
Often in the security field we hear the question asked, “Who’s watching the watchers?” It occurred to me recently that one might make a similar rhetorical quip about other aspects of our field – in particular, the question of “Who’s standardizing the standards?”

I wrote a piece last month, titled SANS Twenty Critical Controls as an Information Security Standard of Care. The article was inspired by several conversations I had been having with some lawyer types regarding how the legal system is starting to catch up with information security, and how the notion of a standard of care is becoming a major factor in evaluating an organization’s level of liability in a post-security event scenario.

There are dozens of standards that address issues of adequate information security, some of which are general and meant to be applied widely and some which are specific to a particular industry vertical. While compliance mandates have legal teeth of their own, to an extent it is still largely up in the air as to which of the standards the courts will turn to when determining if an organization was making good faith efforts to maintain a minimally acceptable security program.

In the article, I noted that the Twenty Critical Security Controls – also commonly known as the SANS 20 Critical Security Controls, the Center for Internet Security (CIS) 20 Critical Controls, and the Consensus Audit Guidelines (CAG) – may have emerged as a leading contender after the Cybersecurity Law Institute recently anointed it as being the “de facto yardstick by which corporate security programs can be measured.”

A friend who happens to be the CSO for a large Fortune 500 company shot me a somewhat terse but friendly series of emails inquiring as to why – between my article and the series my associate Adam Montville is doing on the 20 Critical Controls – we as a company were so enamored with the SANS 20.

“You have a voice in the industry. People are listening. You and Tripwire have a responsibility to do the right thing,” they advised. “We need to think and then act. Not just blindly trust because it’s something that we think that we know, but have never truly verified.”

While I would not go so far as to say we as a company are wholly invested in the 20 CSC, we are in a unique position after our acquisition of nCircle to boldly assert that we are the leading network security provider with solutions to address the first four of the 20 CSC, a point which I relayed to my associate. After a series of impassioned exchanges, I asked if they would consent to a guest post or interview on the matter. As much as they wanted to, they could not due to extenuating circumstances, some of which I cannot go into here.

“Unfortunately, cybersecurity is a very sensitive issue for my public affairs team and we’re at the crossroads to possible regulation in many sectors, including mine, so I can speak with you, but not officially and you can’t directly quote me,” they said.

They did however consent to my using some of the exchange if attributed anonymously. Aside from the fact that the 20 CSC are mainly being promoted by a for-profit organization with a stake in their adoption, my friend’s main gripe is that the 20 CSC are merely technical controls and not holistic enough to address the issues facing organizations where information security is concerned.

“For many years, we have all come to know and trust the SANS Top 20 as a point of reference for good technical controls to address the security problem. A Technology only approach won’t really help in the long run,” they said. “We all know that security is a balance of People, Process, and (then) Technology.”

While that is absolutely true, this sentiment is coming from a professional who administers a program at a much more mature stage than most organizations. As I mentioned in the previous article, this set of standards was developed by the NSA at the request of the Defense Department in an effort to remediate the most common network vulnerabilities that accounted for the greatest number of attacks, which makes the 20 CSC the best place for an organization to start.

They then pointed out that the 20 CSC were not meant to be an all-encompassing standard, which is quite true. “It was never meant to be a standalone body of work. OWASP Top 10 works with it. So do PROCESS-oriented security frameworks such as FISMA, COBIT, and ISO 27001,” my CSO friend explained.

“ISO 27001 is doable by most if they took the same time to implement it like they would the CAG, it’s much more holistic, and truly internationally adopted. The governments of Germany, Japan, etc. have adopted ISO,” they continued.

And they are right, ISO has a tremendous presence internationally. So that got me wondering why the ISO standards have not gained more ground here in the U.S., and, given that they are more holistic in nature as my CSO pal pointed out, why the 20 CSC seemed to be gaining ground over ISO with the American legal community.

I was out to dinner in London with some associates during the week of the Infosecurity Europe conference last month when I brought the topic up to Dan Houser, a well known mover and shaker in the industry with a string of letters after his name as long as my arm, and who also happens to be a sitting member of the (ISC)2 Board of Directors.

I joked that 2013 had yet to be christened as “The Year of…” something, and suggested perhaps this is the year of the standard. Much to my surprise, Dan responded that I might be on to something – proving once again there is always a first time for anything.

Over several subsequent conversations, Dan and I tossed around the idea of doing a series of articles examining not only the various standards that have evolved over the last twenty years, but the entire process of standardization that the industry is going through, and will continue to go through for who knows how long.

Dan’s very apt observation was that it is akin to the process in other disciplines, and he pointed to the fact that the art of medicine is thousands of years old, but it was only one century ago that it actually became “standardized,” which plays directly into my original premise of defining an infosec “standard of care.”

We are not sure exactly where we will end up going with this series, and that is kind of the point. This is a young industry, and although the effort to set standards began almost on day one, there is still a lot of room for dialogue, consensus and disagreement – as illustrated by my to-remain-unnamed CSO friend.

We will be tapping many bright and knowledgeable folks for this series, and if at any time you want to contribute to the conversation, feel free to send a tweet to me (@AnthonyMFreed) or Dan (@SecWonk) with the hashtag #SecStandard, and we will see where the conversation takes us…

  • Jim Westlake

    Interesting piece, and great timing for me.

    As a physical security bod (you know, an old fashioned lock, key and burglar alarm type), it's clear to me that my industry has yet to fully adopt standards in some areas. After over a century of burglar alarms we are still writing standards for them, and I'm not just talking about revising old ones in light of new technology. The question then is, what makes you think infosec will do any better?

    My world is now being deeply affected by yours and how that will alter standards is anybody's guess. It is certain that physical security practitioners like me are struggling to understand the ramifications of that little Ethernet port on their devices. I'm lucky that my work means I talk to infosec people, but most of my peers don't.

    Timing? Well, I'm putting a dissertation together about information sharing in the security world, and infosec just has to be a big part of that, doesn't it? :-)

  • Jim,

    The world of infosec is merely an extension of the world of physical security in many respects – the locks and caches have evolved, but the principles are the same: protect valuable stuff from the bad guys. Standards will always be in flux to an extent as technology, circumstances, and the techniques of our adversaries change. It is the process driving the standards that is most interesting here, and open dialogue and debate are useful in understanding where we are coming from and where we are headed. I appreciate your mention of what a long and still ongoing process it has been to create standards in your field, and I welcome any more insight you can provide on the matter. I am sure your dissertation will be quite interesting – let me know if you need any good infosec experts to tap – I know more than a few top shelf thinkers in this arena…

    • Jim Westlake

      Anthony,

      Thanks for the offer; sadly my deadline is this weekend for finishing and passing to the printer. So it's all over bar the polishing now; it would have been good to have some more insight into that world, but maybe next time?

  • Jim,

    Best of luck!