The securezoo team is always in search of good security tools and resources that small businesses and organizations of all sizes can use to better protect themselves from cybercriminals. Knowledge and execution of security “best practices” or standards is critical to establishing a solid security program and keeping your small business or organization from being the next hacking statistic.
In this article, we take the mystique out of many of the most popular security standards and guidelines and highlight a few of the key resources available at your fingertips. By implementing some of these best practices, your business will be better prepared to keep your sensitive data safe and protect your brand from cyber attackers.
Highlighted below are six such security standards (or guidelines) you can consider to round out your security program or help build the foundation if you’re just getting started.
1. ISO/IEC 27001
The ISO/IEC 27001 standard was developed and published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Most recently updated in 2013, ISO/IEC 27001:2013 (commonly just “ISO 27001”) is one of the better resources for developing and maintaining a complete security program, formally known as an information security management system (ISMS).
Annex A of ISO 27001 groups its controls into 14 security “domains”:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security (e.g., controls for pre-, current and post-employment)
- A.8: Asset management (e.g., data classification, asset inventory)
- A.9: Access control (e.g., privilege access, access approvals, segregation of duties, logging)
- A.10: Cryptography (e.g., encryption and key management)
- A.11: Physical and environmental security (e.g., physical access control, fire/smoke detection, alarms)
- A.12: Operations security (e.g., configuration management, change management, problem management, malicious software controls)
- A.13: Communications security (e.g., network access controls, firewalls, security monitoring)
- A.14: System acquisition, development and maintenance (e.g., application security, secure development lifecycle)
- A.15: Supplier relationships (e.g., third party security)
- A.16: Information security incident management (e.g., incident response and incident management plans/procedures)
- A.17: Information security aspects of business continuity management (e.g., business continuity, disaster recovery, business impact analysis)
- A.18: Compliance – with internal requirements, such as policies, and with external requirements, such as laws (e.g., adherence to local and regulatory requirements)
ISO 27001 is often used by security practitioners and companies to support more detailed security assessments or to establish a solid baseline from which to improve security within an organization. Because the standard is so broad, it can also serve as the skeleton for a complete set of security policies, standards and procedures. Visit ISO.org for more information on ISO 27001 and related standards.
2. SANS (CIS) 20 Critical Security Controls
The Center for Internet Security (CIS), in coordination with the SANS Institute and a consortium of security experts and U.S. agencies such as the NSA, developed the “Critical Security Controls” (CSC): a short, prioritized list of the controls that have the greatest impact on an organization’s risk posture against cyber threats. Most of the controls are mapped back to the NIST SP 800-53 standard (covered below), so the CSC are meant to complement existing standards already in place rather than replace them.
SANS provides practical guidance, or “quick wins”, within each of the 20 CSCs, as well as more advanced controls that organizations can implement to improve their program.
A complete list of the 20 CSCs is below:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Malware Defenses
- Application Software Security
- Wireless Access Control
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Limitation and Control of Network Ports, Protocols, and Services
- Controlled Use of Administrative Privileges
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Audit Logs
- Controlled Access Based on the Need to Know
- Account Monitoring and Control
- Data Protection
- Incident Response and Management
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
3. NIST Special Publications and FIPS
The National Institute of Standards and Technology (NIST) has developed many security guidelines and publications that are used as standards by organizations of all kinds. Examples include the Special Publications (SPs) and Federal Information Processing Standards (FIPS), which establish security standards often used as the minimum requirements for protecting data. They also serve as the minimum safeguards needed to meet strict regulatory requirements, and are frequently a prerequisite for doing new business with vendors or customers.
One of the most popular and widely adopted standards in use today is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. According to NIST, SP 800-53 “provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate — contributing to systems that are more resilient in the face of cyber attacks and other threats.”
Many other NIST standards are in wide use and establish requirements in areas such as cryptography (FIPS 140-2 for cryptographic modules and FIPS 197, the AES standard), cloud computing (SP 800-146), electronic authentication (SP 800-63-2) and mobile application security (SP 800-163), to name a few. To find these and many more, see the NIST list of security publications.
NIST also points practitioners to security configuration checklists, such as the Security Technical Implementation Guides (STIGs) developed by the Defense Information Systems Agency (DISA) for the DoD. Well known DISA STIGs include those for Windows, UNIX and network devices; they are used to harden systems and make them harder for intruders to compromise.
4. Cybersecurity Framework
To address cybersecurity risks, President Obama issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity”, on February 12, 2013. The EO called for a cybersecurity framework: a set of industry standards and best practices to help organizations manage security risks.
The Cybersecurity Framework’s core, which the National Institute of Standards and Technology (NIST) defines as a “set of activities to achieve specific cybersecurity outcomes, and reference examples of guidance on how to achieve those outcomes,” is broken into five functions: Identify, Protect, Detect, Respond and Recover.
We summarized how some of these safeguards can help protect businesses in a previous article “5 Good Cybersecurity Lessons Learned From FTC Law Enforcement Actions.”
5. HIPAA
If your company is in the healthcare business, you probably already know about the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the law designed to make it easier for people to keep their health insurance, to protect the privacy and security of healthcare information, and to help control administrative costs in the healthcare industry. HIPAA consists of the Privacy, Security and Breach Notification Rules, summarized below.
- Privacy Rule: the primary goal of the privacy rule is to “address the use and disclosure of individuals’ health information—called ‘protected health information’ by organizations subject to the Privacy Rule — called ‘covered entities,’ as well as standards for individuals’ privacy rights to understand and control how their health information is used.”
- Security Rule: “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”
- Breach Notification Rule: “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
The HIPAA Privacy and Security Rules have historically focused on health care providers, health plans and other organizations that process health insurance claims. However, the Omnibus Final Rule published in early 2013, which finalized the Breach Notification Rule, extended those same requirements to business associates that also receive health information, such as third parties, contractors and subcontractors. Small businesses handling e-PHI must take special care to meet all three HIPAA rules.
6. PCI DSS
Does your company process or store any payment card data? The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures designed to protect customer payment card data. In April 2016 the latest version, PCI DSS 3.2, was released as an update to version 3.1, which was published in April 2015. The PCI DSS “3.x” standard retains 12 security requirements and carries forward the major revisions introduced in version 3.0, released in 2013 to replace the prior DSS v2.0 (from 2010). Some of the most noted updates in PCI DSS 3.2 include, but are not limited to:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
- Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
- Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.
- Other notable updates from previous versions (3.0):
- More stringent penetration testing requirements (to ensure effective network segmentation and isolation of cardholder data environment)
- Regular onsite Point of Sale (PoS) inspections to ensure protection from tampering and substitution
- Service providers with remote access to customer premises must use unique authentication credentials for each customer
- Other user authentication mechanisms (e.g., physical/logical security tokens, smart cards, certificates) must be linked to an individual account.
A PCI infographic is also available here.
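The SSL and early TLS sunset above is one PCI requirement a small business can verify directly in its web server configuration. The following is an added example, not code from the original article or from the PCI SSC: it parses the nginx `ssl_protocols` directive and the Apache httpd `SSLProtocol` directive (including Apache’s `all`, `+` and `-` syntax) and flags SSLv2, SSLv3 and TLS 1.0 as “SSL/early TLS” that must be disabled, treats TLS 1.1 as the minimum and TLS 1.2 as recommended, following the PCI SSC migration bulletin. The configuration snippets are constructed for the example and show a weak setting beside a hardened one.

```python
"""
Check web-server TLS protocol configuration against the PCI SSC
"Migrating from SSL and Early TLS" guidance: SSLv2, SSLv3 and TLS 1.0
must be disabled; TLS 1.1 is the minimum and TLS 1.2 is recommended.

Added example, not from the original article or the PCI SSC. The config
snippets below are constructed; the directive syntax is nginx's
`ssl_protocols` and Apache httpd's `SSLProtocol`.
"""
import re

# Versions Apache's "all" keyword expands to (TLSv1.3 only where the build
# supports it; SSLv2 is not part of "all" in modern builds).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Versions the PCI SSC bulletin classes as SSL / early TLS.
EARLY = {"SSLv2", "SSLv3", "TLSv1"}
MINIMUM_OK = {"TLSv1.1"}            # permitted, but not recommended
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}


def parse_nginx(config: str) -> set:
    """Return the versions enabled by the last `ssl_protocols` directive."""
    enabled = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", config, re.M):
        enabled = set(m.group(1).split())   # a later directive overrides an earlier one
    return enabled


def parse_apache(config: str) -> set:
    """Return the versions enabled by the last `SSLProtocol` directive.

    Tokens are applied left to right: a bare name or +name enables it,
    -name disables it, and `all` stands for every version in APACHE_ALL.
    """
    enabled = set()
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", config, re.M):
        enabled = set()
        for tok in m.group(1).split():
            op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {name}
            if op == "+":
                enabled |= names
            else:
                enabled -= names
    return enabled


def assess(enabled: set) -> dict:
    """Classify an enabled-protocol set against the PCI SSC bulletin."""
    findings = [f"{v} enabled: SSL/early TLS must be disabled"
                for v in sorted(enabled & EARLY)]
    acceptable = enabled & (MINIMUM_OK | RECOMMENDED)
    if not acceptable:
        findings.append("no TLS 1.1 or higher enabled: nothing acceptable remains")
    elif not enabled & RECOMMENDED:
        findings.append("TLS 1.2 not enabled: recommended minimum by the PCI SSC")
    compliant = not (enabled & EARLY) and bool(acceptable)
    return {"enabled": sorted(enabled), "compliant": compliant, "findings": findings}


# Constructed sample configurations (not taken from any real server).
WEAK_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
HARDENED_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1.2 TLSv1.3;\n}\n"
WEAK_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2\n"
HARDENED_APACHE = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, enabled in [("weak nginx", parse_nginx(WEAK_NGINX)),
                           ("hardened nginx", parse_nginx(HARDENED_NGINX)),
                           ("weak apache", parse_apache(WEAK_APACHE)),
                           ("hardened apache", parse_apache(HARDENED_APACHE))]:
        print(label, assess(enabled))
```

Run the file directly to see each snippet’s enabled versions and findings; in practice you would feed it the output of `nginx -T` or your `httpd.conf` and `ssl.conf` files. Note that it checks only the protocol directive, not cipher suites, so it is a first pass rather than a full PCI validation.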
These six sets of security “best practices” overlap considerably. You may find some of them more useful than others, but hopefully you can draw on them to complement, build, maintain or improve your security program.