A Prioritized Approach for Compliance
 

A recent trend in the information security industry is the concept of a prioritized approach to implementing security controls and standards. With any of the standards or compliance requirements (FISMA, SOX, HIPAA, NIST, GLBA, ISO and PCI), it can be difficult for organizations to meet all of the requirements. Every organization has limited time and resources and is forced to implement as many measures as it can and leave the rest undone.
 
The current economic situation is increasing pressure to cut budgets, which further reduces the resources available to protect information and systems. Organizations are often left wondering where they can cut, or hold off on, the implementation of security controls. With increasing requirements and finite resources, something is going to have to give.
 
To find out which security measures can "wait", we need to determine the risk that not having a given control in place poses to our organization. We can estimate that risk by researching recent attack patterns, then determine which attacks are most likely and which controls are most likely to prevent them. For each attack we should consider its probability (likelihood) and its impact on the organization. We can chart the results on a four-quadrant graph and rank each vulnerability as High, Moderate or Low. See the simple chart below.
 
(Chart: Risk Calculation)
 
Based on risk we can now determine which controls are "most" important now. This does not get the organization off the hook for any compliance standards because typically all the controls in the compliance standard are compulsory. A prioritized approach will make sure the organization is spending time and resources where they are needed most and will lead the organization down the path of compliance.
 
For example, the news has recently reported an increase in SQL injection attacks on websites. We could rate the probability as high, based on the increase in this type of attack and the ease with which it can be executed. We also know that SQL injection attacks have been widely successful in compromising millions of records containing personally identifiable information. We can rate the impact as high, based on the millions of records lost and the millions of dollars organizations have spent dealing with these data breaches. Controls that can prevent such attacks should be given top priority, and organizations should increase testing of those controls.
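The likelihood/impact ranking described above, carried through to an ordered list of controls, as an added example that is not part of the original post. The collapse of the four quadrants into three tiers (high/high = High, low/low = Low, the mixed quadrants = Moderate), the tie-break by number of threats covered, and all threat and control names other than SQL injection are assumptions made for illustration.

```python
# Added example, not from the original post: a small risk-prioritization
# helper in the spirit of the four-quadrant chart described above.
# Tier mapping, tie-break rule and sample data are constructed assumptions.

HIGH, MODERATE, LOW = "High", "Moderate", "Low"

def risk_rank(likelihood, impact):
    """Map a likelihood/impact pair (each 'high' or 'low') to a risk tier.
    Assumed mapping: high/high -> High, low/low -> Low, mixed -> Moderate."""
    if likelihood == "high" and impact == "high":
        return HIGH
    if likelihood == "low" and impact == "low":
        return LOW
    return MODERATE

TIER_ORDER = {HIGH: 0, MODERATE: 1, LOW: 2}

def prioritize_controls(threats, controls):
    """threats:  {threat name: (likelihood, impact)}
    controls: {control name: [threat names it helps prevent]}
    Returns (control, tier, threats_covered) tuples, ordered by the
    highest-risk threat each control addresses; ties broken by coverage."""
    ranked = []
    for control, covered in controls.items():
        tiers = [risk_rank(*threats[t]) for t in covered]
        best = min(tiers, key=TIER_ORDER.get, default=LOW)
        ranked.append((control, best, len(covered)))
    ranked.sort(key=lambda r: (TIER_ORDER[r[1]], -r[2], r[0]))
    return ranked

# Constructed sample: SQL injection rated high/high as in the discussion;
# the remaining threats and ratings are illustrative placeholders.
SAMPLE_THREATS = {
    "sql_injection": ("high", "high"),
    "lost_backup_tape": ("low", "high"),
    "defaced_brochure_page": ("high", "low"),
    "dumpster_diving": ("low", "low"),
}
SAMPLE_CONTROLS = {
    "parameterized queries + input validation": ["sql_injection"],
    "web app vulnerability scanning": ["sql_injection", "defaced_brochure_page"],
    "encrypt backup media": ["lost_backup_tape"],
    "shred paper records": ["dumpster_diving"],
}

if __name__ == "__main__":
    for control, tier, n in prioritize_controls(SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{tier:8} covers {n}  {control}")
```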
 
Recently the PCI Security Standards Council and the National Institute of Standards and Technology released guidance on a prioritized approach to implementing their respective standards. These approaches recognize the limited resources of organizations and focus on implementing the most crucial controls first, then the remaining ones. Following such an approach does not by itself make an organization PCI or FISMA compliant; it simply addresses the reality of limited resources.
 
A prioritized approach to implementing information security will not make you compliant today; it will, however, ensure the organization focuses its resources where they are needed the most and where they will do the most good.
 
 
Brought to you by Maze & Associates, a leading Northern California accounting firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV (Approved Scanning Vendor).
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
Author: Donald Hester