[BreachExchange] When it comes to security standards, one size doesn't fit all

[Inga Goddijn]

http://www.computerworld.com/article/3054556/security/when-it-comes-to-security-standards-one-size-doesnt-fit-all.html

The Defensive Security Podcast
<http://www.defensivesecurity.org/defensive-security-podcast-episode-155/>
talked last week about comments made by the California attorney general in
releasing a study of data breaches in that state. While the report itself
did not include any earth-shattering insights, a related comment has caused
quite a stir in the information security community. The AG indicated that
those organizations not implementing the 20 controls discussed in the Center
for Internet Security's Critical Security Controls
<https://www.cisecurity.org/critical-controls.cfm> document would not be
considered to have "reasonable security."

Now, I have great respect for the Center for Internet Security. In a
perfect world, everyone would have already implemented all 20 controls, and
we would live in a better world. Sadly, reality is somewhat different.

The need to implement 20 controls does not sound like a real problem on the
surface. If you examine the 20 controls in the Center's document, however,
you will quickly realize that each one has five to 10 sub-points. Overall,
a large, well-funded company would not find them an insurmountable
challenge to implement. But for those in the small and midsize business
world, full implementation would be extremely difficult, at best.

 The California attorney general's comments obviously do not apply outside
of California, and they are not considered binding in any way (yet). This
is part of a trend we are seeing across the country, however. Public
officials are searching for solutions, and, finding no easy answer, they
adopt some formal set of security standards and attempt to make all those
organizations they regulate follow them. We have seen this, for example,
with the FTC citing NIST standards
<http://www.computerworld.com/article/3033161/security/security-standards-sorting-through-the-alphabet-soup.html>
in its enforcement actions.

 A real-world example for me involves a smaller insurance company, which is
HIPAA <http://www.hhs.gov/hipaa/>-regulated. I am helping the company with
privacy policies in preparation for an OCR <http://www.hhs.gov/ocr/> audit.
It knows enough to have a designated privacy officer, a very sharp
attorney, but it doesn't have a big privacy or security team, given its
size. In preparing for the audit, however, it is clear that the company's
size doesn't matter to the regulators. It has a number of hoops through
which it must jump, one way or the other.

Another of my customers, this one a small, level 1 PCI
<https://www.pcisecuritystandards.org/pci_security/> company, must
implement the same controls as the largest credit card processors in the
county.

 I am not against standard like HIPAA or PCI. They do serve a useful
purpose. That being said, their failure lies in their inability to provide
appropriate flexibility based on the size of the organization. While the
goals of each -- improved information security -- are important, they do
not serve society well if they put smaller companies out of business in the
process.

 If your smaller organization is in one of the regulated industries, at
least for the time being you have no choice but to meet the full regulatory
requirements. My best advice is to find competent help to meet the
standards.

If you do not fall under one of the large bodies of regulations or
guidelines, you are not off the hook. The industry is seeing increased
scrutiny from a wide variety of federal and state agencies and industry
groups. While they may not hold organizations to a particular standard,
they will expect you to have a structured and documented approach to
information security and risk management.

This same requirement applies if you want a cyber-insurance policy that
will actually pay off when needed. This is achievable without a large staff
or big budget, but it takes some work. Consider the following approach:
Examine your risks

Every company is different and, as such, will have different risks. For
example, an e-commerce company has a completely different risk profile than
a manufacturer that sells products through channels. You need to understand
your specific risks, so you know what to focus on. This doesn't have to be
an extremely formal process, but does need to be recorded and updated. I
suggested a simplified approach in The Dreaded Risk Assessment
<http://www.computerworld.com/article/2992252/it-management/the-dreaded-risk-assessment.html>.

Implement Controls

Once you know what risks to focus on, figure out how you will address the
higher priorities. In the security/compliance world, we call these
controls. If you run an e-commerce business, for example, you might decide
that a high risk was someone hacking into your Web server. As a control,
you might implement monthly vulnerability scans by a third party, and have
a documented approach to managing your patches.

A variety of published standards, including Critical Security Controls
mentioned above, provide great guidance on controls for particular risks.
Controls don't necessarily have to be complicated, as long as they do the
job.
Write them down

Once you have controls established, record them in written form, and share
them with everyone in your organization. If you get a visit from a
regulator, having this material in writing will help your case.
Follow them

This seems like it goes without saying, but I have seen some assume that
just having the controls In writing solves the problem. To be safe and
survive scrutiny, you must follow the controls, and be able to offer
evidence that you are following them. Logs or other documents showing that
you have implemented them are a must.
Review

Information security is a volatile field. As such, your risk profile,
controls and their effectiveness must be periodically reviewed, and
adjusted as required. Again, this does not have to be a highly structured
process. For a smaller company, you must just get the key people in a room,
talk through your process and agree to changes.

Bottom line: Security standards like the Critical Security Controls provide
great guidance to organizations of all sizes. Fully implementing them in a
smaller business can be impractical. Such organizations can, however, have
a structured, documented approach to compliance that will stand up to
scrutiny.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160413/09f5f09c/attachment.html>