Compliance standards

Many sectors have standards that organizations must comply with in order to perform certain business operations or to ensure the security of their information. For example, most payment gateways, and any payment-related functionality, are required to be tested against the PCI standard to be considered secure.

The following are some of the standards in the market with which relevant organizations are expected to comply:

Auditors create a checklist to identify the gaps against an industry-standard baseline, allowing the organization to close those gaps and become compliant and certified. The compliance module in Nessus works in a similar fashion: it identifies configuration gaps, data leakage, and the level of compliance against various benchmarks.

The Nessus compliance module provides default audit files to check compliance against benchmarks for operating systems, network devices, software, and running services. Nessus has preloaded audit files for the Center for Internet Security (CIS), Health Insurance Portability and Accountability Act (HIPAA), and Tenable Network Security (TNS). It also allows the user to write a custom audit file using Nessus Attack Scripting Language (NASL). We will look at the customization of this in Chapter 7, Understanding the Customization and Optimization of Nessus and Nmap.
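To make the checklist idea concrete, here is an added example (not code from the book or from Tenable) of a minimal audit-style gap check: a constructed sshd_config fragment is compared against an illustrative baseline, and every directive that is missing or set to the wrong value is reported as a gap. The baseline values are chosen for the demonstration and are not taken from a published benchmark.

```python
import re

# Constructed sample: a fragment of an sshd_config as read from a host.
SAMPLE_CONFIG = """\
# OpenSSH daemon configuration (constructed sample)
Port 22
PermitRootLogin yes
X11Forwarding yes
#MaxAuthTries 6
LogLevel INFO
"""

# Illustrative checklist in the spirit of a hardening benchmark; the values
# are chosen for this demonstration, not taken from a published benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
    "Protocol": "2",
}

def parse_config(text):
    """Return {directive: value} for active lines; commented-out lines
    such as '#MaxAuthTries 6' are skipped, so they count as not set."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def find_gaps(config_text, baseline):
    """Return (directive, expected, actual) for each failed check; a
    directive absent from the file is reported with actual=None."""
    actual = parse_config(config_text)
    gaps = []
    for directive, expected in baseline.items():
        found = actual.get(directive)
        if found is None or found.lower() != expected.lower():
            gaps.append((directive, expected, found))
    return gaps

if __name__ == "__main__":
    for directive, expected, found in find_gaps(SAMPLE_CONFIG, BASELINE):
        state = "not set" if found is None else f"set to {found!r}"
        print(f"FAIL {directive}: expected {expected!r}, {state}")
```

Note that a directive present only as a comment (MaxAuthTries above) is reported as not set, which is how a real audit treats it: a commented-out hardening line provides no protection.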