The Defensive Security Podcast talked last week about comments made by the California attorney general in releasing a study of data breaches in that state. While the report itself did not include any earth-shattering insights, a related comment has caused quite a stir in the information security community. The AG indicated that those organizations not implementing the 20 controls discussed in the Center for Internet Security's Critical Security Controls document would not be considered to have "reasonable security."
Now, I have great respect for the Center for Internet Security. In a perfect world, every organization would already have all 20 controls in place. Sadly, reality is somewhat different.
The need to implement 20 controls does not sound like a real problem on the surface. If you examine the 20 controls in the Center's document, however, you will quickly find that each one breaks down into five to 10 sub-controls. Overall, a large, well-funded company would not find them an insurmountable challenge to implement. But for those in the small and midsize business world, full implementation would be extremely difficult, at best.
The California attorney general's comments obviously do not apply outside of California, and they are not considered binding in any way (yet). This is part of a trend we are seeing across the country, however. Public officials are searching for solutions, and, finding no easy answer, they adopt some formal set of security standards and attempt to make all those organizations they regulate follow them. We have seen this, for example, with the FTC citing NIST standards in its enforcement actions.
A real-world example for me involves a smaller insurance company, which is HIPAA-regulated. I am helping the company with privacy policies in preparation for an audit by the HHS Office for Civil Rights (OCR). It knows enough to have a designated privacy officer, a very sharp attorney, but it doesn't have a big privacy or security team, given its size. In preparing for the audit, however, it is clear that the company's size doesn't matter to the regulators. It has a number of hoops through which it must jump, one way or the other.
Another of my customers, this one a small, level 1 PCI company, must implement the same controls as the largest credit card processors in the country.
I am not against standards like HIPAA or PCI. They do serve a useful purpose. That being said, their weakness is that they offer little flexibility based on the size of the organization. While the goal of each, improved information security, is important, they do not serve society well if they put smaller companies out of business in the process.
If your smaller organization is in one of the regulated industries, at least for the time being you have no choice but to meet the full regulatory requirements. My best advice is to find competent help to meet the standards.
If you do not fall under one of the large bodies of regulations or guidelines, you are not off the hook. The industry is seeing increased scrutiny from a wide variety of federal and state agencies and industry groups. While they may not hold organizations to a particular standard, they will expect you to have a structured and documented approach to information security and risk management.
This same requirement applies if you want a cyber-insurance policy that will actually pay off when needed. This is achievable without a large staff or big budget, but it takes some work. Consider the following approach:
Examine your risks
Every company is different and, as such, will have different risks. For example, an e-commerce company has a completely different risk profile than a manufacturer that sells products through channels. You need to understand your specific risks, so you know what to focus on. This doesn't have to be an extremely formal process, but it does need to be recorded and updated. I suggested a simplified approach in The Dreaded Risk Assessment.
Define your controls
Once you know what risks to focus on, figure out how you will address the higher priorities. In the security/compliance world, we call these controls. If you run an e-commerce business, for example, you might decide that a high risk was someone hacking into your Web server. As a control, you might implement monthly vulnerability scans by a third party and a documented approach to managing your patches, including who reviews the scan results and how quickly findings must be fixed. A scan that nobody acts on is not a control.
A variety of published standards, including Critical Security Controls mentioned above, provide great guidance on controls for particular risks. Controls don't necessarily have to be complicated, as long as they do the job.
Write them down
Once you have controls established, record them in written form, and share them with everyone in your organization. If you get a visit from a regulator, having this material in writing will help your case.
Follow them
This seems like it goes without saying, but I have seen some assume that just having the controls in writing solves the problem. To be safe and survive scrutiny, you must follow the controls, and be able to offer evidence that you are following them. Logs, scan reports, change records or other documents showing that the controls are actually operating are a must.
Review them regularly
Information security is a volatile field. As such, your risk profile, controls and their effectiveness must be periodically reviewed, and adjusted as required. Again, this does not have to be a highly structured process. For a smaller company, you can simply get the key people in a room, talk through your process and agree on changes.
Bottom line: Security standards like the Critical Security Controls provide great guidance to organizations of all sizes. Fully implementing them in a smaller business can be impractical. Such organizations can, however, have a structured, documented approach to compliance that will stand up to scrutiny.
This article is published as part of the IDG Contributor Network.