There is such an abundance of standards for managing Information Security that it is difficult to decide which specific standard to follow! So don’t pick just one. The goal should be to build an Information Security Management System (ISMS) that suits your needs, picking and choosing the parts you need most.

Here are the parts of the most common standards:

ISO 27002 – Information technology – Security techniques – Code of practice for information security management from the International Organization for Standardization (ISO)

  • Security Policy

  • Organization of Information Security

  • Asset Management

  • Human Resources Security

  • Physical and Environmental Security

  • Communications and Operations Management

  • Access Control

  • Information Systems Acquisition, Development and Maintenance

  • Information Security Incident Management

  • Business Continuity Management

  • Compliance

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association (ISACA)

Plan and Organise

  • PO1 Define a strategic IT plan

  • PO2 Define the information architecture

  • PO3 Determine technological direction

  • PO4 Define the IT processes, organisation and relationships

  • PO5 Manage the IT investment

  • PO6 Communicate management aims and direction

  • PO7 Manage IT human resources

  • PO8 Manage quality

  • PO9 Assess and manage IT risks

  • PO10 Manage projects

Acquire and Implement

  • AI1 Identify automated solutions

  • AI2 Acquire and maintain application software

  • AI3 Acquire and maintain technology infrastructure

  • AI4 Enable operation and use

  • AI5 Procure IT resources

  • AI6 Manage changes

  • AI7 Install and accredit solutions and changes

Deliver and Support

  • DS1 Define and manage service levels

  • DS2 Manage third-party services

  • DS3 Manage performance and capacity

  • DS4 Ensure continuous service

  • DS5 Ensure systems security

    • Management of IT Security

    • IT Security Plan

    • Identity Management

    • User Account Management

    • Security Testing, Surveillance and Monitoring

    • Security Incident Definition

    • Protection of Security Technology

    • Cryptographic Key Management

    • Malicious Software Prevention, Detection and Correction

    • Network Security

    • Exchange of Sensitive Data

  • DS6 Identify and allocate costs

  • DS7 Educate and train users

  • DS8 Manage service desk and incidents

  • DS9 Manage the configuration

  • DS10 Manage problems

  • DS11 Manage data

  • DS12 Manage the physical environment

  • DS13 Manage operations

Measure and Evaluate

  • ME1 Monitor and evaluate IT performance

  • ME2 Monitor and evaluate internal control

  • ME3 Ensure compliance with external requirements

  • ME4 Provide IT governance

Information Technology Infrastructure Library (ITIL) Security Management from the UK Office of Government Commerce (OGC)

Control

  • Implement policies

  • Set up the security organization

  • Reporting

Plan

  • Create Security section for SLA

  • Create underpinning Contracts

  • Create Operational level agreements

  • Reporting

Implement

  • Classify and manage IT applications

  • Implement personnel security

  • Implement secure management

  • Implement access control

  • Reporting

Evaluate

  • Self assessment

  • Internal Audit

  • External audit

  • Evaluation based on security incidents

  • Reporting

Maintain

  • Maintenance of Service level agreements

  • Maintenance of operational level agreements

  • Request for change to SLA and/or OLA

  • Reporting

NIST Special Publication 800-53 Security Controls for Federal Information Systems from the US National Institute of Standards and Technology (NIST)

  • Access Control

  • Awareness and Training

  • Audit and Accountability

  • Certification, Accreditation, and Security Assessments

  • Configuration Management

  • Contingency Planning

  • Identification and Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Physical and Environmental Protection

  • Planning

  • Personnel Security

  • Risk Assessment

  • System and Services Acquisition

  • System and Communications Protection

  • System and Information Integrity

The Standard of Good Practice for Information Security from the Information Security Forum

Security Management

  • SM1 High-level direction

  • SM2 Security organisation

  • SM3 Security requirements

  • SM4 Secure environment

  • SM5 Malicious attack

  • SM6 Special topics

  • SM7 Management review

Critical Business Applications

  • CB1 Business requirements for security

  • CB2 Application management

  • CB3 User environment

  • CB4 System management

  • CB5 Local security management

  • CB6 Special topics

Computer Installations

  • CI1 Installation management

  • CI2 Live environment

  • CI3 System operation

  • CI4 Access control

  • CI5 Local security management

  • CI6 Service continuity

Networks

  • NW1 Network management

  • NW2 Traffic management

  • NW3 Network operations

  • NW4 Local security management

  • NW5 Voice networks

Systems Development

  • SD1 Development management

  • SD2 Local security management

  • SD3 Business requirements

  • SD4 Design and build

  • SD5 Testing

  • SD6 Implementation

End User Environment

  • UE1 Local security management

  • UE2 Corporate business applications

  • UE3 Desktop applications

  • UE4 Computing devices

  • UE5 Electronic communications

  • UE6 Environment management

The PCI Data Security Standard (PCI DSS) from the PCI Security Standards Council

  • Build and Maintain a Secure Network

  • Protect Cardholder Data

  • Maintain a Vulnerability Management Program

  • Implement Strong Access Control Measures

  • Regularly Monitor and Test Networks

  • Maintain an Information Security Policy
