Don’t recreate the wheel — that’s what we have been taught since our first steps into the business world. It is great wisdom, yet it is rarely heeded, especially in IT.
I often see IT managers, compliance officers and others in charge of information security stumbling to keep up with it all. Yet the very solutions they need are right under their noses, in the form of international standards and frameworks. The more popular and widely-accepted standards are:
COBIT – a widely-accepted framework for the governance and management of enterprise IT with a focus on audit. There’s also an IT security-focused standard called COBIT 5 for Information Security www.isaca.org/COBIT/Pages/default.aspx.
ISO/IEC 27002:2005 – a “code of practice” for information security management. In essence, it is a comprehensive set of IT security practices applicable to businesses of all sizes. It costs about $225, but it is well worth it www.iso.org/iso/catalogue_detail?csnumber=50297.
NIST 800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations. It is a widely-accepted standard for government and private industry http://csrc.nist.gov/publications/PubsSPs.html.
Open Web Application Security Project (OWASP) Top Ten Project – a collection of the top security risks and solutions for Web applications that has proven to be a great resource for software developers www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
OWASP Mobile Security Project – a collection of the top security risks and solutions for mobile applications, which is becoming an important area of focus for IT and business www.owasp.org/index.php/OWASP_Mobile_Security_Project.
Note that many of these standards date back several years, but that is OK; in fact, that proves that the IT challenges we face are changing rapidly, but that information security principles are not. James Martin’s book, Security, Accuracy, and Privacy in Computer Systems underscores this reality. The book dates to 1973, but it is still relevant to today’s security challenges. Our biggest problem is not implementing the tried-and-true principles we know have been working for decades.
One of the best things you can do for your business is to align IT security initiatives with one of the above standards. Doing so can drastically reduce the time and effort it takes to establish information security policies and procedures. It can also help drive down the costs of managing information security and compliance in coming years. Another benefit is that your business partners and customers will recognize what you are working with and it will show that management takes security seriously.
Government and industry regulations such as HIPAA, GLBA and PCI Data Security Standard (DSS) can help with your IT security efforts as well. In fact, if you focused solely on the prescriptive guidance found in the PCI DSS, you will be way ahead of the curve in your IT security program.
If your business must be compliant with several regulations at once (i.e. PCI DSS, HITECH and HIPAA, which is pretty common), it will prove to be difficult to focus on and incorporate each of the regulations into business processes. That’s where ISO/IEC 27002 or NIST 800-53 can come in handy — their guidance is at a high enough level that it can apply to practically every regulation across the board. In most situations, managing risks at a high level using one of these global-recognized standards is the recommended approach for managing compliance.
If you are looking for a real shortcut, why not turn to these global IT security standards? Implementing one, or a hybrid of several, will make your job easier. It’s also what’s best for the business.
Today’s Homework: Download and study these widely-accepted IT security standards
If you work in IT in any capacity, it would be wise to study these standards. Purchase and/or download the documents and at least read them during lunch or at the end of the day. Keep them handy and put it on your calendar to re-review the standards every month or so. Walking the walk requires talking the talk — develop a plan to incorporate one or more standards into your day-to-day IT operations next year. Even if you are not directly responsible for IT security and compliance, just being on the same page as those who are when these conversations come up can be extremely helpful.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With more than 23 years of industry experience, he specializes in performing independent security assessments to minimize information risks. He has authored/co-authored 10 books on information security including the best-selling Hacking For Dummies as well as the newly-released Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog. Reach him at www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.
