Choosing a Security Best Practice Standard for Your Organization
Information security and corporate network defense are tough. In a constantly changing and advancing industry, it can be hard to figure out where to start when you’re trying to build or improve a corporate security program. Standards and benchmarks are not a sexy or exciting topic, but when you need a starting place to figure out how to navigate the infosec climate, the right security best practice standard can be just what your organization needs. Basing strategic decisions on a combination of best practice guidance, knowledge of your organization’s risk profile, and expert advice is a recipe for a successful security program. But there’s a lot of healthy discussion around which set of security standards is better or easier to use. The truth is, though, there isn’t one security best practice standard that fits all, and they’ve all got pros and cons.
Why Do You Need a Security Best Practice Standard?
A framework or guide of information security best practices is analogous to a road-map for your organization. If you’re not using anything to guide your strategic security decisions or inform your tactical configurations, how do you know if they’ll have the impact you expect? You’ll quickly find yourself lost without a “road-map,” leading to an unorganized path forward that can leave aspects of your organization’s security woefully under-managed. While you’ve still got to customize your approach to all of the frameworks we’ll discuss here, it’s incredibly valuable to have a starting point when jumping in.
What Security Best Practice Standards Are Out There?
When you’re looking at which framework is right for your organization, it may seem overwhelming at first, as there’s not really a centralized location to inform your decision regarding which might fit your needs best. Let’s look at a couple of the most popular and why you might decide to use them:
CIS Top 20
The Center for Internet Security (CIS) provides a set of security best practice standards they refer to as the Top 20. These twenty items, or categories of security controls, are what they recommend for any organization, presented in the order in which they recommend they be implemented. This standard is widely used across the industry and is meant to be accessible for businesses of all sizes. Most of the time, this is the standard we use to perform strategic-level assessments of your security program.
In addition to the Top 20, the CIS also provides a robust set of security benchmarks to use when hardening systems and devices on your network. These benchmarks are an integral starting point for anyone looking to implement configuration lockdowns and hardening throughout their network. If you don’t have a more specific framework that your organization has to adhere to (e.g. PCI, HIPAA, NIST), then the CIS Top 20 is probably a great place to start.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) was directed by Executive Order to develop a voluntary framework that organizations could adopt to address risks to their computer infrastructure. They came up with the Cybersecurity Framework, or CSF. While this set of standards and best practices was developed to protect critical infrastructure, it has quickly been adopted by a variety of government and commercial entities. This framework takes a unique approach by addressing controls as the maturity of your security program increases, giving you a good gauge of where your business stands compared to others. Unsurprisingly, we see this implemented at government contractors most frequently.
ISO 27001
The International Organization for Standardization (ISO) released their 27000 family of standards as an internationally recognized information security management benchmark many years ago. The singular goal of 27001 is to help small, medium, and large businesses protect their information assets. While this is a large, robust, and globally recognized standard, it is also one of the most cumbersome and inaccessible of the standards that we’ve discussed so far. ISO 27001 also has its own certification and accreditation standard that can be used by third parties to assess organizations trying to adhere to it, but the certification process for an individual to become an auditor is also fairly painstaking. Still, this security best practice standard is the de facto choice for companies that are operating globally or have third-party assessment regulatory requirements.
PCI DSS
The last security best practice standard that we’ll discuss here (although there are many more out there) is the Payment Card Industry Data Security Standard (PCI DSS). This one has a more specific application than any of the others we’ve noted. This standard was developed by the credit card brands as a data security standard for any merchants or service providers that interact with or affect the security of consumer cardholder data (e.g. credit card numbers). Now, your bank will let you know if you need to adhere to this standard and prove compliance, but many organizations choose to adopt this security standard even when they’re not mandated to. It has a lot of great, common-sense controls for data security of any kind, and parallels can easily be drawn from protecting cardholder data to protecting electronic health data. For example, the PCI DSS stresses the importance of network segmentation, which can and should be employed in any industry.
As I mentioned, these are only a handful of the security best practice standards that are out there. Many more options are available that may fit your organization better. Or, you may prefer to combine elements of more than one of these standards when developing your strategic vision and corporate security roadmap. Whatever the case may be, reach out if you need help or just want to discuss some options in this realm.