Home Depot Data Breach; a Good Argument for Best Practices-Based Infosec

There are two big philosophies of how to implement information security at organizations; standards basedand best practices-basedinfosec programs. The vast majority of Americas companies and agencies follow a standards-based approach, and most of these only strive to achieve a baseline level of standards adherence.

When you hear the word baselineyou should think of the words at leastor at a minimum. For example, you should at leastimplement physical and logical access controls. Or, you should at at a minimumemploy a firewall at your network perimeter. That sort of thing. Because that is what baselinestandards are. They are the minimum level of controls recommended by standards organizations such as NIST and ISO. They were never meant to be ideals. They are only intended to function as starting points.

The problem is that a large number of commercial and public organizations are having trouble reaching even a baseline level of information security. They complain that complying with baseline standards is too expensive; that it takes too much dedicated manpower and interferes with customer service and other business processes. And what they are saying is true in its way; information security is expensive and it does take the cooperation of everyone in the business. But what they are really saying is that infosec is just not a priority and they truly dont care much about it. This seems to me to be what was behind the Home Depot data breach.

Former company employees have stated that Home Depot had told them to only go for a Clevel of information security. They werent to concern themselves with implementing Bor Alevel security at the organization. And Home Depot keeps credit card information! The Payment Card Industry Data Security Standard (PCI DSS) demands about the strongest level of baseline security out there. And Home Depot reputably was handling unencrypted credit card information on their computer networks?! How did they pass their PCI security assessments? I dont understand the particulars here. But however this situation came about, the fact is that once again the private financial information of millions of citizens has been compromised. Shouldnt we be outraged and demanding a higher standard of security for our private information?

That is why everyone should be urging their government agencies and the retailers they do business with to implement information security at the best practices level. Industry standard best practices for information security are just that; they are the best means currently known for protecting IT systems and the information they process. Examples of best practices guidance are the MSI 80/20rule for information security and the Top 20 Critical Controls for Effective Cyber-Security. Sure, it may add 10 cents to the cost of a package of light bulbs to implement best practices, but isnt worth it? I dont hear people complaining about the banks buying a bunch of new physical security systems all the time to better protect their money. And really, what is the difference between the two? 

This blog post was contributed by John Davis.

Leave a Reply