Standards and Best Practices

The importance of information security in organizations cannot be overstated. It is critical that companies take the steps needed to protect their most valuable information from data breaches and other security threats. Standards and best practices provide guidance that helps organizations improve their cybersecurity posture. They also provide a common set of reference points against which an organization can evaluate whether its processes, procedures, and other controls meet an agreed minimum requirement. IDmelon, as one of the pioneers in implementing the FIDO authentication protocols, follows the relevant information security standards and best practices for managing and protecting valuable data and information assets. In the following, we describe the standards and best practices we have implemented for our products and services.

Information Security Management System (ISO/IEC 27001)

IDmelon began establishing and implementing an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard some time ago. We run the Plan-Do-Check-Act (PDCA) cycle annually to keep the ISMS as complete and effective as possible.

NIST Special Publication 800 series

The NIST SP 800 series is a set of documents that describe security guidelines for US federal government agencies. IDmelon, as a private organization, is not bound by the NIST SP 800 series, but we have already adopted several of its publications as part of our business practices, including the following:

  • NIST SP 800-53 R5 as a reference to supplement our list of security controls in multiple domains.
  • NIST SP 800-53A R4 as a complementary guide providing a checklist of assessment procedures for evaluating the effectiveness of security controls.
  • NIST SP 800-34 as a reference for developing contingency and continuity plans and organizing the related team structures.
  • NIST SP 800-37 (the Risk Management Framework) as the basis for a multi-step process to manage the risks of operating information systems.
  • NIST SP 800-30 as a reference for conducting risk assessments to satisfy clause 8.2 (information security risk assessment) of ISO/IEC 27001.
  • NIST SP 800-64 R2 (since withdrawn by NIST, but still a usable reference) for the security considerations taken into account in our System Development Life Cycle.

GDPR for Data Privacy

The GDPR aims to protect the personal data of individuals in the European Union. Because of IDmelon's presence in the European market, we have mapped the GDPR's requirements into a checklist that guides our implementation and helps us remain compliant.

Information Security Maturity Model

Information security maturity models are frameworks and best practices for evaluating and improving an organization's cybersecurity program and strengthening its operational resilience. The IDmelon security team selected C2M2 (Cybersecurity Capability Maturity Model) as the base model for evaluating our information security maturity. However, because we implement ISO/IEC 27001 and use NIST SP 800-53 as a supplementary control set, we have tailored the C2M2 domains to our organizational needs.