There are two big philosophies of how to implement information security at organizations: “standards-based” and “best practices-based” infosec programs. The vast majority of America’s companies and agencies follow a standards-based approach, and most of these only strive to achieve a baseline level of standards adherence.
When you hear the word “baseline” you should think of the words “at least” or “at a minimum”. For example, you should “at least” implement physical and logical access controls. Or, you should “at a minimum” employ a firewall at your network perimeter. That sort of thing. Because that is what “baseline” standards are. They are the minimum level of controls recommended by standards organizations such as NIST and ISO. They were never meant to be ideals. They are only intended to function as starting points.
The problem is that a large number of commercial and public organizations are having trouble reaching even a baseline level of information security. They complain that complying with baseline standards is too expensive; that it takes too much dedicated manpower and interferes with customer service and other business processes. And what they are saying is true in its way; information security is expensive and it does take the cooperation of everyone in the business. But what they are really saying is that infosec is just not a priority and they truly don’t care much about it. This seems to me to be what was behind the Home Depot data breach.
Former company employees have stated that Home Depot had told them to only go for a “C” level of information security. They weren’t to concern themselves with implementing “B” or “A” level security at the organization. And Home Depot keeps credit card information! The Payment Card Industry Data Security Standard (PCI DSS) demands about the strongest level of baseline security out there. And Home Depot reputedly was handling unencrypted credit card information on their computer networks?! How did they pass their PCI security assessments? I don’t understand the particulars here. But however this situation came about, the fact is that once again the private financial information of millions of citizens has been compromised. Shouldn’t we be outraged and demanding a higher standard of security for our private information?
That is why everyone should be urging their government agencies and the retailers they do business with to implement information security at the best practices level. Industry standard best practices for information security are just that: they are the best means currently known for protecting IT systems and the information they process. Examples of best practices guidance are the MSI 80/20 rule for information security and the Top 20 Critical Controls for Effective Cyber-Security. Sure, it may add 10 cents to the cost of a package of light bulbs to implement best practices, but isn’t it worth it? I don’t hear people complaining about the banks buying a bunch of new physical security systems all the time to better protect their money. And really, what is the difference between the two?
This blog post was contributed by John Davis.