Using a Security Control Framework
By Brian Boyd (CISM), Director at i-confidential
I’m sure there are smarter people than me out there who understand this road sign. For everyone else, it means, ‘Vehicles carrying explosives prohibited.’ I need to come back to this...
In a previous article, Do it Yourself?, I talked about the importance of getting the right people to carry out a DIY security review. This time it’s about what they use, where industry standards come to the fore, and a heads up on a classic ‘gotcha.’
Assuming you’ve already decided who will carry out your assessment, how should they go about it and what should they use to review against? In some ways, the answer to ‘what’ you use will determine the ‘how.’ If you have nothing currently, then you are probably looking at an all-encompassing security standard. But which one?
Today’s standards are better than ever, but they can still be complex and opaque. ISO27001:2013 has 114 controls in it. Each of those controls has subsections that may or may not be applicable. I like the fact that the control framework we use at i-confidential is a combination of standards based on real world knowledge. All the standards out there, however, have something to offer, and I appreciate how some approach aspects of security in unique ways. We build that into our own framework, and if you are more experienced then you should too.
Choosing a standard, or combination of standards, should help clarify how you break down the assessment to look at all the different security controls and attributes. For example, if you use ISO you will have sections such as Asset Management, Human Resource Security, and Access Control. If you were to use ISF Standards of Good Practice, you may have sections aligned to Systems Development or End User Environment.
i-confidential’s framework is built around how organisations are structured. This ensures we get the right information for the right sections and can tell the whole story for a given risk.
In the case of Asset Management, it’s a fundamental control for several areas within security, but viewed in isolation it’s difficult to show the risk of not having a good process in place. Combine it with Compliance Management or Anti-Virus Deployment though and it takes on a whole new level of importance. It also allows us to report in a more meaningful way, such that ownership of any identified risk becomes an easier conversation to have.
On to the classic gotcha. One factor that often trips up organisations when carrying out a review is that some controls may be managed or owned by third parties. It could be a service that is provided or maybe an outsourcing agreement. This can be difficult to deal with if there is no ‘right to audit’ clause in the contract. You may find that the third party is not interested in answering your questions or may even charge you. This potential scenario should be considered from the outset.
So, getting back to the road sign... what’s my point?
Well, during reviews, I regularly get asked why I’m enquiring about a specific aspect of security. Usually, it’s because the people being reviewed have never thought about a particular control, or at least not in the way I’m interested in it.
As drivers, we know there is a highway code, and we generally understand what it means. Very few people know every detail though and get along just fine. That is, until they don’t. Under certain circumstances, without the right experience and knowledge, we might not ask the right questions or interpret the answers in the right way.
I mentioned at the start that the ‘what’ will determine the ‘how.’ In the next article, I’ll talk about how the people you selected, and the control standard you decided on, can now be used to carry out the actual review.