What security standards are there with regard to hosting and why do I need them?
A webshop owner has a legal responsibility to keep customer data safe and to respect the privacy of people who visit the shop. Cybersecurity is the general term used to describe all the physical, technical and procedural measures taken to make sure that your responsibilities are fulfilled. Security is therefore a means to an end: a way of protecting your customers and making sure that you comply with the law.
You need security because, without it, you run the risk of losing the confidence of your customers and getting into trouble with the authorities.
But how can you tell whether your webshop is secure? Unfortunately you can't tell for certain. What you can do (usually with the help of your hosting service provider) is make sure that you've taken all the precautions that security experts agree are needed. That's where standards come in. Various international bodies have drawn up standards, defining what precautions should be taken. Those standards serve to guide security professionals. They also provide the basis for certification bodies to check whether security management systems are up to scratch.
In the hosting industry, the key security standard is ISO 27001, which defines what needs to be done to manage security threats. It's important to understand that ISO 27001 is non-prescriptive. In other words, it says what has to be taken care of, not how it has to be taken care of. For example, it requires that adequate physical security is provided; it doesn't specify what kind of locks you need on the doors. Think of the standard as a checklist of the points that you and/or your hosting service provider need to cover.
To help with the practicalities of providing security, ISO 27001 has a sister standard: ISO 27002. ISO 27002 contains best practice recommendations on security policies, the organisation of information security, the human resource management aspects of security, asset management, access control, cryptography, physical security and so on.
Wider and deeper coverage of the control topics defined in ISO 27002 is available from the Standard of Good Practice for Information Security (SoGP), published by the Information Security Forum (ISF). The SoGP also covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases, and cloud computing.
Another valuable resource is the IETF's RFC 2196, which describes how to develop security policies and procedures for information systems connected to the Internet. RFC 2196 is concerned with the day-to-day practicalities of subjects such as network security, incident response and security policy.
Only large businesses with their own security and/or quality management personnel can realistically expect to get to grips with the nuts and bolts of the standards described above. Most SMEs effectively have to contract out large parts of their cybersecurity to hosting service providers, software suppliers and content managers. It's nevertheless important that you understand where their responsibilities end and yours begin.
Smaller businesses are also the target audience for the IASME standard, which sets out criteria for cybersecurity readiness in SMEs. IASME was created to enable SMEs to achieve an accreditation similar to ISO 27001, but with reduced complexity and administrative burden and at a lower cost.