As we have noted in the past, Andrew S. Tanenbaum teaches in his classic text on Computer Networks that “The nice thing about standards is that you have so many to choose from.”
This adage is especially true when it comes to cybersecurity. We encounter so many standards in the corporate world that in many cases they become totally ineffective. This is an area that requires continued technical leadership, or the standards will have little impact. But with technical leadership, good security standards can make a world of difference.
Our recommendation is to focus on your business needs first, but then select the right body of standards for your organization and your mission. Once you select your corporate approach to standards, remember you will get what you measure. Enforce your standards.
Here is a high-level overview of key cybersecurity standards:
- Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG): A publication of best practices in cyber defense consisting of 20 key actions, called security controls, that can reduce/mitigate most threats. These are the easiest to understand, easiest to implement and most effective approaches we know of.
- ISO 27001 and 27002: Focused on helping organizations manage the security of assets including financial information, intellectual property and employee data. If you are a large organization already working ISO processes this may be a worthwhile approach.
- NIST Cybersecurity Standards: NIST has been contributing to best practices and standards for decades. Many of their standards, like Special Publications 800-12 (overview of controls), 800-14 (common principles), 800-26 (management advice), 800-37 (Risk Management Framework) and 800-53 (security and privacy controls), are aimed at the federal government but can be instructive to companies. Their work on a Cybersecurity Framework is intended to help industry find more common approaches and a common language for cybersecurity. The benefit of this framework to companies seems to be in getting everyone on a common wavelength, including suppliers when it is enforced via contractual mechanisms.
- COBIT 5: Tools, resources and guidance by ISACA.org. COBIT stands for Control Objectives for Information and Related Technology. This framework helps organizations leverage best practices in multiple domains including audit, risk management, regulatory/compliance and governance of IT.
- RFC 2196: Published by the IETF, so as you can imagine this is focused on policies and procedures for sites that have systems on the Internet (which means, by the way, all systems these days). Written long ago but still so very valid.
- ISA/IEC-62443/ISA-99: The International Society of Automation (ISA) Security Compliance Institute functions within ISA’s Automation Standards Compliance Institute (ASCI) to provide professional management of this body of standards, which focus on industrial automation control systems.
- IASME: A UK-based standard for information assurance at small-to-medium enterprises (SMEs), based on best practices and accredited by the UK Government. It is supported by certification body companies that can audit against it, and it is smartly aligned with cybersecurity offerings in ways that may prove especially virtuous.
A note about standards and meeting the compliance requirements of GLBA, SOX, HIPAA or PCI:
Staying in compliance with the regulations and requirements of laws like GLBA, SOX and HIPAA, or with the important industry PCI guidance, requires constant technical leadership, and many of those requirements also come with specific technical guidance. However, all of them give you a significant degree of leeway in how you meet the requirements. The standards reviewed above can help you address them. More important than standards, however, is your management approach to cybersecurity. This is a favorite topic of ours and is squarely in the sweet spot of our risk mitigation work. We work with Fortune 1000 firms to evaluate management approaches, helping them meet compliance needs while at the same time improving cybersecurity support to business and mission needs. Contact Us for more information.