
IT Security Standards

April 09, 2018

This week, I continue the computer security topic with a discussion of the security standards used by security professionals. An example is ISO/IEC 27001, which specifies an information security management system (ISMS) intended to bring information security under explicit management control, and against which an organization can be audited and certified. It belongs to the growing ISO/IEC 27000 family of information security management standards. For some people, standards are abstractions that don't seem relevant to their day-to-day jobs. In practice, security standards are both practical and useful: they give you a shared vocabulary, a checklist of what has to be covered, and a way to show auditors and customers what you have actually done.
Focus, Scope and Tactics
Instead of jumping right into specific standards, let's step back for a discussion of FST (focus, scope and tactics). The focus of security standards is to define how to protect individuals, organizations and consumers in a computing environment. "Cyber environment" is the better phrase, because the focus is on more than just computers. Scope is the question of what a standard actually covers. By necessity, a comprehensive scope must address networks, devices, software and other elements in addition to people. Tactics, the means used to carry out a security policy, are as wide ranging as the scope of the job itself, involving guidelines, tools, training and technologies. The ideal standard (or family of standards) would present a systematic solution to the challenge of cyber security. It might include a base that every organization needs, plus plug-ins for specific needs such as those of the financial sector. Does such a family exist?

NIST Cybersecurity Framework
According to one recent survey, 70 percent of responding organizations view NIST's framework as a security best practice, while 50 percent see the level of investment it requires as a barrier to adoption. The same study found the NIST framework to be the most popular choice among security frameworks planned for implementation over the next year. So, what is the NIST Framework?

The framework consists of standards, guidelines and best practices for managing cybersecurity-related risk. It describes a prioritized, flexible and cost-effective approach intended to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. Strictly speaking, NIST publishes it as a voluntary framework rather than a standard, although I use the two terms loosely in this post. Here is the first paragraph of the document itself, which sets a serious tone.

"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the nation's security, economy and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers."

Organization of the NIST Standard

The standard covers a complex topic, yet its overall structure is straightforward. At its center (the Framework Core) are just five functions: identify, protect, detect, respond and recover. Each function is divided into categories, and each category into subcategories (the subcategories are not shown in the table). For identify, the categories are asset management, business environment, governance, risk assessment and risk-management strategy. Because the subcategories are the level at which an organization states what it has actually implemented, they are also the level at which you assess yourself and roll the results up to see which of the five functions are weakest.

Table 1. NIST Function and Category

If you are new to NIST, open the standard itself and just read the figures and tables. You'll get the big picture. If you want more, explore NIST's Cybersecurity Framework website, where you will find online learning material.
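To make the function/category/subcategory hierarchy concrete, here is an added example (my own code, not NIST's and not part of the original post) that rolls a self-assessment up to the five functions and lists the gaps. The excerpt of the Core is constructed: the Identify categories are the ones named above, the other four functions each get a single category, and only a few subcategory IDs are listed per category, so the totals are not the real framework totals. The identifiers follow the CSF v1.1 naming (ID.AM, PR.AC, and so on); the assessment results, and the deliberately bogus ID "XX.YY-9", are constructed for illustration.

```python
from fractions import Fraction

# Constructed excerpt of the CSF Core: Function -> Category -> Subcategory IDs.
# Only a handful of subcategories per category are listed, so these totals
# are illustrative, not the framework's real counts.
CORE = {
    "Identify": {
        "ID.AM Asset Management": ["ID.AM-1", "ID.AM-2"],
        "ID.BE Business Environment": ["ID.BE-1"],
        "ID.GV Governance": ["ID.GV-1"],
        "ID.RA Risk Assessment": ["ID.RA-1"],
        "ID.RM Risk Management Strategy": ["ID.RM-1"],
    },
    "Protect": {"PR.AC Identity Management and Access Control": ["PR.AC-1", "PR.AC-4"]},
    "Detect": {"DE.CM Security Continuous Monitoring": ["DE.CM-1"]},
    "Respond": {"RS.RP Response Planning": ["RS.RP-1"]},
    "Recover": {"RC.RP Recovery Planning": ["RC.RP-1"]},
}

# Credit earned by each assessment status. A subcategory missing from the
# assessment is "not_assessed" and earns nothing: silence counts as a gap.
STATUS_WEIGHT = {
    "implemented": Fraction(1),
    "partial": Fraction(1, 2),
    "not_implemented": Fraction(0),
    "not_assessed": Fraction(0),
}

# Constructed self-assessment for a hypothetical organization. "XX.YY-9" is
# not a CSF ID; it is here to show that a typo cannot silently add coverage.
ASSESSMENT = {
    "ID.AM-1": "implemented", "ID.AM-2": "partial", "ID.GV-1": "implemented",
    "ID.RA-1": "not_implemented", "PR.AC-1": "implemented", "PR.AC-4": "partial",
    "DE.CM-1": "implemented", "RC.RP-1": "not_implemented", "XX.YY-9": "implemented",
}


def known_subcategories(core):
    """Flatten the core into the set of subcategory IDs it defines."""
    return {sub for cats in core.values() for subs in cats.values() for sub in subs}


def unknown_ids(core, assessment):
    """Assessment entries whose ID is not in the core (typos, wrong version)."""
    return set(assessment) - known_subcategories(core)


def status_of(assessment, sub_id):
    """Look up a subcategory's status, defaulting to not_assessed."""
    status = assessment.get(sub_id, "not_assessed")
    if status not in STATUS_WEIGHT:
        raise ValueError(f"unknown status {status!r} for {sub_id}")
    return status


def coverage_by_function(core, assessment):
    """Roll subcategory credit up to each function as an exact fraction."""
    result = {}
    for function, categories in core.items():
        subs = [s for sub_list in categories.values() for s in sub_list]
        earned = sum(STATUS_WEIGHT[status_of(assessment, s)] for s in subs)
        result[function] = Fraction(earned, len(subs))
    return result


def gaps(core, assessment):
    """Every subcategory not fully implemented, in core order, with its status."""
    out = []
    for function, categories in core.items():
        for category, subs in categories.items():
            for s in subs:
                status = status_of(assessment, s)
                if status != "implemented":
                    out.append((function, category, s, status))
    return out


if __name__ == "__main__":
    for function, frac in coverage_by_function(CORE, ASSESSMENT).items():
        print(f"{function:<8} {float(frac):6.1%}")
    for gap in gaps(CORE, ASSESSMENT):
        print("gap:", *gap)
    print("IDs not in the core:", sorted(unknown_ids(CORE, ASSESSMENT)))
```

Two choices matter here. Unassessed subcategories score zero and appear in the gap list rather than being skipped, so an incomplete assessment cannot look better than a complete one. And IDs that do not exist in the core are reported separately instead of being counted, which catches both typos and assessments written against a different framework version.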

What’s Next?
Next week, I’ll finish the computer security topic with a focus on data in the context of computer security. According to Techopedia, data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption.
