We are always in search of good security tools and resources that small businesses and organizations of all sizes can use to better protect themselves from cybercriminals. Knowledge and execution of security “best practices” or standards is critical to establishing a solid security program and keeping your small business or organization from being the next hacking statistic.
In this article, we take the mystique out of many of the most popular security standards and guidelines and highlight a few of the key resources available at your fingertips. By implementing some of these best practices, your business will be better prepared to keep your sensitive data safe and protect your brand from cyber attackers.
Highlighted below are five such security standards (or guidelines) you can consider to round out your security program or help build the foundation if you’re just getting started.
1. CIS Controls
The Center for Internet Security (CIS), in coordination with the SANS Institute and a consortium of security experts and U.S. agencies such as the NSA, coordinated the CIS Controls (formerly known as the “Critical Security Controls” or CSC) to simplify and prioritize the list of controls that have the greatest impact on an organization’s risk posture against cyber threats.
Most of the controls are also mapped back to the NIST SP 800-53 standard (reviewed later in this article) and are meant to complement standards already in place.
The complete list of the CIS Controls v8 follows:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software*
- Account Management
- Access Control Management*
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing
Also, SANS has provided a nice comparison of what changed between versions 7 and 8 of the CIS Controls.
As marked above (*), Secure Configuration of Enterprise Assets and Software (4) replaces two CIS version 7 controls (‘Secure Configuration’ and ‘Secure Configuration of Network Devices’). Likewise, Access Control Management (6) replaces the former version 7 controls ‘Control of Admin Privileges’ and ‘Controlled Access Based on Need to Know.’
2. NIST
The National Institute of Standards and Technology (NIST) has developed many security guidelines and publications that are used as standards by many organizations. Examples include the Special Publications (SPs) and Federal Information Processing Standards (FIPS) that establish the security standards often used as the minimum requirements for protecting data. Such standards also serve as the minimum safeguards needed to meet strict regulatory requirements, and are often required to do new business with vendors or customers.
One of the most popular and widely accepted standards in use today is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. According to NIST, SP 800-53 “provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate — contributing to systems that are more resilient in the face of cyber attacks and other threats.”
Many other NIST standards are in wide use today and establish requirements for areas such as cryptography and encryption (FIPS 140-3 and FIPS 197), cloud computing (SP 800-146), electronic authentication (SP 800-63-2), and mobile application security (SP 800-163), to name a few. To find these and many more, see the list of NIST security standards here.
NIST also recommends that security practitioners use security checklists such as the Security Technical Implementation Guides (STIGs) developed by the Defense Information Systems Agency (DISA) for the DoD. Well-known examples of the DISA STIGs include those for Windows, UNIX and network devices, which are used to harden systems and better secure them against intruders.
3. HIPAA
If your company is in the healthcare business, you probably already know about the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the law designed to make it easier for people to keep their health insurance, to protect the privacy and security of healthcare information, and to help control administrative costs in the healthcare industry. HIPAA consists of the Privacy, Security and Breach Notification Rules, noted below.
- Privacy Rule: the primary goal of the privacy rule is to “address the use and disclosure of individuals’ health information—called ‘protected health information’ by organizations subject to the Privacy Rule — called ‘covered entities,’ as well as standards for individuals’ privacy rights to understand and control how their health information is used.”
- Security Rule: “The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”
- Breach Notification Rule: “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”
The HIPAA Privacy and Security Rules have historically focused on healthcare providers, health plans and other organizations that process health insurance claims. However, the breach notification rule released in early 2013 extended those same requirements to business associates that also receive health information, such as third parties, contractors and subcontractors. Small businesses must take special care to protect e-PHI as required by these three HIPAA rules.
4. PCI DSS
Does your company process or store any payment card data? The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures designed to protect customer payment card data.
In April 2016, PCI DSS 3.2 was released as an update to version 3.1, which was published in April 2015. The PCI DSS “3.x” standard includes 12 security requirements and many of the major revisions introduced in version 3.0, released in 2013 to replace the prior DSS v2.0 (from 2010). Some of the most notable updates in PCI DSS 3.2 include, but are not limited to:
- Revised Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) sunset dates as outlined in the Bulletin on Migrating from SSL and Early TLS
- Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
- Additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria, which was previously a separate document.
- Other notable updates from previous versions (3.0):
  - More stringent penetration testing requirements (to ensure effective network segmentation and isolation of the cardholder data environment)
  - Regular onsite Point of Sale (PoS) inspections to ensure protection from tampering and substitution
  - Service providers with remote access to customer premises must use unique authentication credentials for each customer
  - Other user authentication mechanisms (e.g., physical/logical security tokens, smart cards, certificates) must be linked to an individual account.
PCI has since released the latest version, 3.2.1, in May 2018.
A PCI Quick Reference Guide for DSS v. 3.2.1 is also available here.
5. ISO/IEC 27001
The ISO/IEC 27001 standard was developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Most recently updated in 2013, the standard ISO/IEC 27001:2013 (aka “ISO 27001”) is one of the better resources for developing and maintaining a complete security program, also known as an information security management system (ISMS).
The ISO 27001 standard consists of 14 security “domains,” or groups of controls:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security (e.g., controls for pre-, current and post-employment)
- A.8: Asset management (e.g., data classification, asset inventory)
- A.9: Access control (e.g., privilege access, access approvals, segregation of duties, logging)
- A.10: Cryptography (e.g., encryption and key management)
- A.11: Physical and environmental security (e.g., physical access control, fire/smoke detection, alarms)
- A.12: Operations security (e.g., configuration management, change management, problem management, malicious software controls)
- A.13: Communications security (e.g., network access controls, firewalls, security monitoring)
- A.14: System acquisition, development and maintenance (e.g., application security, secure development lifecycle)
- A.15: Supplier relationships (e.g., third party security)
- A.16: Information security incident management (e.g., incident response and incident management plans/procedures)
- A.17: Information security aspects of business continuity management (e.g., business continuity, disaster recovery, business impact analysis)
- A.18: Compliance – with internal requirements, such as policies, and with external requirements, such as laws (e.g., adherence to local and regulatory requirements)
ISO 27001 is often used by security practitioners and companies to support more detailed security assessments or to establish a solid baseline for improving security within an organization. Because the ISO standard is so broad, it can be used to develop a complete set of security policies, standards and procedures. Visit ISO.org for more information on ISO 27001 and related standards.
These five security “best practices” have many similarities. You may find some of them more beneficial than others, but hopefully you can use them to help build, maintain or improve your security program.
Update: This article was originally published June 6, 2017 and updated September 18, 2021.