Compliance has been top of mind for most organizations during the past few years, although many small and medium-sized businesses (SMBs) have been able to skirt the heavy lifting that large, public companies must handle. Yet with the emergence of the Payment Card Industry (PCI) Data Security Standard, compliance is front and center for all organizations. Many SMB technologists get analysis paralysis when considering what they need to do to stay on the right side of the compliance Gods.
So here is the $64,000 question -- how do you get to a strong security posture? There are a number of information security frameworks that will set the foundation for a security program.
The information security frameworks
There are two leading frameworks that will help define at least the categories of assets and controls that need to be implemented in a comprehensive security environment:
- ISO 27001: This successor to the ISO 17799 standard "provide[s] a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System" (source). It uses the plan-do-check-act model.
- CobiT: A set of best practices, measures and other methods for information security -- defined by the IT Governance Institute and the Information Systems Audit and Control Association.
These information security frameworks are very broad and very extensive, yet not really specific. Even though each lays out a vision of broad enterprise security, there are a lot of ways to get there. Thus, the framework is a start but isn't going to give you a step-by-step cookbook for what needs to be done.
Unfortunately that's pretty consistent with any discussion of frameworks. I haven't found a way to avoid doing the hard work to figure out what needs to be protected before building a plan to get there. In reality, the breadth of the framework is usually overkill for most organizations.
If you are publicly traded, CobiT will be a good place to start because many Sarbanes-Oxley Act auditors tend to have a rather strong grounding in CobiT. Likewise, if your organization has embraced ISO certification (like ISO 9001 for quality), then the ISO 27001 framework could make sense.
I always opt on the side of doing things, rather than just planning them. Sure, you need a structured, programmatic approach, but you can't sell an auditor on information security frameworks. So here is a six-step approach to making some good, initial progress on your security program.
- Establish priorities. Get out from behind your desk and go talk to the senior executives in your business. Figure out what is important to them. Which systems do they think are critical to your organization? Which business processes, if affected, would cost them their jobs?
- Set a baseline. Do a penetration test or a risk assessment. Identify holes big enough to drive a supertanker through, and then use that baseline to both set the bar and show progress towards that bar.
- Triage. Fix those gaping holes and do it now. If you discover you've already been compromised, fix that and then put a plan in place to make sure it doesn't happen again.
- Plan. Build a plan to achieve your objectives. This will involve building a high-level security architecture and then a funding request to get the resources implemented.
- Operate your environment. A lot goes into operating a secure environment, but the most important thing to focus on is how you determine that something is wrong. Since we have no idea where the next attack is coming from, you had better be able to react quickly to possible issues.
- Document. Make sure anything you do can be documented and that you can substantiate any of the controls and/or processes you have in place to identify security issues. Auditors like reports (or so I've heard).
Sounds easy, right? Of course it's not. But you need to start somewhere, and most SMBs should opt for quick and dirty, rather than heavy and comprehensive. Once you have a base level of protection in place, you can get fancy and look at larger information security frameworks.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at www.pragmaticcso.com, read Rothman's blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.