PCI DSS, GLBA, SOX, ISO, COBIT, DPA, ITIL – When it comes to compliance with information security laws, regulations, and standards, it’s a veritable alphabet soup. Wading through all those acronyms can cause even the most seasoned IT security managers to throw up their hands in despair and begin mumbling the incomprehensible under their breath.
So what is a security manager to do? Some experts recommend picking one’s ‘poison’ and focusing efforts on complying with one of the many international standards out there. For example, International Organization for Standardization (ISO) 27001 provides an internationally accepted framework for information security best practices. That could perhaps be a place to start.
Others recommend picking standards written in plain language, such as the PCI Data Security Standard (DSS). Still others (not interviewed for this article) advise giving up all together and finding a quiet island somewhere, where no one has heard of information security, or the internet for that matter.
Asking Why?
Lars Davies, founder and chief executive of Kalypton, a UK-based risk and compliance management firm, recommends starting with an existential question – Why?
“It’s not just about keeping and protecting information; it’s going further and understanding why you need to keep it”, Davies tells Infosecurity. “You can then use the answer to that question to work out what you have to keep, for how long, and how.
| "If you take the [PCI] standards and use them as a foundation for a layered security approach, you can reduce your likelihood of data breaches, fines, and other costs" |
| Bob Russo, PCI Security Standards Council |
“Now I can work out what regulations I need to look at, how I interpret them, how I implement an IT architecture and security structure behind the scenes to hold the records and manage them, and how I can evidence them if I am asked to do so,” he says. “That is how you can conform to multi-national requirements”.
The key to cutting through the compliance complexity is finding the principle to which the company must conform, Davies explains. “You’ll find that the principle is the same in any jurisdiction…Once you have that, you can then determine how you apply the French data protection law to your operations in France and the German data protection law to your operations in Germany, and so on”, he adds.
The first principle is to retain and protect data. Then, the company has to look at what type of data is being retained in order to determine what other laws might apply. If it is financial information, then laws and regulations requiring protection of financial information apply. If it is personal information, then personal data protection laws apply, Davies continues.
COBIT or Bust
While starting from a first principle is fine, a number of experts recommend getting more specific and using an internationally recognized information security standard as a baseline.
Rolf von Roessing, president of Swiss consulting network Forfa and past international vice president of the not-for-profit IT security association ISACA, (perhaps unsurprisingly) recommends using the ISACA-developed COBIT standard.
Previously known as Control Objectives for Information and Related Technology, but now just COBIT, the framework provides guidance on information control processes, planning and organization of the IT environment; delivering and supporting services; and monitoring and evaluating security, von Roessing shares.
“I would recommend people look at COBIT because that is, I believe, the most widely recognized international framework on internal controls and security. It covers Sarbanes-Oxley [SOX] as well PCI DSS, and others. COBIT comes with a set of other publications that map it to these other standards”, he explains.
ISACA is working on a new version – COBIT 5 – that is expected to be out early next year. “It will provide the blueprint for approaching all governance risk and compliance questions in a uniform manner”, von Roessing says. “It will help IT security managers to have one single framework, like a Swiss army knife, so that they can pick and choose the right tool to make sure they are complying with whatever standards they have to adhere to by law or regulation.”
The former ISACA VP continues: “The new version employs the lens concept. So if you imagine yourself as well a security manager having to do PCI DSS for a bank that does credit card settlement, you would put the COBIT security lens on, and you would find that there is a fairly sizeable document called ‘COBIT for Security’ under the new framework. If you read that document, it will direct you toward the salient compliance points required for PCI DSS compliance.
“If you follow COBIT and use the terminology and framework, not only will you be able to comply with PCI DSS”, von Roessing adds, “but also auditors will better understand you, whether they be external auditors or internal audit departments”.
ISO-lating Compliance Issues
ISO 27001 on information security best practices is another standard recommended as a baseline for compliance.
International compliance is a “fractured picture”, observes Etienne Greeff, professional services director for SecureData Europe, a UK-based provider of IT and network security products. “What we have seen is people starting to adopt standards like ISO 27001, which is a comprehensive security standard that covers most aspects of information security”, he tells Infosecurity. “At least it is a common international benchmark.”
Greeff notes that various standards use ISO 27001 as the base and then apply it to particular requirements – for example, card holder data in the case of PCI DSS and corporate data in the case of SOX.
“A lot of organizations don’t have a structured way of approaching information and IT security. They handle things on an ad-hoc basis”, he says. “It is a legacy of people buying technology to solve problems. They think a widget will solve the problem, but it is only a tool to enforce a policy.”
Richard Walters, chief technology officer with UK-based risk management firm Invictis, agrees that ISO 27001 is a good starting point for corporate compliance.
| "[Lawmakers] don’t really understand what security is…they leave it to the auditors to figure out what ‘secure the data’ means" |
| David McNeely, Centrify |
“From an information security perspective, there are only a limited number of ways you can slice the information security pie”, he tells us. “Probably the most widely adopted standard of how you do that is ISO 27001.”
Walters explains that the ISO standards can be broken down into 11 areas and mapped to many other laws, regulations, and standards. These 11 areas are security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; incident management; business continuity management; and compliance.
“You can reuse a lot of the investment and effort you put into ISO 27001 for compliance with various privacy laws, as well as a wide range of legislative and regulatory controls”, he says.
PCI DSS, If You Don’t Mind
Others support using PCI DSS as the baseline standard. David McNeely, director of product management at US-based identity and access management vendor Centrify, argues that PCI DSS is the easiest of the internationally recognized standards to understand and implement.
“Lawmakers tend to not understand what it means to be secure. They usually point to something else and say – ‘That is the standard’”, McNeely asserts. “For example, SOX is too vague….[Lawmakers] don’t really understand what security is. They just say, ‘You need to secure the financial data’. And they leave it to the auditors to figure out what ‘secure the data’ means”, he adds.
A standard that is often used as a reference in US legislation is the National Institute of Standards and Technology (NIST) 800-53 on information security, which describes in detail what the different levels of security are, McNeely shares. But the document is several hundred pages long, while PCI DSS is less than a hundred pages.
“PCI DSS has taken what is documented in NIST 800-53, which is a fairly lengthy document, and summarizes it in layman’s terms. Any person that understands IT should be able to understand PCI DSS. It is clear cut and describes exactly what you need to do”, McNeely says.
“If you just take the words ‘payment card data’ and swap it out for what you are trying to protect, such as healthcare or customer data, you probably have a pretty good baseline” for compliance with other standards, he concludes.
Bob Russo, general manager of the PCI Security Standards Council, tells Infosecurity that “PCI DSS is proving successful as a strong foundation for overall data security, with research pointing to the PCI standards as effective in efforts to satisfy the European Data Protection Directive, for example”, Russo contends. “PCI standards provide the floor, not the ceiling, for data protection efforts.”
Russo says that companies should focus on improving security, not just complying with regulations and standards. “If you take the standards and use them as a foundation for a layered security approach, you can reduce your likelihood of data breaches, fines, and other costs associated with a breach of card data.”
While technology can aid in compliance, it is not a substitute for best practices, Russo stresses. “Each set of standards has specific requirements about people, processes and technology, because a technology alone cannot immediately make you secure.”
In complying with international information standards, IT security managers need to be expert cooks. They need to start with a few basic ingredients, such as asking the fundamental question – Why? Then, they can add in the stock and vegetables of international standards to make compliance as easy as…making soup.