question
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 1/42
7
Security Compliance Using Control Frameworks
The cautious seldom err.
Confucius, 551–479 BC
Security Control Frameworks Defined
Control frameworks and security standards are often interchangeable
terms depending upon the creator. Just to confuse things further, ISO
27001, from the International Organization for Standardization, posits an
information security management “system” (ISMS) and the controls are
contained within the ISO 27002 Code of Practice (ISO, 2005). The National
Institute of Standards and Technology (NIST) Special Publication 800-53
(NIST, 2009), titled Recommended Security Control for Federal
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 2/42
Information Systems, breaks the controls into 18 control families and 3
classes (managerial, operational, and technical) of controls. COBIT,
Control Objectives for Information and related Technology framework,
defines a control framework as a tool for business process owners that fa-
cilitates the discharge of their responsibilities through the provision of a
supporting control model. Alternatively, COBIT defines a standard as a
business practice or technology product that is an accepted practice en-
dorsed by the enterprise or information technology (IT) management
team.
COBIT adapted the control from the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) report “Internal
Control-Integrated Framework” (COSO, 1992) to mean “the policies, proce-
dures, practices, and organizational structures designed to provide assur-
ance that business objectives will be achieved and that undesired events
will be prevented or detected and corrected.”
For the purposes of this discussion, control frameworks, controls, and
standards are interchangeable, as the intent of each of them is to provide
some definition to a practice or set of practices that if performed will pro-
tect the organization’s information assets. These consist of documented,
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 3/42
executed, tested, implemented, and monitored controls that reduce the
risk of threats succeeding against company vulnerabilities.
Security Control Frameworks and Standards Examples
The following are some examples of the control frameworks and stan-
dards that address information security requirements.
Heath Insurance Portability and Accountability Act (HIPAA)
The Heath Insurance Portability and Accountability Act (HIPAA) final rule
for adopting security standards was published February 20, 2003, which
required a series of administrative, technical, and physical security pro-
cedures for entities to use to assure the confidentiality of protected health
information (PHI). The standard was intentionally nontechnology specific
and intended to provide scalability to small providers and large providers
alike.
Federal Information Security Management Act of 2002 (FISMA)
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 4/42
Primary purpose of the Federal Information Security Management Act
(FISMA) is to provide a comprehensive framework for ensuring the effec-
tiveness of security controls over information resources that support fed-
eral operations and assets. The law also provided funding for NIST to de-
velop the minimum necessary controls required to provide adequate se-
curity. The government publishes an annual report card based upon its
assessment of compliance with the framework.
National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)
The NIST Special Publication 800-53 standards and guidelines reference
the minimum set of controls that must be implemented to protect the fed-
eral system based upon the risk level determined. Implementation of the
18 families of security controls establishes a level of “security due dili-
gence” for federal agencies and the contractors that perform work for the
government. These standards are very comprehensive, freely available,
and an excellent resource to supplement other control frameworks.
Federal Information System Controls Audit Manual (FISCAM)
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 5/42
Issued by the U.S. Government Accountability Office (formerly known as
the U.S. General Accounting Office), the Federal Information System
Controls Audit Manual (FISCAM) provides guidance for information sys-
tems auditors to evaluate the IT controls used in support of financial
statement audits (GAO, 1999). This is not an audit standard, but is in-
cluded here because auditors are typically testing the control environ-
ment in government audits using this standard. There has been increased
emphasis on the use of NIST 800-53 controls and the NIST 800-53A assess-
ments. However, FISCAM is still utilized by government auditors, and,
therefore, it is worthwhile to understand the contents.
ISO/IEC 27001:2005 Information Security Management Systems—Requirements
ISO/IEC 27001:2005 provides a model for establishing, implementing, op-
erating, monitoring, reviewing, maintaining, and improving an informa-
tion security management system (ISMS). This was an evolution from
British Standard (BS) 7799-2 and ISO 17799.
The UK Department of Trade and Industry Code of Practice (CoP) for in-
formation security, which was developed from support of industry in
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 6/42
1993, became BS 7799 in 1995. The BS 7799 standard was subsequently re-
vised in 1999 to add certification and accreditation components, which
became part 2 of the BS 7799 standard. Part 1 of the BS 7799 standard be-
came ISO 17799 and was published as ISO 17799:2000 as the first interna-
tional information security management standard by the ISO and
International Electrotechnical Commission (IEC). ISO 17799 standard was
modified in June 2005 as ISO/IEC 17799:2005 containing 134 detailed in-
formation security controls based upon the following 11 areas:
Information security policy
Organizing information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Compliance
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 7/42
ISO standards are grouped together by topic areas and the ISO/IEC
27000 series has been designated as the information security manage-
ment series. For example, ISO 27002:2005 Information Technology—
Security Techniques—Code of Practice for Information Security
Management replaced the ISO/IEC 17799:2005 Information Technology—
Security Techniques—Code of Practice for Information Security
Management document. This is consistent with how ISO has named other
topic areas, such as the ISO 9000 series for quality management. ISO/IEC
27001:2005 was released in October 2005 and specifies the requirements
for establishing, implementing, operating, monitoring, reviewing, main-
taining, and improving a documented information security management
system taking into consideration the company’s business risks. This man-
agement standard was based on the BS 7799 part 2 standard and provides
information on building information security management systems and
guidelines for auditing the system.
ISO/IEC 27002:2005 Information Technology—Security Techniques—Code of Practice for Information Security Management
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 8/42
ISO/IEC 27002:2005 provides 11 security control clauses, as noted earlier.
The code of practice specifies the controls necessary and the implementa-
tion guidance by specifying the controls with may be chosen to build the
ISMS specified through application of ISO/IEC 27001:2005.
Control Objectives for Information and Related Technology (COBIT)
COBIT is a framework and supporting toolset that allow managers to
bridge the gap with respect to control requirements, technical issues, and
business risks, and then communicate that level of control to stockhold-
ers. COBIT can be used to integrate other standards as an umbrella
framework.
COBIT is published by the IT Governance Institute and contains a set of
34 high-level control objectives, one for each of the IT processes, such as
define a strategic IT plan, define the information architecture, manage
the configuration, manage facilities, and ensure systems security. Ensure
systems security has been broken down further into control objectives
such as manage security measures, identification, authentication and ac-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 9/42
cess, user account management, data classification, and firewall
architectures.
The COBIT framework examines the effectiveness, efficiency, confiden-
tiality, integrity, availability, compliance, and reliability aspects of the
high-level control objectives. The model defines four domains for gover-
nance, namely, planning and organization, acquisition and implementa-
tion, delivery and support, and monitoring. Processes and IT activities
and tasks are then defined within these domains. The framework pro-
vides an overall structure for IT control and includes control objectives,
which can be utilized to determine effective security control objectives
that are driven from the business needs.
COBIT gained increasing popularity through implementation to demon-
strate compliance with Sarbanes-Oxley regulations, which were enacted
in 2002 to require management and the external auditor to report on in-
ternal controls over financial reporting.
Payment Card Industry Data Security Standard (PCI DSS)
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 10/42
The Payment Card Industry Data Security Standard (PCI DSS) is a set of
comprehensive requirements for enhancing payment account security,
formed by several major credit card issuers, to facilitate the broad adop-
tion of a comprehensive security standard designed to protect cardholder
data. The standard applies to all parties that are involved in credit card
processing, such as merchants, processors, acquirers, issuers, and service
providers as well as other entities that store, process, or transmit card-
holder data. The standard contains requirements to address each of the
following areas:
Build and maintain a secure network (proper network device
configuration)
Protect cardholder data (storage and encrypted transmission across
open networks)
Maintain a vulnerability management program (e.g., secure systems,
antivirus software)
Implement strong access control measures (logical and physical access,
need to know)
Regularly monitor and test networks (regularly test, track, and monitor
access)
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 11/42
Maintain an information security policy (maintain a policy that ad-
dresses information security for all personnel)
The reviews are to be performed annually to ensure that cardholder
data is protected. Depending upon the size of the entity participating in
the program, the review may need to be conducted by an external
assessor.
Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) is a set of books
published by the British government’s Stationary Office between 1989
and 1992 to improve IT service management. The framework contains a
set of best practices for IT core operational processes such as change, re-
lease, and configuration management; incident and problem manage-
ment; capacity and availability management; and IT financial manage-
ment. ITIL’s primary contribution is showing how the controls can be im-
plemented for the service management IT processes.
Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 12/42
Security Technical Implementation Guides (STIGs) and National Security
Agency (NSA) Guides are configuration standards for the Department of
Defense Information Assurance. They are freely available and used as the
basis for technical standards for many private organizations. These stan-
dards, if implemented, support many of the high-level requirements spec-
ified within requirements such as FISMA, HIPAA, PCI, NIST, COBIT, ISO
27001, and GLBA (Gramm-Leach-Bliley Act).
Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) is empow-
ered to provide uniform principles, standards, and reporting forms for
the examination of financial institutions by the Board of Governors of the
Federal Reserve System (FRB), the Federal Deposit Insurance Corporation
(FDIC), the National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision
(OTS). Several booklets have been issued by the council, including Audit,
Business Continuity Planning, Development and Acquisition, Electronic
Banking, Management, Operations, Outsourcing Technology Services,
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 13/42
Retail Payment Systems, Supervision of Technology Service Providers,
Wholesale Payment Systems. Information Security was also added as a
booklet in July 2006, which includes guidance for the security process,
risk assessment, security strategy, security controls implementation, and
security monitoring as well as the examination procedures and related
laws. The handbook issued by the FFIEC serves as a supplement to the
member agencies expectations for meeting the GLBA 501(b) require-
ments. These documents provide the detail necessary to evaluate an in-
formation security program.
The World Operates on Standards
The fact about standards is that they are useful and the world is made up
of many of them, from the minimum weight in the passenger seat that
must be met before the airbag protection will become active, to the speci-
fication of the size of a #8 screw, to the standard formats for electronic
data interchange of electronic transactions between healthcare
providers, payers. and clearinghouses. Standards ensure that products
are built to specifications and allow us to simplify the complexity of the
world by creating a common deliverable and common language. Imagine
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 14/42
if every time a manufacturer wanted a product built they had to design a
screw that could be potentially different from any other screw a manu-
facturer created. Not only would this process be very expensive, it would
also be very time consuming for the customer and the supplier, and
would be very error-prone. Nonstandardized processes also slow the de-
livery of the product or service. Henry Ford recognized many years ago
that there were efficiencies and increases in quality by creating vehicles
that looked the same and were painted the same color (black). Although
the cars were available in other colors, the primary color produced was
black for efficiency. Imagine if stoplights were each made with different
colors to represent stop, slow down, and go. Imagine roadways that used
different types of striping to indicate passing versus nonpassing lanes
based upon the state in which you live. The world would be very chaotic
with each individual interpreting the colors and passing lanes as they
drove, many times potentially making the wrong decision.
Sometimes we like the standards, sometimes we do not. Sometimes
they just do not make intuitive sense to us nor do they seem effective. For
example, the Transportation Security Administration (TSA) originally did
not allow nail clippers on the airplane and reversed the decision in 2005
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 15/42
after negative public opinion (however, there are varying accounts as to
whether it was the TSA that banned nail clippers or if thee ban was pre-
TSA). Lighters were also subsequently allowed in July 2007 by the Federal
Aviation Administration. Laws, regulations, and the standards that sup-
port them are sometimes developed without the extensive analysis of
their necessity, or in reaction to a major event and the need to do some-
thing, only to be rescinded later for their lack of effectiveness. This is un-
derstandable, as government and private industry must react to new situ-
ations, making decisions on the data available at the time. In defense of
the TSA, decisions to limit what was brought on an airplane had to be
made quickly on the heels of September 11, 2001, and its focus was on ob-
jects that had the potential to harm. Thus, the standard of no nail clippers
was enacted. As time went on, this standard was modified to reflect a
reevaluated risk. Liquid restrictions such as being able to carry only a 1
quart bag of 3.4 oz bottles of shampoo and other liquids on board were
placed on travelers due to an incident with liquid explosives (TSA, 2009).
Standards Are Dynamic
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 16/42
Over time, the standards evolve, and they change to meet the societal and
technological needs. Although the intent of many security standards ap-
pears to stay the same over time, the underlying technologies that must
be supported are constantly changing. Just as in the “no liquids” ban on
airplanes was first introduced, and then evolved into “as long as the liq-
uids are 3 oz or less and fit in a 1 qt plastic bag,” and then may morph
into “no requirements at all” due to investments in more advanced scan-
ning technology, information security standards also need to change.
Alternatively, increased protections may be added, such as the x-ray body
scanners and pat downs, which were added at most airports in late 2010.
Most control frameworks are written at a higher, broader level, which
provides flexibility to implement controls to satisfy the specific technolog-
ical request. For example, the ISO 27002:2005 Information Technology—
Security Techniques (Code of Practice) control 10.5.1d indicates that “the
back-ups should be stored in a remote location, at a sufficient distance to
escape any damage from a disaster at the main site.” This leaves much in-
terpretation up to the implementer of the standard. How far away is far
enough? Before Hurricane Katrina inflicted extensive damage on New
Orleans, Louisiana, and other surrounding areas in 2005, many individu-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 17/42
als felt that storage a few miles away was sufficient. Today, when compa-
nies are assessing their business continuity plans, they typically point to
Katrina and quickly decide that 50 to 100-plus miles away would greatly
reduce the risk. Others have invested in new replication technologies and
the availability of inexpensive storage to ensure availability of the
information.
Changing environments necessitate the ability to change the implemen-
tation strategies to meet the lower cost of technology, increased effective-
ness of controls, and conformance to emerging regulations.
The How Is Typically Left Up to Us
As the aforementioned example illustrates, the good news is that the stan-
dards may be written to be flexible over time. The bad news is that they
are written to be flexible over time. In other words, standards often lack
the specificity of the ‘how’ that would be useful to implementing the stan-
dard. Obviously, this is by design. However, it leaves the implementer of
the standard to figure out, based upon the available alternatives, what
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 18/42
the best method of implementation should be for their particular envi-
ronment and cost constraints.
The best practices terminology has received criticism over the past sev-
eral years, as the beauty is in the eye of the beholder. A practice that
works for one organization may not fit for another. One organization
may implement a policy banning USB drives due to their small size,
whereas another may allow them as long as the contents are automati-
cally encrypted with the company-approved software. Still another may
prohibit their use by policy to most users, but allow adoption by those
who establish a business need (as specified in ISO 27002:2005 10.7.1f), as
well as taking the additional step of controlling access through active di-
rectory authorization and a vendor product. Which is the best practice? It
depends on the organizational culture, appetite for risk, cost constraints,
and so forth. It may also be the case that the individuals within the orga-
nization do not have access to sensitive information, thus limiting the
exposure.
Therefore, the best practice for an organization must take in many fac-
tors not defined within the individual standard. Typically, an organiza-
tion would be prudent to follow the trends within their particular vertical
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 19/42
industry, and pay attention to what the “herd” is doing. If 70% of the
sheep are heading for the hills, it may be worth heading in that direction.
It is also important to understand why another 10% is going in another
direction (assuming 20% are standing still) and may be headed to a better
best practice. In the tape backup example, maybe the 10% that are utiliz-
ing online, high-speed compressed disk-to-disk backup strategies are the
best practice that is right for the organization.
Whatever these practices are named for our individual organizations,
each must recognize that the practices must satisfy the standard and
where they do not, sufficient business justification and risk acceptance
must be documented. In this manner, the standards become the reference
point for making informed business decisions.
Key Question: Why Does the Standard Exist?
Before deciding how to implement the standard, it is a useful exercise to
examine the selected control within the standard and analyze why the
control exists in the first place. What threat is it addressing? What would
the risk be to my organization if I decided to ignore addressing the con-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 20/42
trol? In other words, how is implementing the control increasing the se-
curity, protection, or information assurance of the information assets
within the organization? Understanding the “what if I don’t” can quickly
lead to a deeper understanding of the intent of the control versus trying
to ensure compliance with every detail of the control.
For example, if there is a control within the standard that says that logs
of activity to the system must be retained for 1 year and access must be
restricted to only those with a need to know, understanding why this
standard exists will contribute to how it should be implemented. If the in-
tent of the control is to be able to go back and analyze incidents, then the
individuals who need read access are the systems security operations
team or those responding to the incidents. The files may also need to be
online if there is a frequent occurrence of investigation. Alternatively, the
logs may not be able to be reviewed due to resource (human) constraints
and may necessitate the investment in a Security Information and Event
Management (SIEM) tool that aggregates and correlates the information.
Understanding the intent of the control also assists in interpreting the
terminology used within the control. Many different organizations, com-
mittees, and geographic representations promulgate the standards. The
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 21/42
NIST uses terminology in the 800-53 standard (Recommended Security
Controls for Federal Information Systems) with roots in the government
sector that would be familiar to many accustomed to working for or con-
tracting with government agencies. Contrast that with the IT Governance
Institute’s COBIT framework (ITGI, n.d.), which is reviewed by an interna-
tionally represented committee.
Compliance Is Not Security, But It Is a Good Start
Checking off each of the controls specified within a standard is analogous
to completing the weekend honey-do list at home—it may be done at the
end of the weekend, but wait for the household auditor to see if it was
done well. When HIPAA, GLBA, FISMA, PCI DSS, and other regulations ar-
rived on the scene, some organizations reviewed the “compliancy with
the standard” as the primary goal and subsequently created a checklist
approach to satisfying the controls with the minimum that would be
needed for compliancy, without the benefit of a real risk assessment. The
danger in this is that the security controls implemented may prove to be
ineffective to addressing the vulnerabilities of the organization and the
threats that they face.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 22/42
However, even though compliance with standards may not be suffi-
cient to mitigate the risk level to an acceptable level for the organization,
the fact that the organization is adopting a control framework provides
the opportunity to create a baseline and enhance the security level over
time. Without such a framework in place, there is less chance that the en-
vironment will be secure, as items can be missed too easily.
Integration of Standards and Control Frameworks
Each of the standards and control frameworks contributes in their own
way and the astute security professional will become familiar with each
of them. COBIT provides an excellent overall governance framework that
ties together business goals, governance drivers, business outcomes, and
IT resources, processes, and goals. ISO 27001 provides a nice control
framework for establishing an ISMS, ensuring that risks are assessed,
controls are implemented, management is actively involved, and the doc-
umentation is up to date. NIST 800-53 provides the detailed controls with
tailored enhancements with the specifications for assessing the controls
(800-53A document). The HIPAA Final Federal Security Rule provides the
framework for implementing protection for the healthcare vertical indus-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 23/42
try. FISMA relies on the controls specified by NIST to comply with the reg-
ulation instead of creating a new set of controls. The ITIL provides the
control areas for providing effective and efficient service delivery, and
overlaps the security areas specified in the other control areas.
Several organizations, such as NIST and the IT Governance Institute,
have recognized the commonality of these standards as evidenced by
their work in mapping controls between HIPAA, NIST 800-53, COBIT,
FISMA, ITIL, and others. Although the wording, level of the control, and
measures for assessment may have different criteria, there is much com-
monality amongst the controls. For example, controls regarding configu-
ration management and the need to develop baselines may not be specifi-
cally called out in HIPAA and FISMA as they are in ISO27001 and NIST,
however, the need for securing the computing devices are represented
within the controls for technical controls and the implementation of sys-
tems security plans.
Auditing Compliance
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 24/42
Once a control framework or set of standards has been chosen and imple-
mented, it is imperative that the framework be internally and externally
audited on a regular basis. Gaps in process are typically uncovered dur-
ing these audits, and if these gaps are mitigated quickly, the security pro-
gram becomes more complete over time. Care must be taken to address
reasonable risk, as it is rare that an organization will execute every con-
trol every time. What is important is that there are mitigating or compen-
sating controls that catch the anomalies before they become major issues,
and prompt follow-up and correction actions are taken. Audit testing of
the control frameworks will take many forms including interviewing, de-
termining and testing samples, performing vulnerability assessments, re-
view of policies and procedures, and conducting external penetration
tests. Each audit should be viewed as an opportunity to determine the ef-
fectiveness of the control framework and potentially modify the existing
controls. Preparing for the auditing of the controls is covered in more
depth in Chapter 11.
Adoption Rate of Various Standards
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 25/42
Whatever the industry, it seems that there are always many standards
from which to choose. Each standard has occurred due to a lack of secu-
rity in a certain area, and laws or rules were put in place. HIPAA emerged
due to a concern about creating electronic medical records/ claims infor-
mation and the privacy concerns that would result over aggregating the
data. PCI emerged as cardholder information was being stored and not
properly protected. FISMA was enacted to provide a common evaluation
of the security across government agencies and their contractors.
ISO 27001/2 Certification
The aforementioned laws needed standards containing a listing of con-
trols that could be implemented, such as ISO 27001/2, NIST-800-53
Controls, COBIT, PCI, ITIL, and HITRUST (Health Information Trust
Alliance), to protect the information assets that were being targeted (gov-
ernment, financial, healthcare, or all industries). However, the adoption
rates of the different standards have varied from organization to organi-
zation. For example, some organizations are basing their security pro-
gram on ISO27001/2, whereas others use COBIT as a framework, and oth-
ers still are using NIST 800-53 controls. Others, such as those in health-
care, might be using the NIST 800-53 controls mapped to HIPAA (as avail-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 26/42
able from the NIST website in document 800-66) to satisfy the require-
ments of HIPAA. Others yet are using the HITRUST model to determine
compliance. So, this begs the question, why isn’t everyone using NIST 800-
53? Or ISO 27001/2?
To answer this question, it is useful to look at the number of companies
that are currently ISO 27001 certified, which varies greatly by country.
For example, Japan has the most number of certifications (3720), followed
by India (509), China (494), United Kingdom (455), Taiwan (401), and then
the list drops off with Germany at 145 and so forth. The United States has
approximately 100 companies that are certified in its information secu-
rity management system. With the number of years that the ISO security
standard has been around (approximately 20 years), one would think the
adoption rate would be much higher. The reality is that many companies
are utilizing the standard to frame their security programs; however,
they have not taken the step to obtain certification. The rationale, anecdo-
tally expressed at numerous security conferences, is (1) it can be a timely,
rigorous process involving extra (unnecessary) expense; (2) the benefit of
certification is not easily determined, as the auditors will still pull sam-
ples and audit according to their audit program; and (3) there is currently
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 27/42
no law or mandate requiring that ISO 27001/2 be utilized and certified as
the control standard. Without a law requiring its use, organizations have
chosen the ISO 27001/2 standard to demonstrate compliance with areas
such as HIPAA, Sarbanes-Oxley Act of 2002 (Section 404), GLBA, SAS070
requirements, but have stopped short of pursuing certification. Audits are
expensive in terms of audit time, business interruption time, and cost,
and an ISO audit represents an extra expense over and above the other
required audits.
NIST Certification
U.S. government agencies are all too familiar with NIST 800-53 controls,
as they are required by FISMA to be implemented by all federal agencies
and their contractors. There is no requirement that the federal agencies
implement the set of ISO 27001/2 controls; however, they are mapped to
the NIST 800-53 controls as a reference. There is much overlap in these
controls. However, the NIST controls are at a more detailed level than the
ISO controls. In fact, the NIST controls are an excellent supplement to the
ISO controls if this is the framework that is selected. There does not exist,
at this time, a NIST security “certification” per say of the 800-53 controls;
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 28/42
however, there is a process by which the government certifies the sys-
tems security plan and risk assessment, which embody the 800-53 con-
trols and how they are implemented within the general support system
defined by the systems security plan.
NIST 800-53 controls and guidance offer an excellent integration oppor-
tunity to supplement the ISO and COBIT controls in building the informa-
tion security program. Although the controls are required for use in fed-
eral agencies, they are also very applicable to the private sector and best
of all they are freely available for download from the NIST site on the
Internet.
Control Framework Convergence
Why can’t we have just one standard? On the surface, this appears to be a
simple, logical question. As Eckhart Tolle (2005) promotes in his book A
New Earth that individuals create stress in their lives by not accepting
“what is.” The reality is that laws and regulations will continue to emerge
from different organizations, and as security professionals, adapting to
the emerging laws and regulations and applying the appropriate stan-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 29/42
dards and control frameworks will be key. This is not to say that efficien-
cies cannot be gained, as controls can be implemented that would sup-
port multiple control frameworks. Sometimes, a control only needs to be
tweaked to satisfy multiple controls and standards.
Over time, the practices that are common do emerge and become gen-
erally accepted. Even as recent as a few years ago, laptops were not uni-
versally encrypted by companies, with IT departments citing the expense,
complexity, lack of necessity, files stored on the network by company pol-
icy, and so on. So what was the tipping point that changed the practice to
companies encrypting the laptops? It was when the Veterans
Administration lost a laptop containing information on 26.5 million veter-
ans in 2006 causing a public outrage. Today, few companies would want
to admit that they are not encrypting their laptops due to the shift in the
herd mentality to encryption. The sheep have headed for the hills, and
the slow sheep are vulnerable to being left behind. Upon reviewing the
standards and control frameworks, it is clear that the requirements for
protecting mobile devices and media were specified prior to 2006. It
could be argued that proactive attention to these frameworks would save
much in the long run. The Veterans Administration suffered in terms of
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 30/42
public reputation and financially ($20 million lawsuit to settle claims), all
which could have been avoided. What happened to this government
agency could happen to any of our organizations if the controls are not in
place. Adherence to the control frameworks and standards increases the
likelihood that breaches will not have a devastating effect on the confi-
dentiality, integrity, or availability of the information assets.
The 11-Factor Compliance Assurance Manifesto
The regulations, control frameworks, standards, technical implementa-
tion guides, and penalties for noncompliance provide insight into what
needs to be achieved to provide the organizational compliance assurance
to the various security-related regulations. Now this begs the next ques-
tion: What actions need to be taken to achieve and maintain compliance
with the regulations?
To answer that question, the 11-Factor Security Compliance Assurance
Manifesto (Fitzgerald, 2008), as shown in Figure 7.1, sets out the princi-
ples by which compliance assurance may be achieved.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 31/42
1. Designate the individual responsible for compliance assurance oversight
—Whereas many of the policy-type regulations may not appear to
change on a frequent basis, the supporting documents, technical speci-
fications, and current areas of concern do change over time. New laws
are also created, such as the new incident breach reporting laws imple-
mented as part of the HITECH Act (Chapter 13), where state-by-state
adoption of some form of the law is enacted. Similarly, when the HIPAA
privacy rule was being made effective, each state had groups that were
focused on creating a preemption analysis. Staying on top of these
changes and ensuring that someone is directing the security compli-
ance efforts is essential. In medium-sized organizations, this is likely to
be the manager or director of security, whereas in larger organizations
the chief information security officer, chief security officer, or security
officer is likely be responsible for ensuring that the security compli-
ance assurance activities are performed. The chief information officer’s
organization and the other business units carry out the mitigation
work as appropriate.
2. Establish a security management governing body—To achieve support
for the implementation of security policies throughout the organiza-
tion and to ensure that the security policies do not disrupt the business,
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 32/42
it is advisable to establish an information security council. Councils
made up of representatives from IT, business units, human resources,
legal departments, physical security, internal audit, ethics and compli-
ance, and information security can be effective in achieving compli-
ance with the regulations. Their oversight and interaction provide
feedback as to whether the security activities planned are feasible and
whether there is a high probability of compliance success.
3. Select control framework and standards—The frameworks mentioned,
such as COSO, ITIL, ISO 17799, COBIT, NIST, and FISCAM, offer an excel-
lent place to map the security controls that are in place to the frame-
work, uncover the gaps in compliance, and create action plans to in-
crease the security assurance with these objectives. Multiple control
frameworks can be selected for different levels of detail. For example,
COBIT may be selected to provide a governing framework, whereas ISO
17799 controls maybe mapped to the framework (already available
from the IT governance institute) and then linked to the NIST control
objective families and supported by the Defense Information Systems
Agency (DISA) STIGs. The mapping provides a mechanism to review
how a set of technical controls supports the higher-level statements in
the other frameworks. The same controls serve multiple purposes.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 33/42
Comprehensive frameworks are created through this process, enabling
the other compliance assurance activities.
4. Research and apply technical controls—There are many approaches at
the technical level for being compliant with the control objectives.
Analysis must be performed to determine the best control based upon
the risk profile of the organization. For example, achieving compliance
with a requirement to provide adequate off-site backups of informa-
tion in the event of a disaster could be achieved in a small regional of-
fice by placing a daily tape in a fireproof safe and rotating the weekly
tape off site. Alternatively, a small office may decide to store the
backup tapes remotely with a tape storage facility, transmit the backup
information securely over the Internet for backups, or assign an indi-
vidual to take home the backup tape nightly. Each of the scenarios has
its own costs and risks inherent in the control selection.
5. Conduct awareness and training—The documented security policies
and procedures are necessary; however, if individuals do not truly un-
derstand their responsibilities to comply with the security controls, the
likelihood that the appropriate processes will be followed is greatly
diminished.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 34/42
6. Verify compliance—Vulnerability assessments, penetration testing, and
internal audit reviews of the security controls ensure that the policies
and procedures that were created are being followed. Implemented se-
curity on the computing platform can be tested and compared with the
documented baselines, configurations, and change control records to
provide assurance that the security controls are being maintained per
the requirements implemented through the control frameworks.
7. Implement a formal remediation process—When weaknesses in the se-
curity controls are discovered through internal audits, external audits,
vulnerability assessments, risk assessments, or other internal reviews,
the issue must be logged and tracked to completion. Accountability
should be placed at a middle management or senior management level
to ensure the appropriate attention and priority are placed on remedy-
ing the issue. Completion dates must be assigned (preferably no later
than 90 days after creation of the action plan). Documentation of the
remediation (evidence) must be provided when the issue has been re-
solved. The existence of formal tracking of the security issues provides
the assurance that security is an ongoing, management-supported
process.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 35/42
8. Dedicate staff, automate compliance tasks—Compliance initiatives are
very time consuming and drain the organization of resources to collect
evidence, provide explanations, participate in interviews, and locate
the policies and procedures that support the regulations. Without an
organized automated process, this activity becomes even more chal-
lenging and time is wasted on inefficiencies. The same information
may be requested multiple times to answer similar questions, where
one report may have provided a reasonable answer. Initially, more
staff should be allocated to the compliance efforts to provide a focus to
the activity. When the compliance tasks are added to the regular jobs of
predominantly IT staff, they may be given lower priority and re-
sources. As automation increases, the staff required to support the
compliance efforts should either remain constant or decrease. A con-
stant staff may be needed to ensure that the new regulations and
changes are adequately addressed.
9. Report on compliance metrics—Dashboards of red, yellow, and green,
or heat maps are useful tools to demonstrate where security is weak
within the organization and where more focus should be placed. These
metrics should be reported in a manner that is meaningful to the busi-
ness, such as unavailability issues, which could impact major, mission
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 36/42
critical applications, or confidentiality concerns that may affect the
consumer trust in the brand.
10. Enforce penalties for noncompliance to policy—Does one grin and bear
it when the security control objectives are not followed or grit one’s
teeth? This is one area that needs teeth! There must be sanctions in
place for those that do not follow the security policies. Associates must
also be trained that compliance with the security controls is part of
their job responsibilities. The individual responsible for compliance as-
surance must ensure that the guidelines are established for sanctions
and that the appropriate parties follow through with the sanction
(which may be the manager, and legal and human resources
representatives).
11. Collaborate and network externally—Many organizations must comply
with the same regulations. Why not leverage that experience? Working
with peers within the industry vertical for dealing with industry-spe-
cific regulations and acrossindustries for understanding various meth-
ods to implement the control frameworks, standards, and technical
controls can be invaluable. For example, nonprofit organizations, such
as the HIPAA Collaborative of Wisconsin, were formed to bring to-
gether healthcare providers, payers, and clearinghouses to discuss ap-
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 37/42
proaches to implementing HIPAA. The presentations, network contacts,
and information sharing that happen are phenomenal. Attending con-
ferences and industry associations such as the Information Systems
Security Association (ISSA), Information Systems Audit and Control
Association (ISACA), Computer Security Institute (CSI), Management
Information System Training Institute (MISTI), SANS (SysAdmin, Audit,
Network, Security) Institute, and others helps to gain a common under-
standing of the regulation and implementation approaches. This also
provides input as to what the herd is doing to be compliant with the
regulation.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 38/42
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 39/42
1.
Figure 7.1 11-Factor Security Compliance Assurance Manifesto.
The Standards/Framework Value Proposition
Control frameworks and standards provide the roadmap to build a suc-
cessful information security program. Once in place, continuous review
of the policies, standard operating procedures, and implementation of the
controls will enhance the effectiveness of the program. Monitoring
through audits accompanied by corrective actions and tracking enables
refinement of the control framework and standards to reduce the risk of
a security event impacting the business in a significant way. Think of the
various security control frameworks as each contributing in some way to
the infrastructure of a super six-lane freeway. Rather than manage our
security programs by ourselves, on an old gravel road at 20 miles per
hour, it is time to get on the superhighway supported by the strong
plethora of control frameworks and standards and enjoy the ride!
Suggested Reading
Federal Information Security Management Act of 2002 (FISMA). November 27,
2002. http://csrc.nist.gov/groups/SMA/fisma/index.html
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 40/42
2.
3.
4.
5.
6.
7.
8.
National Institute of Standards and Technology (NIST), Special Publications,
http://csrc.nist.gov/publications/PubsSPs.html
National Institute of Standards and Technology (NIST). August 2009.
Recommended security controls for federal information systems, Special publica-
tion 800-53. http://csrc.nist.gov/publications/PubsSPs.html
National Institute of Standards and Technology (NIST). July 2008. Guide for assess-
ing controls in federal information systems.
http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf
Defense Information Systems Agency (DISA), Security technical implementation
guides (STIGs), http://iase.disa.mil/stigs/stig
National Security Agency, Security configuration guides, http://www.nsa.gov/snac
International Organization for Standardization (ISO). ISO/IEC 27001:2005
Information security management systems—Requirements.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=42103
International Organization for Standardization (ISO). ISO/IEC 27002:2005
Information technology security techniques—Code of practice for information se-
curity management.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 41/42
9.
10.
11.
12.
13.
14.
15.
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?
csnumber=50297
U.S. General Accounting Office. January 1999. Federal Information System
Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6.
http://www.gao.gov/special.pubs/12_19_6.pdf
U.S. Government Accountability Office. February 2009. Federal Information
System Controls Audit Manual (FISCAM), GAO-09-232G.
http://www.gao.gov/new.items/d09232g.pdf
Information Technology Infrastructure Library, http://www.itil-official-
site.com/home/home.asp
Tolle, E. 2005. A new earth: Awakening to your life’s purpose. New York: Penguin.
PCI Data Security Standards Council,
https://www.pcisecuritystandards.org/security_standards/documents.php
International Register of ISMS Certificates, http://iso27001certificates.com
Fitzgerald, T 2008. Compliance assurance: Taming the beast. In Information secu-
rity handbook, H. Tipton and M. Krause, eds., chap. 28. Boca Raton, FL: Auerbach.
4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 42/42
16.
17.
18.
19.
20.
IT Governance Institute. 2000. COBIT® framework: Governance, control and audit
for information and related technology.
TSA urban legends (nail clippers, knitting needles and corkscrews). 2009. TSA Blog
(May 9). http://blog.tsa.gov/2009/05/tsa-urban-legends-nail-clippers.html
Lighters, nail clippers and lithium batteries. 2008. The TSA Blog (January 31).
http://blog.tsa.gov/2008/01/lighters-nail-clippers-and-lithium.html
IT Governance Institute. COBIT® 4.1, http://www.itgi.org
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
1992. Internal control—Integrated framework.