards

Password standards define the specific technical requirements for credentials used to authenticate users to organizational systems. A comprehensive password standard addresses:

Password storage must use hashed + salted values, never plaintext or reversible encryption. If credentials are breached and stored in plaintext, every user account is immediately compromised. Hashing limits the damage to offline cracking attempts.

Access Control Standards

Access control standards define how access to systems and data is granted, managed, and removed. The standard must specify the access control model and the processes that support it.

ModelHow Access Is DeterminedTypical Use
MAC (Mandatory Access Control)System-enforced labels (Top Secret, Secret, Unclassified); users cannot grant access beyond their clearanceGovernment/military; high-security classified environments
DAC (Discretionary Access Control)Resource owner grants access at their discretion (file owner sets permissions)Consumer OS (Windows/Linux standard permissions)
RBAC (Role-Based Access Control)Access determined by job role; users inherit permissions of their role(s)Enterprise environments; most common organizational standard
ABAC (Attribute-Based Access Control)Access determined by multiple attributes: user attributes + resource attributes + environment (time, location)Cloud environments; fine-grained access requirements

Access control standards must also address: the approval process for granting access (who approves access requests and at what level), and removal procedures for termination/expiry/contract end — access must be removed immediately upon separation, not when someone gets around to it.

Confidential
Report ID: SS-2024-002Domain: Security Program ManagementTopic: Physical Security Standards

Physical Security Standards

Physical security standards define the controls required to protect facilities, equipment, and assets from physical threats. Physical security is layered: outer perimeter controls limit who can enter the building; interior controls limit who can access specific areas; equipment controls protect individual devices.

Personnel Classification for Physical Access

Physical security standards must differentiate access levels based on the trust and verification level of the individual:

Visitors must always be escorted. An unescorted visitor in a server room or secure area is a physical security violation regardless of how friendly or familiar they appear.

Physical Access Controls

Standards specify the types of physical access controls required for different areas:

Physical Security and the Insider Threat

Physical security standards must account for the insider threat: employees who have legitimate physical access but misuse it. Controls include: least privilege physical access (employees only access areas required for their role), visitor escort requirements even for familiar-looking individuals, tailgating prevention (anti-passback systems, mantrap/airlock entries), and regular access reviews to ensure access is appropriate for current job functions.

Confidential
Report ID: SS-2024-003Domain: Security Program ManagementTopic: Encryption Standards & Frameworks

Encryption Standards and Security Frameworks

Encryption Standards

Encryption standards specify which algorithms, key lengths, and protocols are approved for protecting organizational data. Standards must address data in three states:

Data StateDefinitionStandard Requirements
Data at restStored data on disks, databases, backups, USB drivesAES-256 for full-disk encryption (BitLocker, FileVault); database encryption; encrypted backups. Encryption key management standards.
Data in transitData moving across networks or between systemsTLS 1.2 minimum (TLS 1.3 preferred); deprecated protocols (SSL, TLS 1.0/1.1) prohibited; VPN for remote access; certificate standards.
Data in useData being actively processed in memoryEmerging area; hardware-based trusted execution environments (TEE); secure enclaves. Many organizations do not yet have formal data-in-use standards but the concept is tested.

Different systems may have different encryption requirements based on data sensitivity. A standard may require AES-256 for systems processing PII or financial data, while permitting AES-128 for less sensitive internal systems. The key principle: the encryption requirement must match the sensitivity of the data being protected.

Password Storage Encryption Standard

Password storage is a specific encryption standard requirement: passwords must be stored using a one-way hashing algorithm with salt, not in plaintext or with reversible encryption. Current recommended algorithms: bcrypt, Argon2, PBKDF2. The salt is a unique random value added to each password before hashing, preventing rainbow table attacks (where an attacker pre-computes hashes for common passwords). Each user's password has a unique salt, so even identical passwords produce different hashes. MD5 and SHA-1 are deprecated for password storage due to speed (makes brute force faster) and known vulnerabilities.

ISO/IEC 27001

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization. Key characteristics:

NIST Frameworks for Standards

NIST publications provide detailed standards guidance used by US government agencies and widely adopted in private industry:

ISO 27001 is internationally certified. NIST frameworks are US government guidance widely adopted privately. Organizations may align to one or both. Neither replaces the other; they address different audiences and serve different compliance contexts.