
“By what standards should an information security program be measured?” This is a long-standing question in our field, and a myriad of experts continue to offer informed opinions on the matter.

In the absence of a major security event, the ongoing debate provides the opportunity to compare and contrast competing and congruent ideologies, and for the most part it results in a somewhat subjective exploration of the matter, which generates fodder for conference panel sessions and college seminar discussions. In the wake of a major security event, the dynamics of the discussion necessarily turn objective in nature, as liability issues quickly become the focus.

Given that there never has been – and never will be – an attainable state of “absolute security,” every entity that contributes to the establishment and maintenance of a security program assumes a level of culpability. That’s just the nature of the business.

When it comes to determining whether adequate due diligence has been exercised prior to a security event, the measure for our industry will be found in the legal tenet known as a standard of care, a term that will undoubtedly become commonplace in the security industry before long.

Simply put, a standard of care is considered to be an adequate level of prudence displayed in carrying out a set of prescribed responsibilities. With regard to most business activities, it is often measured as the average level of conduct that can be expected when compared to other members of a particular class or category of operations; for example, the average level of sanitation in a food production environment, or the reasonably expected level of durability in a manufacturing context.

Given that in some cases the failure to adhere to a level of prudence can have wide-reaching consequences, as in the examples above, many notions of a standard of care have been codified in law or regulatory mandates. While several widely recognized standards have evolved from the need to protect sensitive information and the systems on which that data resides, one is emerging as the “de facto yardstick by which corporate security programs can be measured,” according to the Cybersecurity Law Institute.

That standard of care is exemplified in the Twenty Critical Security Controls – also commonly known as the SANS 20 Critical Security Controls, the Center for Internet Security (CIS) 20 Critical Controls, and the Consensus Audit Guidelines (CAG).

The development of this set of standards was undertaken first in 2008 by the National Security Agency at the behest of the Secretary of Defense, in an effort to direct resources efficiently toward combating the most common network vulnerabilities, those that resulted in the greatest number of attack vectors.

While the initiative initially remained classified, access to the control-prioritization strategy was eventually extended to other government entities and the administrators of critical infrastructure, and then opened up to a wide variety of stakeholders charged with protecting sensitive data and systems. The standards now represent the mind-share of a broad coalition of experts from government, private industry, research and academia.

Implementing and adhering to the prescriptions outlined in the Twenty Critical Security Controls can be a daunting task, and luckily there are multiple resources available to assist in the endeavor – just search “20 critical security controls” in your browser and you will likely find what you need.

For starters though, we recommend perusing a synopsis of the recently revamped Controls as relayed by Tripwire’s Adam Montville (@adammontville), who does a fine job of breaking down the requirements one by one and providing a road map for this undertaking. Adam’s series is nearly half-way completed, and can be found on The State of Security here.

The Cybersecurity Law Institute will soon hold a session titled Defining the Standard of Care: The SANS 20 as part of a two-day conference in May at Georgetown University, designed to provide legal practitioners with a comprehensive overview of cybersecurity issues affecting organizations. This particular session will be conducted by Tony W. Sager, Director at the SANS Institute and former Chief Operating Officer of the Information Assurance Directorate at the National Security Agency.

In addition, the SANS Institute is conducting a survey on the adoption and use of the Critical Security Controls, which will help them “get a better understanding of the community that is using the Controls, find early adopters we can all learn from, and identify common barriers,” according to an email from Sager. The survey can be found here.

While some might argue that the Twenty Critical Security Controls are a rehash of the ISO 27001 standards, the fact is that they are not one and the same. While maintaining compliance under ISO 27001 may go a long way toward establishing and maintaining a standard of care, it increasingly looks as though it will specifically be the Twenty Critical Security Controls that are used to make that determination when and if there is a serious security event.

“Many organizations I work with are looking for ways to avoid mistakes and to reduce the time and effort required to achieve effective security. Rather than reinventing the wheel, they seek out authoritative guidance they can either adopt outright or easily adjust,” said Tripwire’s CTO Dwayne Melancon (@ThatDwayne).

“I’m pleased to see the increasing adoption of the Critical Security Controls. They are a tremendous resource because they are well-understood, well-vetted by the security community, and can be used to improve the security posture of virtually any organization.”
