Skip to content

The Great Thing About Standards…

October 22, 2008

“…is that there are so many of them to choose from”, or at least so goes the old saying. Information security is no exception; the byzantine tangle of best practices, standards, frameworks, and various governmental and industry mandates that are either dedicated to information security or contain security-related requirements shows no sign of abatement or unification anytime soon. Of course, if you’re a person who’s responsible for implementing all that stuff in your environment, you’re probably feeling some pain. Establishing common controls to meet compliance is a well-tested approach to meeting compliance, but where to begin?

Fortunately, some standards and frameworks for managing security are really starting to mature, to the point where they can become a starting point for building risk-driven common controls that easily map to regulations and other compliance drivers. Most of these frameworks and standards have been around for a number of years but through a combination of broad adoption, continuous feedback from adopters, and a mature management and improvement process, they are rapidly becoming a great starting point for building comprehensive information security. Here are three that I believe are well-balanced (addressing both technical and logical controls), risk-based (where the implementation of some or all controls is based on an analysis of risk to systems and data), and can be implemented across any industry:

  • · PCI Security Council (PCI) Data Security Standard (DSS) 2.0 – Recently released, the 2.0 version of the PCI-DSS standard focuses on a solid combination of static, pre-defined technical controls (e.g., minimum password lengths and complexity requirements), risk-based technical controls (e.g., business continuity infrastructure), and logical controls (e.g., written policies and procedures, and separation of duty). Although designed specifically for securing chain of custody around credit card data, PCI-DSS is rapidly becoming a standard of controls that organizations are applying to different types of data.
  • · ISACA Control Objectives for Information Technology (COBIT) 4.1 – The COBIT framework has long been a framework for managing information security. With a focus on processes – not just technology – COBIT has become the standard high-level framework used by global auditing firms to audit against compliance with SOX Sections 302/404, J-SOX, and other major financial regulations that address financial controls. Like other frameworks, COBIT is relatively light on technical controls (although there are some specific technical controls defined for applications, such as event auditing and monitoring); instead, the goal of COBIT is to provide a framework for using risk-based decisions to build and maintain a complete IT management program.
  • · International Standards Organization (IS) 27002:2005 – One of many IT-related best practice documents issued by ISO, ISO27002 (formerly known as ISO17799) is geared toward helping an organization establish risk-based decisions to build and maintain a security program. Unlike COBIT, which is focused on general IT controls, ISO27002 focuses very squarely on information security. Being part of the ISO family, ISO27002 is augmented with additional ISO-delivered guidance to help certain verticals – healthcare and financial services, for example – implement specific controls that are not only ISO27002 compatible, but compatible with other industry-specific laws and guidance.
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: