As an information security consultant and Payment Card Industry (PCI) Qualified Security Assessor (QSA), I often hear ‘I must comply’ or ‘we must be compliant’ when working with the PCI Data Security Standard (DSS) or ISO 27001.
When I ask why, a pause usually follows, then a vague answer that either does not connect the standard to the business or amounts to ‘because it’s the standard’.
Once the ‘why’ is explored and the business justification becomes clearer, it sometimes turns out that a compliance requirement does not apply at all, that effort is being duplicated, or that a control has been implemented in a way that does not support the business and needs to change.
Information security standards should support and enable the business. If a control feels wrong or like a hindrance, review it to make sure it is fit for purpose: it should mitigate the risk while still letting the business function securely.
Below are some key principles that will help when applying information security standards to your business.
Wear your business head
When reviewing information security standards, apply a business mindset and assume the role of the business owner, executive director and/or service manager: if this were your business, what would you do? Each standard has a primary objective or goal, and each applicable requirement needs to be considered in terms of how it would be applied and how it benefits the business. Some key questions to ask when reviewing the less obvious security controls:
- How will this benefit the business in the medium to long term?
- Is there hidden commercial benefit?
- What positive impact can be applied to business operations?
- What risks will be introduced or mitigated?
- How will this impact the budget, now and on-going?
- Can this make your business stand out from the competition?
- If you don’t apply this standard, what will be the impact?
- Who will be impacted if I do apply this standard?
Information security standards should align with and support the business strategy: the controls applied today should support the business both today and tomorrow.
Become familiar with laws of the land that impact your business
Some laws place information security responsibilities on the business. They describe the intent, that is, the behaviour expected when handling information or the systems that process it, but do not state how that intent is to be met in practice.
Note: when reviewing laws, it is advisable to have a suitably qualified legal adviser help you understand the intent, especially where the subject is unfamiliar or the wording is ambiguous.
Some of the laws include:
- Data Protection Act (DPA) 2018, which implements and supplements the EU General Data Protection Regulation (GDPR) in UK law;
- Computer Misuse Act 1990; and
- Network and Information Systems Regulations 2018, (commonly known as NIS or NISD).
For an example of how these apply to information security standards, let’s take a look at the DPA.
DPA section 66(1) states: Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.
(Section 66 sits in Part 3 of the Act, which covers law enforcement processing; for general business processing the equivalent obligation is GDPR Article 32(1), which imposes the same requirement for measures appropriate to the risk.)
The Act does not define what ‘appropriate technical and organisational measures’ are. They must be proportionate to the risk, so they will differ for each organisation.
To establish that risk, keep a record of processing activities (DPA section 61; GDPR Article 30) and, for processing likely to present a high risk, carry out a data protection impact assessment (DPIA, often called a privacy impact assessment). Both help to determine the business risk and to select the appropriate security measures.
Selecting the Information Security Standard(s) for your business
Some of the common security standards used today are:
- ISO 27001 – Internationally recognised standard for an information security management system (ISMS), built around a risk assessment and the selection of controls to treat the identified risks.
- NIST – The US National Institute of Standards and Technology, an agency of the US Department of Commerce, which publishes the Cybersecurity Framework (CSF) and the SP 800-53 catalogue of security controls.
- PCI DSS – Payment Card Industry Data Security Standard, which applies to merchants and service providers that store, process or transmit cardholder data.
- Cyber Essentials – UK government-backed scheme aimed at small and medium businesses, and a prerequisite for certain UK government contracts.
There are many specific industry sector standards that share common goals to the above.
Based on the previous DPA example, ISO 27001 would be a good fit for demonstrating appropriate controls: the standard is risk based, and its high-level controls can be selected to mitigate the risks identified. ISO 27701, a privacy extension to ISO 27001, can be layered on top. More prescriptive standards such as PCI DSS can also feed the ISO 27001 risk assessment, supplying detailed controls for the risks they cover.
If multiple standards are to be applied, consider how they will be implemented and maintained together. Map the controls once, so that evidence gathered for one standard’s audit also satisfies the overlapping requirements of another rather than being collected twice. The simpler the combined implementation, the easier it is to maintain and for staff to understand.
Corporate policies and alignment to information security standards
When creating or developing corporate policies, they should state executive management’s intent as mandatory requirements. Supporting business standards (based on the external information security standards) then show how that intent is applied within the business, i.e. they set the business rules.
Supporting procedures show how those standards are carried out within each business unit or service area.
Ownership of documentation can be tiered, for example:
- Policies – Executive Management;
- Standards – Head of Service; and
- Procedures – Service Managers/Team Lead.
Do staff know how to behave the way in which you want them to?
Information security and awareness training programmes are key to making sure staff know what is expected of them, so that they work within corporate policies and standards. Programmes are continuous: staff should complete the training on joining and annually thereafter to confirm their understanding. Supplementary awareness communications during the year, such as emails, quizzes, posters and login banners, can cover new threats or reinforce the expected security behaviour.
Successful programmes have executive management buy-in: executives endorse the expected behaviours and demonstrate them by attending the programme themselves. If executive management is reluctant to attend, point them at ‘whaling’ (phishing aimed specifically at senior executives, sometimes called ‘big phish’); but that is a bigger subject for another blog.
This simplistic view forms the basis of most implementations of security standards. Remember, information security standards are there to help and protect the business rather than hinder it, if applied correctly.