A Rough Guide to (some) Information Security Standards

For sure, cyber-security is a vast field these days with more terminology than you can shake a stick at. Witty banter aside – I wanted to put together a post summarising some key learnings I’ve picked up so far.

Stuff I think we should all know about….

Before we get started – here are a few books I’ve found invaluable to my own learning journey. It’s a mixed combo as I’ve found you can’t just learn the technical stuff, you need to understand process stuff too. Equally, you can’t be the world’s expert on firewall configuration if you ignore the various principle frameworks that have been created to help us out.


No pressure to buy these or anything – just some books to ask Santa for….

The bullet points below are in no particular order but overall they should provide some decent tent-poles on which to hang your knowledge of information security.

What is Information Security?

Basics right – confidentiality: the principle that information is not made available or disclosed to unauthorised individuals, entities or processes. It also includes integrity – the property of safeguarding the accuracy and completeness of information. And availability – that information is accessible & usable on demand by an authorised user.

Threats, Vulnerabilities, Risks & Impacts?

Not a new superhero show. A threat is simply something that could happen & cause some unwanted consequence. A vulnerability is a weakness that could be exploited to cause some unwanted consequence. I spend a lot of time thinking about & searching for vulnerabilities. Risk is the chance that a given threat will exploit a vulnerability – it’s a combo of threat & vulnerability.

Impact gets a section on its own – it’s all about impact baby. Where do you focus your time with limited resources – where the impact is most significant – think damage to data, people, legal requirements, business continuity…

ISO27001

ISO27001 specifies the requirement standards for an information security management system – it’s a framework of policies & procedures. Your organisation can be certified against the standard. Its approach is top-down, risk-based & technology neutral. It won’t tell you how to configure your firewall.

It outlines a range of different controls that need to be in place & documented including physical controls (locked doors/secure cabinets), procedural controls (checks on references) & product or technical controls (passwords/encryption).

So, also think codes of conduct, information security policies, developing a security culture, segregation of duties, user control mechanisms & any awareness training. The standard has a little sister called ISO27002 that contains best practice recommendations of information security controls & some further definitions.

ISO22301

Another certified standard but this time one that focuses on business continuity management. It specifies the requirements for a management system to protect against disruptive incidents, reduce the chances of them happening & ensure that the business can recover from them.

Think ‘what happens if’ scenarios.

Ransomware has kept this standard busy in the last year or so.

PCI-DSS

The Payment Card Industry Data Security Standards are like the geeky brother to the above standards. In my opinion, they’re more widely known, very detailed and well-established in the card payments industry but not particularly outside it.

Also PCI-DSS doesn’t have a girlfriend or anything…

It’s a series of principles around the storage & processing of card details. Think secure network requirements, secure access controls & Cylon-like encryption.

GDPR

If you haven’t heard of this mammoth chunk of data protection legislation then you must have been either living on the moon or at least under the sea.

The General Data Protection Regulation is now in force & is part of the data landscape in the UK alongside the new Data Protection Act 2018.

Complex? You bet, but in simple terms it’s a series of principles designed to protect personal data & covers usage of data, breach notifications etc. The area I’ve had most experience with is ‘mailing preferences’ & opting in. If you have anything to do with prospect & customer data then the GDPR will have dominated your life this year.

Right – that’s what I’ve learnt so far….
