A security policy based on actual use cases has been documented, as have the components of the ecosystem. Before devising a practical implementation and configuration plan, one more assessment should be done involving the application of best practices and compliance mandates.
Best practices are informative rule sets to provide guidelines for acceptable use, resource optimization, and well-known security protections. These rules may be derived from those commonly accepted in the information technology industry, from vendor recommendations and advisories, legislation, and specific business mandates.
In the more formal sense, best practices are outlined in frameworks built from industry standards. These standards define system parameters and processes as well as the concepts and designs required to implement and maintain them. Standards-based best practices can be used as guidelines, but for many entities, their application is mandatory.
Well-known open standards applicable to IT governance, security controls, and compliance are:
ISO/IEC 27000 (Replicated in various country-specific equivalents)
The Code of Practice for Information Security Management addresses control objectives and focuses on acceptable standards for implementing the security of information systems in the areas of:
- Asset management
- Human resources security
- Physical security
- Access control
- IT acquisition
- Incident management
The 27000 framework is outlined in two documents:
27001 – the certification standard for measuring, monitoring, and security management control of Information Security Management Systems
27002 – security controls, measures, and code of practice for implementations and the methodologies required to attain the certification defined in 27001
Control Objectives for Information and Related Technology is a recognized framework for IT controls and security. It provides guidance to the IT audit community in the areas of risk mitigation and avoidance. It’s more focused on system processes than the security of those systems through control objectives defined in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring and Evaluation.
The Payment Card Industry Security Standards Council (PCI SSC) defines Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). These payment brands and acquirers are responsible for enforcing compliance and may fine an acquiring bank for compliance violations.
While also based on best practices, these frameworks focus on industry specific security controls and risk management. Compliance is mandatory and monitored by formal audits conducted by regulatory bodies to ensure certification is maintained in accordance with the industry and any legislation defined in a governing act. Failure to satisfy the criteria can leave an entity open to legal ramifications, such as fines and even jail time. Often standards-driven best practices documents, such as ISO 27002, are the foundation for application of requirements defined in each act.
Three of the most common regulatory and legislative acts are:
GLBA (Gramm-Leach-Bliley Act)
Primarily used by the U.S. financial sector and covers organizations engaging in financial activity or classified as financial institutions that must establish administrative, technical, and physical safeguard mechanisms to protect information. The act also mandates requirements for identifying and assessing security risks, planning and implementing security solutions to protect sensitive information, and establishing measures to monitor and manage security systems.
HIPAA (Health Insurance Portability and Accountability Act)
Applies to organizations in the health care sector in the U.S. Institutions must implement security standards to protect confidential data storage and transmission, including patient records and medical claims.
SOX (Sarbanes-Oxley Act)
Also known as the U.S. Public Company Accounting Reform and Investor Protection Act, it holds corporate executives of publicly listed companies accountable in the area of establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting. The act consists of 11 titles outlining the roles and processes required to satisfy the act, as well as reporting, accountability, and disclosure mandates. Although the titles don’t address security requirements specifically, title areas calling for audit, data confidentiality and integrity, and role-specific data access will require the implementation of a security framework such as ISO 27000 and/or COBIT.
Even if an organization doesn’t need to satisfy a formal mandate, understanding the content of well-defined security frameworks can ensure no critical data handling processes and policies are missed. If a formal framework is required, it will influence the tools and best practices methods used for policy implementation as well as monitoring and reporting requirements. These topics will be covered in the final two installments of this blog series.