Don’t recreate the wheel — that’s what we have been taught since our first steps into the business world. It is great wisdom, yet it is rarely heeded, especially in IT. I often see IT managers and others in charge of information security stumbling to keep up; yet, the very solutions they need are right under their noses, in the form of international standards and frameworks.
The more popular and widely-accepted standards are:
COBIT – a widely-accepted framework for governance and management of enterprise IT with a focus on audit. COBIT 5 for Information Security is a security standard. www.isaca.org/COBIT/Pages/default.aspx.
ISO/IEC 27002:2005 – a “code of practice” for IT security management. In essence, it is comprehensive IT security practices applicable to businesses of all sizes. It costs about $225, but it is well worth it. www.iso.org/iso/catalogue_detail?csnumber=50297.
NIST 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations is a widely-accepted standard for government and private industry. http://csrc.nist.gov/publications/PubsSPs.html.
Open Web Application Security Project (OWASP) Top Ten Project – a collection of the top security risks and solutions for Web applications, a great resource for software developers. www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Mobile Security Project – a collection of the top security risks and solutions for mobile applications, which is becoming an important area of focus for IT and business. www.owasp.org/index.php/OWASP_Mobile_Security_Project.
Note that many of these standards date back several years, but that is OK; in fact, that proves that the IT challenges we face are changing rapidly, but that information security principles are not. James Martin’s book, Security, Accuracy, and Privacy in Computer Systems underscores this reality. The book dates to 1973, but it is still relevant to today’s security challenges. Our biggest problem is not implementing the tried-and-true principles we know have been working for decades.
One of the best things you can do for your business is to align IT security initiatives with one of the above standards. Doing so can drastically reduce the time and effort it takes to establish information security policies and procedures. It can also help drive down the costs of managing information security and compliance in coming years. Another benefit is that your business partners and customers will recognize what you are working with and it will show that management takes security seriously.
Government and industry regulations such as HIPAA, GLBA and PCI Data Security Standard (DSS) can help with your IT security efforts as well. In fact, if you focused solely on the prescriptive guidance found in the PCI DSS, you will be way ahead of the curve in your IT security program.
If your business must be compliant with several regulations at once (i.e. PCI DSS, HITECH and HIPAA, which is pretty common), it will prove to be difficult to focus on and incorporate each of the regulations into business processes. That’s where ISO/IEC 27002 or NIST 800-53 can come in handy — their guidance is at a high enough level that it can apply to practically every regulation across the board. In most situations, managing risks at a high level using one of these global-recognized standards is the recommended approach for managing compliance.
If you are looking for a real shortcut, why not turn to these global IT security standards? Implementing one, or a hybrid of several, will make your job easier. It’s also what’s best for the business.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic LLC. With more than 23 years experience, he specializes in performing independent security assessments to minimize information risks. He has authored/co-authored 10 books on information security, including Hacking For Dummies and the newly-released Implementation Strategies for Fulfilling and Maintaining IT Compliance. He’s the creator of the Security On Wheels information security audio books and blog. Reach him at www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.