Best practices for managing compliance with security standards

Financial organizations must learn to tie their compliance efforts to their information security practices. Here are four best practices for managing compliance with industry security standards.

Information security standards can provide your financial organization with tools to strengthen its security posture – if you use them properly. Just as you don't need to invent, design and build a hammer and nail each time you hang a picture, you don't have to build corporate security standards from scratch. However, you do need to make a number of important choices and take the proper steps to adapt these building blocks to meet your financial organization's needs. Here are four best practices that will help you make the most of industry security standards.

Caveat emptor – Understand what you're buying into
There is no "standard" standard. Knowing which standard to choose and what your obligations are as a result of that choice is a key first step in managing compliance.

Some industries and organizations are required to meet information security standards established by laws or regulations. The financial industry is subject to the requirements of the Gramm-Leach-Bliley (GLB) Act. Health care providers, health insurers and health information data processors are bound by the Health Insurance Portability and Accountability Act (HIPAA). Publicly traded companies' responsibilities under the Sarbanes-Oxley (SOX) Act include the protection of financial systems from fraud and abuse.

There are also a number of voluntary standards available to financial organizations that wish to benchmark their security programs against industry best practices. Examples of these documents include:

  • Maintained by the International Standards Organization, ISO 17799 is the closest thing to a generally accepted standard for information security. Organizations can choose to become registered as 17799 compliant by engaging an accredited outside auditor to examine their operations.
  • The Standard of Good Practice for Information Security is published by the Information Security Forum, a global group of corporations interested in improving security. The document is available free of charge. The ISF offers its members a range of tools and services connected with the Standard at an additional cost.

Whichever standard you choose (or whichever standard is chosen for you by law), it is important to understand what you do and do not get from these documented best practices. You do get general principles – for example, the standards tell you that access to information should be protected by unique credentials and that critical information should be protected by two-factor authentication. However, the standards don't tell you what information is critical or what kind of two-factor authentication to use. These are questions that the standards are intended to provoke, not answer.

Connect the dots: Tie your policies to the standards
Industry standards supported by information policies customized to your financial organization are a key foundation for success.

Industry standards should serve as an outline and reference during the writing and updating of your organization's security policies. By combining the high-level best practices of the standards with the specific business knowledge distributed throughout your organization, you can develop policies that combine security with business needs.

For example, the ISF Standard of Good Practice states, "Intrusion-detection methods should be supported by specialist software such as host intrusion-detection systems or network intrusion-detection systems. This software should be evaluated prior to purchase."

To convert this best practice to an actionable policy item, a few blanks must be filled in. The corresponding portion of a security policy might read as follows:

"Network intrusion-detection systems shall be placed at points on network ingress and egress. Host intrusion-detection systems shall be implemented on systems that are identified as business critical. Evaluation, testing and selection of intrusion-detection system hardware and software are the responsibilities of the Corporate Information Security Department. Monitoring of intrusion-detection systems and the interpretation, analysis and dissemination of alert information shall be the responsibilities of Security Operations."

Further details, such as lists of approved hardware and software and specific instructions as to how the evaluation, testing, selection, monitoring, interpretation, analysis and dissemination functions are to be carried out, would be set forth in operational documents such as Standards, Guidelines and Processes.

Prepare for exceptions
The day will come when a business need conflicts with a security best practice. Being prepared to deal with this situation will save time, money and aggravation.

Every business has different needs and tolerance for risk. At some point, business needs may win out over infosec best practices. You need to have a process in place to allow the organization to:

  • Understand the risks being taken
  • Document these risks and their mitigating factors
  • Make and document an informed decision as to whether to accept a risk
  • Periodically review accepted risks to determine whether new mitigations are available and whether the risk is still acceptable

Having a well-defined process to handle exceptions will allow your organization to deal with situations that fall outside of those anticipated when the policies were written.

Translate standards into measurable actions
Hand your business managers a copy of typical infosec standards and they'll probably end up using them – to prop up the short leg on the table in the break room.

Business unit folks want information security folks to provide them with specific instructions on how to make their systems secure. Telling a business unit manager to "use two-factor authentication to protect critical information" is not helpful. You need to provide your users with organization-specific tools, such as criteria for deciding whether information is critical or not, and lists of tested and approved security solutions specifically tied to policies. Remember, policies are not instruction manuals. Policies are high-level statements of the intent of the organization. Specific information as to how to implement policy should be laid out in procedural documents.

The key here is clarity and consistency. You should be able to put the same procedural and policy documents in front of everyone in your organization and have them come to the same conclusions as to the security measures that are needed to meet the standard.

If your organization has an Internal Audit department, these are good people to get involved in the process of developing measurable actions. After all, they will be doing the measuring of compliance, and their experience in other types of audits and standards is a valuable resource. Auditors have the structured approach needed to put this practice to work. If our friends in Washington or your state capital dictate your external standards, get your legal folks involved as well to ensure that your measurements will hold up in court.

Industry standards for info security are not a cure-all – and I think that this is a good thing on the whole. While legislators and industry groups can tell us a lot about best practices and goals, it is up to the management and infosec professionals in our organizations to come up with solutions that allow business to be conducted with assurance.

About the author
Al Berg, CISSP, is the Director of Information Security for Liquidnet, an electronic marketplace for block trading. Al has been in the information security industry for more than 15 years and has provided consulting services to major corporations and the U.S. Defense Department. Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on networking and security topics.
