Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against.
Enter the framework.
A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security safeguards, called security controls. There are many frameworks to choose from: NIST, ISO, NERC, PCI, and others. The point is that you want to compare yourself against a known yardstick.
Without this comparison, it is very easy to enter a never-ending cycle of buying the next security whiz-bang product, implementing the wrong controls for your environment, or hiring a consultant to test something that really doesn’t need to be tested. Frameworks are like a lighthouse in the middle of fog: they guide you to your objective, overall security, by steering you around would-be obstacles. So how do you choose a framework?
Often the framework is chosen for you. Maybe you handle credit card data (PCI), health information (HIPAA), or are a publicly traded company (SOX); in those cases compliance is mandated. Otherwise there may be a push from upper management to appease a customer, or the latest hack has scared them straight. In that case, you need to establish the framework that fits your corporation best. Choosing the framework is outside the scope of this article, but there are many sources on choosing a framework.
Once you have chosen a framework the real work begins. Each framework is unique, but they all follow the same basic pattern. Select the security controls for your environment, implement those controls, test the effectiveness of the controls, and finally make sure that controls are persistent as the environment inevitably changes.
Selecting a Security Framework
In this portion of the process, we will be selecting which controls apply to your environment. For example, let’s say we process credit cards. While one company may take the credit card data and use it in a self-developed system to acquire information, another may never see that data at all because it uses a point-to-point encryption device. This would completely change how to apply the PCI framework to our environment. The framework will provide instructions and rules on how to apply it to your environment and what should or should not be included, but ultimately it will be an interactive process between data owners and security.
The rubber meets the road at this stage. Here we will be applying the security control requirements to the pertinent systems. This is not going to be a step-by-step guide. Remember that the framework is built so that many different organizations with different technologies can apply the recommendations to their environment. This will require converting phrases such as “the organization approves and monitors non-local maintenance and diagnostic activities” into something concrete, such as auditing SCOM events.
Far too many people jump to this stage of the process. In fact, many consider testing the definition of information security. Penetration testing, vulnerability scans, social engineering; these are all sexy (as sexy as information security can be) and do produce volumes of “look what we did” reports. However, a stack of paper defining what should be done at this moment is not a plan, it’s a band-aid. The question is, what is the use of trying to follow a framework and implementing a slew of security controls only to say, “I think it’s working”. We must verify.
Now for the boring phase. This is the day-to-day assurance that what you have put in place is working. Think “who watches the watchers”. We want to put in place the tools that will alert us to any deviation from the plan. True security is not a point-in-time analysis of what is now; it is looking ahead to what could be and planning for as many contingencies as possible. Monitoring is a critical step not only in establishing our security program but in the success of that program over time.
By using a framework, we are converting information security from something that is at best a hodgepodge of duct tape into a strategy. Strategy takes us from reaction to prevention, and that takes us from front-page news to the boring company that protects its customers’ data. In security, you want to be boring.
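The implementation and monitoring phases above come together in one concrete step: a control written in framework language has to become a check that runs every day and alerts on deviation. The following Python script is an added example, not code from the article or from Cybriant. It takes the control quoted earlier (“the organization approves and monitors non-local maintenance and diagnostic activities”, which reads like NIST SP 800-53 control MA-4) and turns it into three testable conditions: every remote maintenance session references an approval ticket, the session falls inside that ticket’s approved window, and it originates from an approved source. The log format, hostnames, ticket numbers and IP addresses are all constructed for this example; a real deployment would feed it session events from your own audit source (SCOM, a SIEM, sshd logs) instead of the embedded sample.

```python
"""Added example: turning one control statement into a repeatable check.

Control wording (quoted in the article, NIST SP 800-53 MA-4 style):
  "the organization approves and monitors non-local maintenance and
   diagnostic activities"

Testable translation used here (an assumption about how one organization
might implement the control, not a requirement of any framework):
  1. every remote-maintenance session must reference an approval ticket;
  2. the session must fall inside that ticket's approved time window;
  3. the session must come from a source approved for that ticket.
Anything else is a deviation the monitoring phase should alert on.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class Approval:
    ticket: str
    host: str
    start: datetime
    end: datetime
    allowed_sources: frozenset


@dataclass
class Finding:
    event: str
    reason: str


# Constructed sample log lines in a simple key=value audit format.
# Line 1 complies; lines 2-4 each violate one of the three conditions.
SAMPLE_LOG = """\
2024-03-04T02:10:00Z host=db01 user=vendor_svc src=10.9.8.7 session=open ticket=CHG-1001
2024-03-04T03:30:00Z host=db01 user=vendor_svc src=10.9.8.7 session=open ticket=CHG-1001
2024-03-04T02:15:00Z host=app02 user=admin src=203.0.113.5 session=open ticket=none
2024-03-04T02:20:00Z host=db01 user=vendor_svc src=198.51.100.9 session=open ticket=CHG-1001
"""

# Constructed approval record: one change ticket, one host, a one-hour window,
# and a single approved maintenance source address.
APPROVALS = [
    Approval("CHG-1001", "db01",
             datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc),
             datetime(2024, 3, 4, 3, 0, tzinfo=timezone.utc),
             frozenset({"10.9.8.7"})),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"session=open ticket=(?P<ticket>\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def check_session(ev, approvals):
    """Return the reason a session violates the control, or None if it complies."""
    if ev["ticket"] == "none":
        return "no approval ticket referenced"
    matches = [a for a in approvals
               if a.ticket == ev["ticket"] and a.host == ev["host"]]
    if not matches:
        return f"ticket {ev['ticket']} not approved for host {ev['host']}"
    a = matches[0]
    if not (a.start <= ev["ts"] <= a.end):
        return f"session outside approved window for {a.ticket}"
    if ev["src"] not in a.allowed_sources:
        return f"source {ev['src']} not on approved list for {a.ticket}"
    return None


def audit(log_text, approvals):
    """Run the control check over every session event and collect deviations."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not a session-open event; ignore
        reason = check_session(ev, approvals)
        if reason:
            findings.append(Finding(line.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, APPROVALS):
        print(f"DEVIATION: {f.reason}\n    {f.event}")
```

The value of writing the control down this way is that the check is explicit enough to argue about with the data owner (is a one-hour window right? is a single approved source too strict?) and can be scheduled to run on every new batch of events, which is the “who watches the watchers” monitoring the text calls for. Run against the sample, it reports three deviations: a session outside its approved window, a session with no ticket, and a session from an unapproved source.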
Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.
Not sure where to start?
Schedule a conversation. We are really nice cybersecurity experts. We’ll walk you through the process and if you would like to use our services, great. If not, that’s fine, too. We are here to help.