Over the years numerous people have asked me various questions about Information Security standards.  In the main I get asked the same questions.  I thought it would be a good idea to try and summarise them here for others to benefit from. 

Can you explain what a security standard is?

A security standard is like any other standard within any other industry.  A standard is “a published specification that establishes a common language, and contains a technical specification or other precise criteria and is designed to be used consistently, as a rule, a guideline, or a definition”. Further, according to ISO, standards “contribute to making life simpler, and to increasing the reliability and effectiveness of the goods and services we use”.

In essence a standard is a common set of rules, definitions and agreed “regulations” that all parties can refer to for common reference.  A standard would be a set of minimum requirements that an organisation must meet in order to claim to be compliant with the standard.

Why do we need standards?

Standards provide us with a common set of reference points to enable us to evaluate whether an organisation has processes, procedures and other controls in place that meet an agreed minimum requirement.  If an organisation is compliant with, or meets, a certain standard then it gives third parties such as customers, suppliers and partners confidence in that organisation’s ability to deliver to that standard.  It can also provide an organisation with a competitive advantage over other organisations.  For example an organisation that is compliant with a security standard may have an advantage over a competitor who is not when customers are evaluating their products or services.

In other cases certain regulatory and legal requirements may specify certain standards that must be met.  For example if your company processes credit cards then you must be compliant with the Payment Card Industry Data Security Standard (PCI DSS).  This standard is set by the major credit card companies such as Visa and Mastercard, acting through the PCI Security Standards Council.  If you are not compliant with this standard then you can be fined (the fines are levied on your acquiring bank and passed on to you), face higher processing charges, or indeed those credit card companies may refuse to do business with you. 

In addition if you are meant to be compliant with a standard but are not and suffer a security breach then you could face potential lawsuits from those customers impacted by that breach.  TJX, the parent company of TK Maxx, suffered a security breach resulting in over 45 million credit card details being accessed by hackers.  TJX was meant to be PCI DSS compliant but was not and is now facing lawsuits from impacted customers.

Standards can also help organisations meet regulatory requirements such as the Data Protection Act, SOX, HIPAA etc.  By using a standard to create a strong foundation for managing and securing your systems you will find it easier to meet existing and new regulatory requirements than an organisation that does not. 

Can you tell me more about ISO 27001?

The following excerpt from a previous Blog post titled “Why use ISO 27001?” provides more details on ISO 27001;

ISO 27001 is a vendor and technology neutral internationally recognised standard which provides companies with a risk based approach to securing their information.  Certification against it provides organisations with independent third party verification that their Information Security Management System (ISMS) meets an internationally recognised standard.  This provides a company, and its customers and partners, with the confidence that it is managing its security in accordance with recognised and audited best practices. 

Beyond that, in my opinion companies that have implemented an ISO 27001 based ISMS can demonstrate many efficiencies and other benefits such as;

Increased reliability and security of systems:
Security is often defined as protecting the Confidentiality, Integrity and Availability (CIA) of an asset.  Using a standards based approach, which ensures that adequate controls, processes and procedures are in place, helps ensure that the above goals are met.  Meeting the CIA goals of security also, almost as a by-product, improves the reliability, availability and stability of systems.

Increased profits:
Having stable, secure and reliable systems ensures that interruptions to those systems are minimised thereby increasing their availability and productivity.  In addition to the above, a standards based approach to information security demonstrates to customers that the company can be trusted with their business.  This can increase profitability by retaining existing, and attracting new, customers.

Reduced Costs:
A standards based approach to information security ensures that all controls are measured and managed in a structured manner.  This ensures that processes and procedures are more streamlined and effective thus reducing costs.

Some companies have found they can better manage the tools they have in place by consolidating redundant systems or re-assigning other systems from assets with low risk to those with higher risk.

Compliance with legislation:
Having a structured Information Security Management System in place makes the task of compliance much easier.

Improved Management:
Knowing what is in place and how it should be managed and secured makes it easier to manage information resources within a company.

Improved Customer and Partner Relationships:
By demonstrating the company takes information security seriously, customers and trading partners can deal with the company confidently knowing that the company has taken an independently verifiable approach to information security risk management.

ISO 27001 can be implemented within an organisation as a framework to work against or indeed the organisation can seek to gain certification against the standard.

What kind of security standards are available?

There are numerous standards available.  These can be broken down into three main categories;

  • Business Standards
  • Product Standards
  • Individual Standards

On my Blog the post “List of Security Certifications” outlines all the certifications that I am aware of within the information security industry.  As you can see they are many and varied.

You can be assessed against any of the above to demonstrate that you meet the minimum requirements of the standard, and if you meet those requirements you can be certified against it. 

So a business standard applies to an organisation and states that the organisation meets the requirements of the standard.  Product standards mean that when you purchase a product you know it has been independently assessed as being secure according to predefined criteria.  If you are hiring someone as a member of staff or as a consultant you can determine whether they have the minimum knowledge that you require for that role by looking at the certifications they have earned. 

The following post on my Blog gives some of my thoughts on certification schemes. 

How can we obtain the standards?

In order to obtain a standard I suggest you;

  • Determine which one is suitable for you and/or your organisation or product.
  • Become familiar with that standard.  You can obtain a copy of the standard from the organisation that develops it, or it may be available from other third parties.
  • Engage someone with knowledge of that standard, either in-house or an external consultant.
  • Determine what gaps currently exist within your organisation against the standard and develop a plan to address those gaps.
  • Engage with a certification body to achieve certification against the standard.

Is there a difference between security standards?

Yes there are differences.  Some are more respected than others, some are more stringent than others.  This is especially so in the individual certifications/standards where some of them would be seen as entry level qualifications.

How do standards get implemented?

The normal process to meet a standard goes along the following lines;

Business

  • Implement the standard.
  • Engage a third party to audit you against the standard.
  • That third party determines if you meet the standard and whether or not you achieve certification against the standard.

Products

  • Select the standard you wish to achieve.
  • Submit your product to the company authorised to test your product against that standard.
  • Have your product tested and, if it passes, it will be certified (note that this can be a very costly exercise).

Individuals

  • Select the standard/certification you wish to achieve.
  • Study against the requirements.
  • Sit an exam
  • Pass the exam.  Some certifications require verifiable work experience in the field on top of passing the exams.

What does it cost to implement a standard?

That can depend.  In most cases the biggest cost is the time and people involved in trying to achieve the standard, rather than the certification fees themselves.

Does it make a difference if you are a small business or large corporation when you put security standards in place?

It makes no difference.  The standards apply to companies of all sizes.  In some cases it may be wise to implement a standard while the company is small so that the standard becomes ingrained as part of the culture of the company.  Big companies often have to “re-educate” themselves in how to do things in accordance with the standard and break bad habits that may already be in place.

What happens if you don’t have security standards in place?

Not having security standards in place may have the following implications;

  • If you need to be compliant with certain standards, e.g. PCI DSS, then you may face financial penalties and also loss of business.
  • You may find it more difficult to meet new regulatory and legal requirements as you may have to “reinvent” the wheel for each of these requirements, whereas complying with a standard can give you a solid foundation to meet these new requirements.
  • You may lose business to competitors that are compliant with the standards as they may be viewed as being more reliable by potential customers.

Do all businesses need them?

It depends.  For example, if you operate in certain industries then you may need them, or if you process credit cards you need to be compliant with the PCI DSS standard.  In general though it would be viewed as good business practice for your company to be compliant with a security standard, similar to your company being certified against the ISO 9000 family of quality standards.

What can potentially go wrong with your security standard?

The biggest problem is paying “lip service” to the standard.  This often happens if companies simply go for the standard for a marketing exercise or simply just to achieve the standard.  This then results in what I call “Tick List Security”. 

Tick List Security is where a company implements security controls simply to meet a certain standard.  The company does not really care about being secure but simply wants to tick all the boxes on the requirements to meet the standard.  This is a dangerous position, as the organisation thinks it is secure when in reality it is not.

In my experience companies that go for standards for solid business reasons such as improving their processes, procedures and ultimately their security tend to be more successful and get more benefit from the exercise.

The other issue I often see is companies not maintaining the documentation and record keeping required by the standard. 

How often do they have to be updated?

That depends on the standard and on your requirements.  If you achieve ISO 27001 certification you are subject to a series of periodic surveillance audits (typically annual) and a full recertification audit every three years to ensure you are still compliant with the standard.  From time to time the bodies setting the standards may also update or change the standard to keep it in line with the modern environment.

Where can you find out more about security standards and how do you find the one which is right for your business?

Most of the standards are available from the bodies that determine them and in many cases there are third party websites available to provide more guidance and information.

What is involved in being audited against a standard?

Dr. Gary Hinson, founder of Global Security Week and owner of the NoticeBored Blog, has an excellent “Frequently Avoided Questions About IT Auditing” page on his website.  Gary does more justice to this than I possibly could.

I hope my above thoughts offer some insight into the world of information security standards.  I would be very interested to hear your own thoughts and experiences regarding standards.