Are Standards worth the paper they are printed on? - Part 1
Mike Thompson
There are several Information Security Standards in the marketplace that are designed to assist information technology security (ITS) practitioners in protecting their organisation’s information and systems. I argue, and have done for many years, that they actually do quite the opposite. They confuse practitioners and do not work towards the (assumed) goal of improving information security. Here’s why.
The Check-list Approach
I am often asked if we can certify an organisation as ISO 27002 compliant. My answer is “No - that it is impossible”, because the ISO doesn’t actually stipulate any specific controls or requirements with which to comply.
The ISO is really just a check-list of areas you need to consider for your business, with the risk profile of your business dictating which of those elements you implement and to what extent. You can only be accurately audited for compliance by looking at whether the controls in place actually match your organisation’s risk profile.
I will be discussing Risk Management in more detail in Part 2 (coming soon) but the essence of the problem is that the ISO 27001 certification process relies on the use of unworkable risk management standards such as ISO 27005 to determine what actual controls described in ISO 27002 are appropriate for your organisation. ISO 27002 also refers to business continuity. This may have been relevant in the past, but ISO 22301 is now the correct standard that should be applied for business continuity.
ISO 27001 certification actually is more about compliance to a high level generic process with a risk assessment as the backbone, but no practical and effective risk assessment methods are actually provided beyond motherhood statements. Certification will not provide reliable assurances that you are secure, only that you have completed a set of generic steps. You certainly won’t get a clean bill of health with that.
Don’t get me wrong, ISO 27002 is a great check-list of things you should consider, but it doesn’t specifically say what you should implement. You will still need to adopt a quality risk assessment method to determine the appropriate controls to use in your organisation. Unfortunately ISO 27005 and other generic risk assessment techniques are not the answer.
Old World vs New World
The Australian Government Information Security Manual started out as a standard for use in the Department of Defence and, slowly but surely, made its way into other government areas, including state governments.
While this document and associated references contain some useful material, I’m highly critical of it for two reasons - it re-invented the wheel instead of using or referring to available ISO standards such as ISO 27002 and ISO 22301, and it’s still full of outdated concepts, such as using the document-centric and confidentiality-biased classification scheme as the basis for determining information security needs.
The classification scheme is also applied to controls, assets and equipment which is, quite frankly, a ridiculous concept. It should only apply to data and it should include other equally important sensitivity criteria including integrity. In many cases it doesn’t matter who can see the information, but rather, the accuracy of what they see. For example, if a government agency is publishing details on acceptable levels of chlorine in public pools, I would hope the decimal point was in the right place before my kids went for a swim.
Recently the document has gone through a fresh coat of paint and has begun to recognise the need for a less prescriptive risk-based approach, but it still looks more like a face-lift than a rethink. Some of the concepts may work well for Defence, but are a very poor fit for most other organisations.
Base-line Standards
PCI
The PCI Standard applies to the use of payment cards and uses a base-line approach. This mandates a foundation set of controls that organisations should have in place if they are managing payment card data. The problem is that a baseline approach encourages the assumption that just implementing the PCI Standard will ensure you are covered, but ask the ex-CIO and ex-CEO of Target in the US if that worked for them.
It is OK to establish the PCI Standard as the fall-back position, but you run the risk of under-protecting key assets and, in some cases, over-protecting lesser assets if you use a baseline approach. There is no such thing as a ‘one size fits all’ approach for security.
NIST, CSC and ASD Strategies
The National Institute of Standards and Technology (NIST) provides the American Federal Standards for Information Security. It is a very good, practical description on the range of controls you would typically have available and gives an indication of where you would apply those controls, for example, which controls would be relevant in a high-risk environment.
The Critical Security Controls for Effective Cyber Defence (CSC) is another useful reference that describes a simplified set of basic controls that protect against the majority of common threats. The Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions also includes similar targeted advice.
I would encourage organisations to have a look at references like these and get some good common-sense, general protection in place quickly.
The recommendations are generally very practical, for example, it always makes sense to regularly patch, but it can still leave you poorly protected in critical areas. The base-line approach encourages organisations to bypass the risk profiling process. It provides an easy way out, but potentially leaves them exposed. While baseline standards can score some quick wins they don’t give you the whole picture. You will still need to perform analysis to profile your organisation’s specific needs.
Relying solely on standards as your blue-print for information security will leave you exposed, they only offer generalised considerations, baseline estimates, or are outdated and misleading. Standards simply lack practical and specific guidance on how to work out the appropriate security for your organisation.
Next month, in Part 2, we will look at privacy and risk standards and what you can do to make sure you achieve better security outcomes.
This article is brought to you by Enex TestLab, content directors for CSO Australia.