I’ve been at the confluence of some interesting events over the last few weeks. First, I’ve been responding to an extremely comprehensive controls questionnaire sent to Tripwire by one of our large customers in the financial services industry.
This questionnaire consists of close to 120 questions touching on a broad range of potential risks that they’re concerned about as they satisfy their compliance requirements. We receive similar questionnaires from a number of customers and prospective customers on a fairly regular basis. No doubt many of you either send or receive (or likely both) similar questionnaires.
Second, on September 17, I attended a webinar presented by Richard Hunter, VP and Distinguished Analyst at Gartner, titled The Future of Global Information Security. In this webinar, Hunter explores four potential scenarios that he believes will influence the direction of information security over the next five years as a result of two strong, uncertain forces.
First, will the target of malicious activity be the Enterprise, as it has been in the past, or shift to the Individual? Second, will the source of authority during this time-frame be, as Hunter refers to it, “monolithic,” historically focused on governments as the source of authority, or “tribal,” where governments are just one of multiple powerful actors exercising authority?
So, how do these separate events – responding to a controls questionnaire and listening to a Gartner webinar – come together?
Because they got me thinking about the large number of IT security frameworks in use today, such as NIST, SANS CSC, HITRUST, COBIT, and others, and how much easier it would be for me, and potentially for many of you, if we had a single standard security framework that simplified our communication with one another. The analogy is the way the Generally Accepted Accounting Principles (GAAP) and, increasingly, the International Financial Reporting Standards (IFRS) have simplified the production and exchange of financial data between organizations on a global basis.
Rather than each organization producing its own unique compliance questionnaire that every recipient has to answer individually, they could simply request a copy of your most recent “security statements” prepared in accordance with “Generally Accepted Security Principles (GASP)/International Security Reporting Standards (ISRS).”
So, I’m interested in what you think. Would we be better or worse off with “ISRS” and oversight by an “International Security Standards Board?” What tradeoffs do you see for your organization and for information security, as a whole?
What would it take to achieve this? Does the evolution of authority towards either “monolithic” or “tribal,” to borrow Hunter’s terminology, make it either more or less likely that we could or would develop and adopt this single accepted security framework?
Feedback welcome in comments below…