Let’s take a look at some specific sources for cybersecurity controls. They will become the raw material for meeting your cybersecurity program goals and managing risk.
There are Many Sources
There are many compliance mandates from which you could derive your controls.
Some, like the Sarbanes-Oxley Act of 2002, tell you what to do, but not how to do it.
For example, Section 404 says a publicly traded company must file an annual report on the effectiveness of their internal control structure and procedures for financial reporting. The implementation details are up to you:
- Which controls will you implement?
- How will you assess them?
Some are Very Detailed
In contrast, the Payment Card Industry Data Security Standard (or “PCI-DSS”) tells you in great detail what to do to protect credit card data.
For example, the first thing the standard tells you to do is “Build and Maintain a Secure Network and Systems.”
It then gives you two broad requirements for doing this. The first one states “Install and maintain a firewall configuration to protect cardholder data.”
And it has over 15 specific sub-requirements, such as Requirement 1.3, which is quite lengthy and complex:
- Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- Implement a demilitarized zone (DMZ) to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
- Limit inbound Internet traffic to IP addresses within the DMZ.
- Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
- Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- Permit only “established” connections into the network.
- Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
- Do not disclose private IP addresses and routing information to unauthorized parties (sub-requirement 1.3.7).
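To make the Requirement 1.3 items above concrete, here is an added toy stateful packet filter (not from the PCI standard or this post) that models them: anti-spoofing on the Internet-facing interface, inbound only to authorized DMZ services, no direct Internet access to the cardholder data environment (CDE), no unauthorized CDE egress, and reply traffic admitted only for established connections. The zone ranges, hosts and ports are constructed sample values.

```python
"""Toy filter modelling the PCI DSS 1.3 segmentation rules (illustration only)."""
import ipaddress
from dataclasses import dataclass

# Constructed zones: DMZ and CDE both sit inside the private range, so a packet
# from the Internet claiming such a source address is forged.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("10.1.0.0/16")
CDE = ipaddress.ip_network("10.2.0.0/16")
# Authorized publicly accessible services on DMZ hosts: host -> allowed ports
DMZ_SERVICES = {"10.1.0.10": {443}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str  # "wan" = arrived from the Internet, "lan" = from an internal zone


class SegmentationFilter:
    def __init__(self):
        # Connections already accepted, keyed (client, server, server port)
        self.established = set()

    def decide(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # Anti-spoofing: internal source addresses never arrive from the Internet side
        if p.iface == "wan" and src in INTERNAL:
            return "DROP", "spoofed internal source"
        # Only replies to connections opened from inside are let back in
        if (p.dst, p.src, p.sport) in self.established:
            return "ACCEPT", "established"
        if p.iface == "wan":
            # New inbound may reach only authorized DMZ services; the CDE and all
            # other internal zones are unreachable directly from the Internet
            if dst in DMZ and p.dport in DMZ_SERVICES.get(p.dst, set()):
                self.established.add((p.src, p.dst, p.dport))
                return "ACCEPT", "authorized DMZ service"
            return "DROP", "inbound not to an authorized DMZ service"
        # CDE hosts may not open connections to the Internet
        if src in CDE and dst not in INTERNAL:
            return "DROP", "unauthorized outbound from CDE"
        self.established.add((p.src, p.dst, p.dport))
        return "ACCEPT", "internal"
```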
Altogether, the PCI standard has well over 200 detailed, technical requirements around the systems that store and process cardholder data.
Avoid Compliance Mandates
In either case, these compliance mandates should not be a primary source of controls for your program because they:
- Are too narrowly focused on their specific area of interest
- Don’t directly address all of your customers’ expectations
- Aren’t designed to fully support your executives and the Board of Directors
- May not make you broadly resilient to cyber-attacks and cyber failures
A better source of controls would be one of the more widely-used Information Security Standards. We’ll quickly look at five altogether in this post.
Use Caution When Choosing Your Cybersecurity Standards
While anyone can use the three standards described next, they work best for larger companies. And, while each standard is thorough, these standards can also be complicated.
Let’s begin by looking at three that have been published by the organizations who developed the content themselves.
Control Objectives for Information Technologies (COBIT)
The first is COBIT, which stands for Control Objectives for Information Technologies. COBIT is business-oriented rather than technology-oriented.
It was created for information technology management and governance. The basic framework is available online for free.
But you must pay license fees to get access to premium content. It is published by the nonprofit, independent ISACA organization, which is an international professional association focused on IT governance.
COBIT is easy for both management and InfoSec analysts to understand and follow.
National Institute of Standards and Technology Special Publication (NIST SP) 800-53
Next is NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.”
This standard provides a catalog of security controls and a methodology for selecting those appropriate for you.
Particularly aimed at U.S. federal information systems, except those related to national security, it’s published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce.
This standard is freely available to anyone and it includes a very large number of controls to choose from.
But, again, it’s aimed at government systems, which may make it difficult for medium to small organizations to use.
International Organization for Standardization (ISO) 27002
The ISO 27002 international standard is a catalog of controls that you can select from based on your needs.
This standard also contains implementation advice for ISO 27001, which describes how to construct an Information Security Management System. These standards are a good choice if you do business globally and need to assure all your customers of your security practices.
To use the standards, you must purchase a license for each person who needs a copy of the ISO documents.
Also, by adopting the 27001 standards, you can pursue certification which may increase your program maturity and provide your business with a useful marketing tool.
Other Useful Control Sources
Another good source of controls would be an Information Security Consensus Standard.
These have been created through a process involving many stakeholders, mostly Information Security practitioners from outside the publishing organization.
Let’s look at two of the most popular sources:
The “Top 20”
First, let’s take a look at the Critical Security Controls (CSC) for Effective Cyber Defense published by the Center for Internet Security (CIS).
The 20 security controls on this list were selected because they are the most effective at stopping cyber-attacks. The publication was initially developed by the SANS Institute as the “SANS Top 20.” Ownership was later transferred to the nonprofit Center for Internet Security (CIS) in 2015.
These controls are highly practical and effective, but there are some drawbacks:
- The list is almost entirely technical with relatively little information about people, process, and management controls.
- And it can cost hundreds of thousands of dollars and years of effort to adopt the full list.
- Unfortunately, the controls have no built-in method of measuring success.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
The second consensus standard we’ll review is the NIST Cybersecurity Framework.
The NIST Framework provides guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks. It was created by a cross-functional team of experts from private industry, and published by NIST in 2014.
This framework was originally aimed at operators of critical infrastructures, such as electrical generation plants and water distribution systems. However, today it’s used by a wide range of businesses and organizations, and the adoption rate is expected to reach 50% by 2020.
The standard is free for anyone to use and it’s organized around cyber resilience.
It can scale down or up depending on organizational size, which is a great feature.
Based only on the guidance in this standard, it’s difficult to measure how well the controls are implemented. And it may not be the best choice if you do business globally and need to assure your non-US customers that you have robust cybersecurity practices.