If you are a CISO, DISO or security practitioner, you’ve likely been drawn into the beleaguered topic of security and risk-reduction standards. You probably also know that a surefire way to single out the security wonks at your next meeting, conference or cocktail reception is to simply muse aloud: “I wonder which standard is most effective in reducing risk and improving practice, compliance and audit?”
Spanning information, cyber, supply chain, asset-driven or non-IT approaches, standards often bring forth many diverging and polarizing opinions from security professionals. Quickly the conversation will be peppered with alpha-numerics, acronyms and barely decipherable anecdotes on which standard is better, with no clear winner in the end.
In practice, what defines the best standard for an organization is its identified assets, its security requirements, its tolerance for risk and its mitigation of the risks that are probable. However, rather than devising the appropriate standards asset by asset, there is substantial value in assessing and analysing all organizational assets together and then letting the collective requirements drive the solution.
For that reason, I decided rather than pitch one standard against another in this column, I would focus on exploring the benefits of advanced integration of standards and what to keep in mind when weighing their value.
Start with what you know
Ambiguity of terms and definitions has plagued standards for some time. At Nortel in the mid-90s, I was assigned to oversee our departmental ISO certification and later became an ISO auditor. Even then it was clear that while one standard was not enough, too many were cumbersome, redundant and expensive.
Hybridizing and streamlining standards was a viable and reasonable alternative (we did the same with methods from RUP, OMT and Booch, because it made them manageable and it worked). While the effort required to streamline and eliminate redundancy was time-consuming, it saved cost and time in the long term and also helped maintain higher degrees of integrity and governance.
Where common sense dictates ‘less is more’, we can see the value in adopting a few valid, robust standards applied to several applicable assets rather than many valid standards customized to many assets (Heinlein may have been right when he said, “specialization is for insects”). Plainly put, higher integration is simply relying on one standard to govern as many assets as possible by mapping capabilities to the specific security needs of the organization.
Like any organizational initiative worth undertaking, understanding security objectives, goals and requirements is paramount: what you need to secure, when you secure it, under what conditions, and what you monitor, improve and correct. Sounds simple. So why does it get so complicated? Not sure, but it could be the lack of philosophy around why we’re adopting standards in the first place.
The pivotal role of assets
At the conceptual level, it’s easy to forget that standards aim to control, protect and preserve the things that mean the most – the organizational assets. Assets are defined as entities crucial to the viability of the organization as a whole, which makes assessing and evaluating them, in order to understand their value and impact, essential.
Asset value and impact will vary not only by asset but also by organization type, sector and industry. For example, private sector assets are tied to revenues generated by consumables or services in competitive market environments; this contrasts with the public sector, where assets are the core of government service delivery, mandates and legislation. Similarly, an unclassified asset may become classified when integrated with other assets, or where sensitive documentation evolves into a physical prototype.
Ensuring that changes in an asset’s state and security level dictate how flexible the governing standards must be, along with detailed requirements driven by objectives and process commonality, will help track assets that exist in IT and non-IT domains or span multiple domains.
There is no ‘Standard’ standard
Organizational asset assessment and evaluation is one of two parts; the other is to determine the robustness of contending standards through a comparative analysis that maps asset and security requirements to the controls and control areas within each standard.
Mastering the concepts of ISO, ITSG-33 and NIST and their related publications is a lot like learning a new language: if you know one, learning another is easier. Still, it can take several reads to identify overlapping and common methods, especially with revisions and new domains always under development. Regardless, whether a standard was developed for information, privacy or asset security, there will always be elements of compatibility.
In comparing ISO, NIST and ITSG-33, overlap and compatibility are apparent. ISO 27001 details a management control system for information security with 114 controls that span information security policies, human resource security, asset management, access control, physical and environmental security and operations security. Extending from this, ISO 27002 provides an outline or “good practice” guide for cybersecurity management, and ISO 15408 addresses common criteria for secure software and hardware integration and testing.
Similarly, the NIST 800 series, in particular SP 800-53r4, “Security and Privacy Controls for Federal Information Systems and Organizations”, identifies nearly 200 cross-domain security controls that enhance system security posture and reduce risk. More domain-specific publications, such as the Cybersecurity Framework, focus on critical infrastructure, management principles and practices, self-assessment, and operational control areas. (It is important to note that ITSG-33 and NIST 800 controls have almost a one-to-one relationship.)
Recently I performed a comparative analysis on GoC supply chain security using the above standards, as well as the UK’s Cyber Security Essentials Program, NATO’s Draft Policy on Security Enforcing Products and the US’ Department of Defence Systems Engineering Methodology. In the past, supply chain vendors were assessed on certification and compliance; now, the focus is shifting to compliance of controls within supply chain and vendor systems.
The criteria included the existence of a complete methodology, detailed methods, security and control profiles, compatible processes, certification, training and extensibility. These were then assigned weights and scores, and a functional baseline was set. Based on the preliminary requirements, those that met the threshold were further assessed on their ability to assure that vendor networks met a minimum level of security.
While tedious, this provided operational, technical, management and administrative recommendations for supply chain control, meeting several classifications. (For an unclassified summary, send an email to firstname.lastname@example.org. Alex Benay, GoC CIO, took me up on the offer – hope it was useful!)
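The two-stage assessment described above (weighted scoring of candidate standards against a functional baseline, then checking the survivors for coverage of a minimum control profile) can be made concrete in a few lines. The following is an added illustration, not the author’s actual scoring model or any standard’s own content: the criteria names follow the column, but the weights, the 0–5 scores, the threshold, the candidate names and the minimum control profile are constructed sample values, and the control area names are borrowed from the ISO 27001 vocabulary used in the column purely as labels.

```python
"""Two-stage comparative assessment of candidate security standards.

Added example. Criteria names follow the column; every weight, score,
threshold, candidate and control area below is a constructed sample value,
not data about any real standard.
"""
from dataclasses import dataclass


# Criteria from the column, weighted in integer percent so the weights sum to
# exactly 100 and the arithmetic stays free of floating-point drift.
CRITERIA_WEIGHTS = {
    "complete_methodology": 20,
    "detailed_methods": 15,
    "security_control_profiles": 20,
    "compatible_processes": 15,
    "certification": 10,
    "training": 10,
    "extensibility": 10,
}

# Constructed minimum control profile a vendor network must demonstrate.
# Labels are ISO 27001 control-area names used only as vocabulary here.
MINIMUM_CONTROL_PROFILE = {
    "asset_management",
    "access_control",
    "operations_security",
    "supplier_relationships",
}


@dataclass
class Candidate:
    """A contending standard: per-criterion scores (0-5) and the control
    areas it is judged to cover. All values are constructed."""
    name: str
    scores: dict
    control_areas: set


def weighted_score(candidate, weights=CRITERIA_WEIGHTS):
    """Weighted average of the 0-5 criterion scores (missing criterion = 0)."""
    total_weight = sum(weights.values())
    weighted = sum(w * candidate.scores.get(c, 0) for c, w in weights.items())
    return weighted / total_weight


def coverage_gaps(candidate, profile=MINIMUM_CONTROL_PROFILE):
    """Control areas in the minimum profile that the candidate does not cover."""
    return sorted(profile - candidate.control_areas)


def assess(candidates, threshold=3.0):
    """Stage 1: reject candidates below the functional baseline.
    Stage 2: for survivors, report which minimum control areas they miss."""
    results = {}
    for cand in candidates:
        score = weighted_score(cand)
        if score < threshold:
            results[cand.name] = {"score": score, "stage": "rejected", "gaps": None}
        else:
            results[cand.name] = {"score": score, "stage": "assessed",
                                  "gaps": coverage_gaps(cand)}
    return results


def sample_candidates():
    """Three constructed candidates with placeholder names."""
    return [
        Candidate("Candidate A",
                  {c: 4 for c in CRITERIA_WEIGHTS},
                  {"asset_management", "access_control", "operations_security"}),
        Candidate("Candidate B",
                  {"complete_methodology": 2, "detailed_methods": 2,
                   "security_control_profiles": 3, "compatible_processes": 3,
                   "certification": 4, "training": 4, "extensibility": 2},
                  set(MINIMUM_CONTROL_PROFILE)),
        Candidate("Candidate C",
                  {"complete_methodology": 5, "detailed_methods": 4,
                   "security_control_profiles": 3, "compatible_processes": 3,
                   "certification": 2, "training": 2, "extensibility": 4},
                  set(MINIMUM_CONTROL_PROFILE)),
    ]


if __name__ == "__main__":
    for name, result in assess(sample_candidates()).items():
        print(f"{name}: score={result['score']:.2f} stage={result['stage']} "
              f"gaps={result['gaps']}")
```

The point the example makes is that the two stages answer different questions: a candidate can score well on methodology and certification (Candidate A) yet still leave a required control area uncovered, while one with full coverage (Candidate B) can fall below the baseline on the weighted criteria. Both outcomes feed the operational, technical, management and administrative recommendations; only the surviving candidates get the control-level review.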
It’s all in the planning – from the 30,000-foot view
Again, no one standard is likely to address all asset and security needs for an organization and no standard will prescribe specific safeguards (that’s what practitioners are for). However, proper organizational and strategic planning can put the right standards, or a hybridized model, in place that will define security profiles and security controls to maintain the required security posture.
By applying a project-to-program approach to assess risk-reduction standards, an organization’s immediate and longer-term strategic objectives can be met, providing efficiencies and overall value. While the upfront cost and work effort may be greater, as is always the case in solution analysis, the end result will help deliver higher maintainability, sustained risk management, and security posture. If it does that while reducing redundancy and inefficiencies, all the better.