In this video, Kip Boyle explores sources of controls for a successful information security program. Learn some of the best places to get information security controls for an organization.
- [Instructor] Let's take a look at some specific sources for information security controls. They will become the raw material for meeting your information security program goals and managing risk. Previously, we saw there are many compliance mandates that you could get your controls from. Some mandates, like the Sarbanes-Oxley Act of 2002, tell you what to do, but not how to do it. For example, Section 404 says a publicly traded company must file an annual report on the effectiveness of its internal control structure and procedures for financial reporting.
The implementation details are up to you. Which controls will you implement? How will you assess them? In contrast, the Payment Card Industry Data Security Standard tells you in great detail what to do to protect credit card data. For example, the first thing the standard tells you to do is build and maintain a secure network and systems. It then gives you two broad requirements for doing this. The first one states, "Install and maintain a firewall configuration to protect cardholder data." Then there are over 15 specific sub-requirements, such as requirement 1.2.3, which, as you can see, is quite lengthy and complex.
In either case, the compliance mandates should not be a primary source of controls for your program. They're too narrowly focused on their specific area of interest. They don't directly address all your customers' expectations, they aren't designed to fully support your executives and the board of directors, and they may not make you broadly resilient to cyber attacks and cyber failures. A better source of controls would be one of the more widely used information security standards.
We'll look at five altogether in this video. Let's begin by looking at three that have been published by the organizations who developed the content themselves. Up front, you need to know that while anyone can use these three standards, they work best at larger companies, and while each of these standards is thorough, they can also be complicated. The first is COBIT, which stands for Control Objectives for Information Technologies. COBIT is business-oriented. It was created for information technology management and governance.
The basic framework is free online, but you must pay license fees to get access to premium content. It's published by the non-profit independent ISACA organization. Lastly, COBIT is easy for both management and information security analysts to understand and follow. Next is NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This standard provides a catalog of security controls and a methodology for selecting ones that are appropriate for you.
It's particularly aimed at U.S. federal information systems, except those related to national security. It's published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. It's freely available to anyone and has a very large number of controls to choose from, but it's aimed at government systems, which may make it difficult for small and medium-sized organizations to use. The ISO 27002 International Standard is a catalog of controls that you can select from based on your needs.
This standard also contains implementation advice for ISO 27001, which describes how to construct an information security management system. These standards are a good choice if you do business globally and need to assure your customers of your information security practices. In order to use these standards, you must purchase a license for each person who needs a copy of the ISO documents. By also adopting the 27001 standard, you can pursue certification, which may increase your program maturity and provide your business with a useful marketing tool.
Another good source of controls would be an information security consensus standard. These have been created through a process involving many stakeholders, mostly information security practitioners from outside the publishing organization. Let's look at two of the most popular ones. First, the Critical Security Controls for Effective Cyber Defense, published by the Center for Internet Security. The 20 security controls on this list were selected because they are the most effective in stopping cyber attacks.
The publication was initially developed by the SANS Institute as the SANS Top 20. Ownership transferred to the non-profit Center for Internet Security in 2015. These controls are highly practical and effective, but they have some drawbacks. The list is almost entirely technical, with relatively little about people and process, and it can cost hundreds of thousands of dollars to adopt all of it. Unfortunately, the controls have no built-in method of measuring success. The second consensus standard we should review is the NIST Cybersecurity Framework.
It provides guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. It was created by a cross-functional team of experts from government and private industry. It was published by NIST in 2014. It was originally aimed at operators of critical infrastructure, such as electrical generation plants and water distribution systems; however, today it's being used by a wide range of businesses and organizations.
The standard is free for anyone to use. It's organized around cyber resilience, and it can scale down or up depending on organizational size. Based on guidance in the standard, it's difficult to measure how well the controls are implemented, and it may not be the best choice if you do business globally and need to assure your non-U.S. customers that you have robust information security practices.