As we have noted in the past, Andrew S. Tanenbaum teaches in his classic text on Computer Networks that “The nice thing about standards is that you have so many to choose from.”
This adage is especially true when it comes to cybersecurity. We encounter so many standards in the corporate world that in many cases they become totally ineffective. This is an area requiring continued technical leadership; without it, standards will have little impact. But with technical leadership, good security standards can make a world of difference.
Our recommendation is to focus on your business needs first, but then select the right body of standards for your organization and your mission. Once you select your corporate approach to standards, remember you will get what you measure. Enforce your standards.
Here is a high level overview of key cybersecurity standards:
- Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG): A publication of best practices in cyber defense consisting of 20 key actions, called security controls, that can reduce/mitigate most threats. These are the easiest to understand, easiest to implement and most effective approaches we know of.
- ISO 27001 and 27002: Focused on helping organizations manage the security of assets including financial information, intellectual property and employee data. If you are a large organization already following ISO processes, this may be a worthwhile approach.
- NIST Cybersecurity Standards: NIST has been contributing to best practices and standards for decades. Many of their standards, like Special Publications 800-12 (overview of controls), 800-14 (common principles), 800-26 (management advice), 800-37 (Risk Management Framework) and 800-53 (security and privacy controls), are aimed at the federal government but can be instructive to companies. Their work on a Cybersecurity Framework aims to help industry find more common approaches and a common language for cybersecurity. The benefit of this framework to companies seems to be in getting everyone on a common wavelength, including suppliers when it is enforced via contractual mechanisms.
- COBIT 5: Tools, resources and guidance by ISACA.org. COBIT stands for Control Objectives for Information and Related Technology. This framework helps organizations leverage best practices in multiple domains including audit, risk management, regulatory compliance and governance of IT.
- RFC 2196: Published by the IETF, so as you can imagine it is focused on policies and procedures for sites that have systems on the Internet (which means, by the way, all systems these days). Written long ago but still very valid.
- ISA/IEC-62443/ISA-99: The International Society of Automation (ISA) Security Compliance Institute functions within ISA’s Automation Standards Compliance Institute (ASCI) to provide professional management of this body of standards, which focus on industrial automation control systems.
- IASME: A UK-based standard for information assurance at small-to-medium enterprises (SMEs), based on best practices and accredited by the UK Government. It is supported by certification bodies that can audit against it, and it is aligned with cybersecurity offerings in ways that may prove especially valuable.
Standards Bodies
It is also good to know your standards bodies. Not every standards body deals with topics of interest to IT-focused CTOs. The list below is an extract from the Wikipedia article that includes only those groups I think are working on topics of interest to CTOs.
- 3GPP – 3rd Generation Partnership Project
- 3GPP2 – 3rd Generation Partnership Project 2
- AIIM – Association for Information and Image Management
- ANSI – American National Standards Institute
- DMTF – Distributed Management Task Force. Develops and maintains standards for systems management of IT environments in enterprises and the Internet.
- Ecma International – Ecma International (previously called ECMA). Computer standards with a business-like approach.
- GS1 – Global supply chain standards (identification numbers, barcodes, electronic commerce transactions, RFID)
- IBTA – InfiniBand Trade Association
- IEEE – Institute of Electrical and Electronics Engineers
- IETF – Internet Engineering Task Force
- ISO – International Organization for Standardization
- ITU – International Telecommunication Union
- Liberty Alliance – Liberty Alliance
- Media Grid – Media Grid Standards Organization
- OASIS – Organization for the Advancement of Structured Information Standards
- OGC – Open Geospatial Consortium
- OMA – Open Mobile Alliance
- OGF – Open Grid Forum (merger of the Global Grid Forum (GGF) and the Enterprise Grid Alliance (EGA))
- TM Forum – TeleManagement Forum
- W3C – World Wide Web Consortium
- WSA – Website Standards Association
Government Privacy Standards
- GDPR: The most famous of the government compliance standards.
- HIPAA: Focused on patient data privacy.
A note about standards and meeting the compliance requirements of GLBA, SOX, HIPAA or PCI:
Staying in compliance with regulations and requirements of laws like GLBA, SOX, HIPAA or the important industry PCI guidance requires constant technical leadership, and many of those requirements also come with specific technical guidance. However, all of them give you a significant degree of leeway in how you meet the requirements. The standards reviewed above can help you address them. More important than standards, though, is your management approach to cybersecurity. This is a favorite topic of ours and is squarely in the sweet spot of our risk mitigation work. We work with Fortune 1000 firms to evaluate management approaches, helping them meet compliance needs while at the same time improving cybersecurity support to business and mission needs. Contact Us for more information.
Special Standards for Federal Government Business Growth
The Three Key Concepts of FISMA, FIPS and FedRAMP
FISMA – Federal Information Security Management Act – designed to increase security controls by creating auditable, repeatable compliance processes. The reality? It has increased security processes and provides clear benchmarks, but it creates mountains of extra work that many believe actually prevents IT professionals from doing their jobs.
FIPS – Federal Information Processing Standards – define key aspects of how information is used and disseminated government wide. Key standards are 140-2 (security requirements for cryptographic modules), 200 (minimum security requirements for federal information and information systems) and 201-1 (personal identity verification for federal employees and contractors). All the FIPS standards have importance, yet these three are most frequently encountered.
- FIPS 140-2 is most often referenced in the context of mobile devices. It defines the encryption standards required for any device that will connect to systems such as e-mail. It also defines the encryption required to protect personally identifiable information (PII), which many agencies hold in abundance.
- FIPS 200 is, plainly and simply, the set of minimum federal requirements for information systems. It defines security standards and more.
- FIPS 201-1 defines how personal identity verification (PIV) systems should function (and who needs them). PIV systems are tethered to Public Key Infrastructure (PKI) encryption and can provide substantially enhanced security capabilities.
FedRAMP – The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that aims to save cost, time and staff for government organizations performing security assessments. Information on FedRAMP is provided at the CIO.gov website.
Related Reading:
Technological Dimensions of Cyber Defense