Using a Security Control Framework
Head of Technical Delivery at i-confidential
I’m sure there are smarter people than me out there who understand this road sign. For everyone else, it means, ‘Vehicles carrying explosives prohibited.’ I need to come back to this...
In a previous article, Do it Yourself?, I talked about the importance of getting the right people to carry out a DIY security review. This time it’s about what they use, where industry standards come to the fore, and a heads-up on a classic ‘gotcha.’
Assuming you’ve already decided who will carry out your assessment, how should they go about it and what should they use to review against? In some ways, the answer to ‘what’ you use will determine the ‘how.’ If you have nothing currently, then you are probably looking at an all-encompassing security standard. But which one?
Today’s standards are better than ever, but they can still be complex and opaque, with large numbers of controls and corresponding subsections that may or may not be applicable. At i-confidential, we base our Security Health Check on the ISF's Standard of Good Practice (SOGP). It is a comprehensive, globally adopted security framework, which is also aligned with a wide variety of other external standards and frameworks, including ISO, NIST, and the CSA Cloud Control Matrix.
All the popular standards out there, however, have something to offer, and it's beneficial to appreciate how some approach aspects of security in unique ways. We build that into our own security thinking, and if you are more experienced, you should too.
Choosing a standard, or combination of standards, should help clarify how you break down the assessment to look at all the different security controls and attributes. For example, if you use ISO you will have sections such as Asset Management, Human Resource Security, and Access Control. If you were to use SOGP, you may have sections aligned to Systems Development or End User Environment.
It's important that the framework you use takes into account how organisations are structured. This ensures you get the right information for the right sections and can tell the whole story for a given risk.
In the case of Asset Management, it’s a fundamental control for several areas within security, but viewed in isolation it’s difficult to show the risk of not having a good process in place. Combine it with Compliance Management or Anti-Virus Deployment though and it takes on a whole new level of importance. It also allows you to report in a more meaningful way, such that ownership of any identified risk becomes an easier conversation to have.
On to the classic gotcha. One factor that often trips up organisations when carrying out a review is that some controls may be managed or owned by third parties. It could be a service that is provided or maybe an outsourcing agreement. This can be difficult to deal with if there is no ‘right to audit’ clause in the contract. You may find that the third party is not interested in answering your questions or may even charge you. This potential scenario should be considered from the outset.
So, getting back to the road sign... what’s my point?
Well, during reviews, I regularly get asked why I’m enquiring about a specific aspect of security. Usually, it’s because they have never thought about a particular control, or at least not in the way I’m interested in it.
As drivers, we know there is a highway code, and we generally understand what it means. Very few people know every detail though and get along just fine. That is, until they don’t. Under certain circumstances, without the right experience and knowledge, we might not ask the right questions or interpret the answers in the right way.
Selecting the right security framework to assess your organisation is a vital step in the DIY approach, but how you use it matters just as much, and will greatly impact your results.