Cybersecurity standards and guidelines -- are you just checking the boxes?

While it is important for any organization to adopt a cybersecurity standard, just checking all of the boxes on one will not make you secure.


As an increasing number of industries and organizations begin to fully recognize the cybersecurity crisis, they have issued a variety of standards, guidelines and road maps designed to help organizations prevent data breaches. While well-intentioned, the wide variety of sometimes overlapping standards can be quite confusing to the organizations that need them the most. 

In my experience, organizations usually fit into one of two categories with regard to their adherence to standards. Many organizations, either through blind ignorance or willful neglect, ignore all standards and guidelines and just do their own thing. If you are responsible for security or IT in such an organization, I suggest you stop reading this now, pick an appropriate standard and begin applying it to your business. When finished, come back and read the balance of this article. 

The second group of organizations has "officially" adopted such a standard or guideline, and has made some effort to apply it. If you are in such an organization, I commend you. If, however, you just check off all the boxes and feel secure, I am forced to burst your bubble. There is no standard or guideline of which I am aware that will ensure that you are secure, even if you can honestly check off all of the boxes.

Some years ago, I coined the phrase (at least I think it was me): “Standards can be an excuse for mediocrity.” This statement applies particularly well to information security. If we meet all of the requirements of a particular standard, and don't consider how they uniquely apply to our organization, we will end up with full compliance, but mediocre security. 

The basis for any good security/compliance program is a risk assessment. Sadly, that term usually strikes fear in the hearts of mortal information security folks. While the term is scary, the process is not, as I pointed out in "The dreaded risk assessment." It is simply a process of taking a formal look at the risks common to a particular organization, and augmenting the particular standard with any additional requirements necessary to minimize the applicable risk. 

While, as I suggested above, adherence to a given standard or guideline can produce incomplete results from a security perspective, ignoring all standards and trying to do your own thing will produce results that are even worse. Some oversight organizations, including the FTC and the California Attorney General, require the organizations they oversee to achieve “reasonable” security. While they don't provide specific guidance as to what is “reasonable,” adherence to an appropriate standard can demonstrate a reasonable attempt to achieve a secure operation.

Additionally, cyber-insurance companies will typically require that a company follow an appropriate standard, in a documented fashion, before they will issue a policy. In the event of a claim, they will review compliance with the standard as part of their basis for deciding whether to pay out against the claim. Sadly, we live in a world where cyber-insurance is now a necessity for any organization.

Hopefully, you are convinced of the need to select and follow a standard, and to consider what you need to do beyond the chosen standard to achieve good and reasonable security. If so, the following is a basic road map:

Choose a standard

The number of standards and guidelines is already a bit dizzying, and more are being added each month. I generally recommend that organizations adopt a standard appropriate to their industry.

For example, healthcare organizations are usually mandated to follow HIPAA. Organizations accepting credit cards will be mandated to adhere to PCI DSS. Those in the financial services industry will have a variety of standards to consider, as outlined in a good publication by the SANS Institute.

Document your selection

To demonstrate that you have made the effort to comply with an appropriate standard, your choice and commitment need to be documented. A good place for this is your Information Security Policy document. It is a good idea to have your board or governing body affirm this selection. 

Conduct your risk assessment

Following an appropriate methodology, such as the one I suggested above, conduct an initial risk assessment. Document any additional measures you need to ensure good security. 

Implement appropriate measures

Implement security measures to address any identified requirements that you are not meeting, or that are incomplete. 

Repeat

In order to remain compliant and secure, your security program must be a living effort, including renewed risk assessments at least yearly. Document all aspects of your assessments and remediation; in the event of a breach, that documentation may be needed as evidence that you have made every effort to achieve reasonable security.

Bottom line: Compliance does not ensure good security, even if you can check off all of the boxes. Good information security requires a living effort, including periodically taking a hard look at your specific issues, and adapting your compliance to address those needs. Achieving this living program does not guarantee that you will avoid a breach, but such a program will give you the best defense possible.

Copyright © 2017 IDG Communications, Inc.
