<div dir="ltr"><a href="http://www.computerworld.com/article/3054556/security/when-it-comes-to-security-standards-one-size-doesnt-fit-all.html">http://www.computerworld.com/article/3054556/security/when-it-comes-to-security-standards-one-size-doesnt-fit-all.html</a><br><p>
The <a href="http://www.defensivesecurity.org/defensive-security-podcast-episode-155/">Defensive Security Podcast</a>
talked last week about comments made by the California attorney general
in releasing a study of data breaches in that state. While the report
itself did not include any earth-shattering insights, a related comment
has caused quite a stir in the information security community. The AG
indicated that those organizations not implementing the 20 controls
discussed in the <a href="https://www.cisecurity.org/critical-controls.cfm">Center for Internet Security's Critical Security Controls</a> document would not be considered to have "reasonable security."
</p><p>
Now, I have great respect for the Center for Internet Security. In a
perfect world, everyone would have already implemented all 20 controls,
and we would live in a better world. Sadly, reality is somewhat
different.
</p><p>
The need to implement 20 controls does not sound like a real problem on
the surface. If you examine the 20 controls in the Center's document,
however, you will quickly realize that each one has five to 10
sub-points. Overall, a large, well-funded company would not find them an
insurmountable challenge to implement. But for those in the small and
midsize business world, full implementation would be extremely
difficult, at best.
</p><p>
The California attorney general's comments obviously do not apply
outside of California, and they are not considered binding in any way
(yet). This is part of a trend we are seeing across the country,
however. Public officials are searching for solutions, and, finding no
easy answer, they adopt some formal set of security standards and
attempt to make all those organizations they regulate follow them. We
have seen this, for example, with the <a href="http://www.computerworld.com/article/3033161/security/security-standards-sorting-through-the-alphabet-soup.html">FTC citing NIST standards</a> in its enforcement actions.
</p> <p>
A real-world example for me involves a smaller insurance company, which is <a href="http://www.hhs.gov/hipaa/">HIPAA</a>-regulated. I am helping the company with privacy policies in preparation for an <a href="http://www.hhs.gov/ocr/">OCR</a>
audit. It knows enough to have a designated privacy officer, a very
sharp attorney, but it doesn't have a big privacy or security team,
given its size. In preparing for the audit, however, it is clear that
the company's size doesn't matter to the regulators. It has a number of
hoops through which it must jump, one way or the other.
</p><p>
Another of my customers, this one a small, level 1 <a href="https://www.pcisecuritystandards.org/pci_security/">PCI</a> company, must implement the same controls as the largest credit card processors in the country.
</p><p>
I am not against standards like HIPAA or PCI. They do serve a useful
purpose. That being said, their failure lies in their inability to
provide appropriate flexibility based on the size of the organization.
While the goals of each -- improved information security -- are
important, they do not serve society well if they put smaller companies
out of business in the process.
</p><p>
If your smaller organization is in one of the regulated industries, at
least for the time being you have no choice but to meet the full
regulatory requirements. My best advice is to find competent help to
meet the standards.
</p> <p>
If you do not fall under one of the large bodies of regulations or
guidelines, you are not off the hook. The industry is seeing increased
scrutiny from a wide variety of federal and state agencies and industry
groups. While they may not hold organizations to a particular standard,
they will expect you to have a structured and documented approach to
information security and risk management.
</p><p>
This same requirement applies if you want a cyber-insurance policy that
will actually pay off when needed. This is achievable without a large
staff or big budget, but it takes some work. Consider the following
approach:
</p><h3>Examine your risks</h3><p>
Every company is different and, as such, will have different risks. For
example, an e-commerce company has a completely different risk profile
than a manufacturer that sells products through channels. You need to
understand your specific risks, so you know what to focus on. This
doesn't have to be an extremely formal process, but it does need to be
recorded and updated. I suggested a simplified approach in <a href="http://www.computerworld.com/article/2992252/it-management/the-dreaded-risk-assessment.html">The Dreaded Risk Assessment</a>.
</p><h3>Implement Controls</h3><p>
Once you know what risks to focus on, figure out how you will address
the higher priorities. In the security/compliance world, we call these
controls. If you run an e-commerce business, for example, you might
decide that a high risk was someone hacking into your Web server. As a
control, you might implement monthly vulnerability scans by a third
party, and have a documented approach to managing your patches.
</p><p>
A variety of published standards, including Critical Security Controls
mentioned above, provide great guidance on controls for particular
risks. Controls don't necessarily have to be complicated, as long as
they do the job.
</p><h3>Write them down</h3><p>
Once you have controls established, record them in written form, and
share them with everyone in your organization. If you get a visit from a
regulator, having this material in writing will help your case.
</p><h3>Follow them</h3><p>
This seems like it goes without saying, but I have seen some assume that
just having the controls in writing solves the problem. To be safe and
survive scrutiny, you must follow the controls, and be able to offer
evidence that you are following them. Logs or other documents showing
that you have implemented them are a must.
</p><h3>Review</h3><p>
Information security is a volatile field. As such, your risk profile,
controls and their effectiveness must be periodically reviewed, and
adjusted as required. Again, this does not have to be a highly
structured process. For a smaller company, you just need to get the key
people in a room, talk through your process and agree on changes.
</p><p>
Bottom line: Security standards like the Critical Security Controls
provide great guidance to organizations of all sizes. Fully implementing
them in a smaller business can be impractical. Such organizations can,
however, have a structured, documented approach to compliance that will
stand up to scrutiny.
</p>
</div>