question

profilejimpop1998
Chapter7SecurityComplianceUsingControlFrameworks_InformationSecurityGovernanceSimplified.pdf

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 1/42

7

Security Compliance Using Control Frameworks

The cautious seldom err.

Confucius, 551–479 BC

Security Control Frameworks Defined

Control frameworks and security standards are often interchangeable

terms depending upon the creator. Just to confuse things further, ISO

27001, from the International Organization for Standardization, posits an

information security management “system” (ISMS) and the controls are

contained within the ISO 27002 Code of Practice (ISO, 2005). The National

Institute of Standards and Technology (NIST) Special Publication 800-53

(NIST, 2009), titled Recommended Security Control for Federal

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 2/42

Information Systems, breaks the controls into 18 control families and 3

classes (managerial, operational, and technical) of controls. COBIT,

Control Objectives for Information and related Technology framework,

defines a control framework as a tool for business process owners that fa-

cilitates the discharge of their responsibilities through the provision of a

supporting control model. Alternatively, COBIT defines a standard as a

business practice or technology product that is an accepted practice en-

dorsed by the enterprise or information technology (IT) management

team.

COBIT adapted the control from the Committee of Sponsoring

Organizations of the Treadway Commission (COSO) report “Internal

Control-Integrated Framework” (COSO, 1992) to mean “the policies, proce-

dures, practices, and organizational structures designed to provide assur-

ance that business objectives will be achieved and that undesired events

will be prevented or detected and corrected.”

For the purposes of this discussion, control frameworks, controls, and

standards are interchangeable, as the intent of each of them is to provide

some definition to a practice or set of practices that if performed will pro-

tect the organization’s information assets. These consist of documented,

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 3/42

executed, tested, implemented, and monitored controls that reduce the

risk of threats succeeding against company vulnerabilities.

Security Control Frameworks and Standards Examples

The following are some examples of the control frameworks and stan-

dards that address information security requirements.

Heath Insurance Portability and Accountability Act (HIPAA)

The Heath Insurance Portability and Accountability Act (HIPAA) final rule

for adopting security standards was published February 20, 2003, which

required a series of administrative, technical, and physical security pro-

cedures for entities to use to assure the confidentiality of protected health

information (PHI). The standard was intentionally nontechnology specific

and intended to provide scalability to small providers and large providers

alike.

Federal Information Security Management Act of 2002 (FISMA)

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 4/42

Primary purpose of the Federal Information Security Management Act

(FISMA) is to provide a comprehensive framework for ensuring the effec-

tiveness of security controls over information resources that support fed-

eral operations and assets. The law also provided funding for NIST to de-

velop the minimum necessary controls required to provide adequate se-

curity. The government publishes an annual report card based upon its

assessment of compliance with the framework.

National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems (800-53)

The NIST Special Publication 800-53 standards and guidelines reference

the minimum set of controls that must be implemented to protect the fed-

eral system based upon the risk level determined. Implementation of the

18 families of security controls establishes a level of “security due dili-

gence” for federal agencies and the contractors that perform work for the

government. These standards are very comprehensive, freely available,

and an excellent resource to supplement other control frameworks.

Federal Information System Controls Audit Manual (FISCAM)

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 5/42

Issued by the U.S. Government Accountability Office (formerly known as

the U.S. General Accounting Office), the Federal Information System

Controls Audit Manual (FISCAM) provides guidance for information sys-

tems auditors to evaluate the IT controls used in support of financial

statement audits (GAO, 1999). This is not an audit standard, but is in-

cluded here because auditors are typically testing the control environ-

ment in government audits using this standard. There has been increased

emphasis on the use of NIST 800-53 controls and the NIST 800-53A assess-

ments. However, FISCAM is still utilized by government auditors, and,

therefore, it is worthwhile to understand the contents.

ISO/IEC 27001:2005 Information Security Management Systems—Requirements

ISO/IEC 27001:2005 provides a model for establishing, implementing, op-

erating, monitoring, reviewing, maintaining, and improving an informa-

tion security management system (ISMS). This was an evolution from

British Standard (BS) 7799-2 and ISO 17799.

The UK Department of Trade and Industry Code of Practice (CoP) for in-

formation security, which was developed from support of industry in

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 6/42

1993, became BS 7799 in 1995. The BS 7799 standard was subsequently re-

vised in 1999 to add certification and accreditation components, which

became part 2 of the BS 7799 standard. Part 1 of the BS 7799 standard be-

came ISO 17799 and was published as ISO 17799:2000 as the first interna-

tional information security management standard by the ISO and

International Electrotechnical Commission (IEC). ISO 17799 standard was

modified in June 2005 as ISO/IEC 17799:2005 containing 134 detailed in-

formation security controls based upon the following 11 areas:

Information security policy

Organizing information security

Asset management

Human resources security

Physical and environmental security

Communications and operations management

Access control

Information systems acquisition, development, and maintenance

Information security incident management

Business continuity management

Compliance

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 7/42

ISO standards are grouped together by topic areas and the ISO/IEC

27000 series has been designated as the information security manage-

ment series. For example, ISO 27002:2005 Information Technology—

Security Techniques—Code of Practice for Information Security

Management replaced the ISO/IEC 17799:2005 Information Technology—

Security Techniques—Code of Practice for Information Security

Management document. This is consistent with how ISO has named other

topic areas, such as the ISO 9000 series for quality management. ISO/IEC

27001:2005 was released in October 2005 and specifies the requirements

for establishing, implementing, operating, monitoring, reviewing, main-

taining, and improving a documented information security management

system taking into consideration the company’s business risks. This man-

agement standard was based on the BS 7799 part 2 standard and provides

information on building information security management systems and

guidelines for auditing the system.

ISO/IEC 27002:2005 Information Technology—Security Techniques—Code of Practice for Information Security Management

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 8/42

ISO/IEC 27002:2005 provides 11 security control clauses, as noted earlier.

The code of practice specifies the controls necessary and the implementa-

tion guidance by specifying the controls with may be chosen to build the

ISMS specified through application of ISO/IEC 27001:2005.

Control Objectives for Information and Related Technology (COBIT)

COBIT is a framework and supporting toolset that allow managers to

bridge the gap with respect to control requirements, technical issues, and

business risks, and then communicate that level of control to stockhold-

ers. COBIT can be used to integrate other standards as an umbrella

framework.

COBIT is published by the IT Governance Institute and contains a set of

34 high-level control objectives, one for each of the IT processes, such as

define a strategic IT plan, define the information architecture, manage

the configuration, manage facilities, and ensure systems security. Ensure

systems security has been broken down further into control objectives

such as manage security measures, identification, authentication and ac-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 9/42

cess, user account management, data classification, and firewall

architectures.

The COBIT framework examines the effectiveness, efficiency, confiden-

tiality, integrity, availability, compliance, and reliability aspects of the

high-level control objectives. The model defines four domains for gover-

nance, namely, planning and organization, acquisition and implementa-

tion, delivery and support, and monitoring. Processes and IT activities

and tasks are then defined within these domains. The framework pro-

vides an overall structure for IT control and includes control objectives,

which can be utilized to determine effective security control objectives

that are driven from the business needs.

COBIT gained increasing popularity through implementation to demon-

strate compliance with Sarbanes-Oxley regulations, which were enacted

in 2002 to require management and the external auditor to report on in-

ternal controls over financial reporting.

Payment Card Industry Data Security Standard (PCI DSS)

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 10/42

The Payment Card Industry Data Security Standard (PCI DSS) is a set of

comprehensive requirements for enhancing payment account security,

formed by several major credit card issuers, to facilitate the broad adop-

tion of a comprehensive security standard designed to protect cardholder

data. The standard applies to all parties that are involved in credit card

processing, such as merchants, processors, acquirers, issuers, and service

providers as well as other entities that store, process, or transmit card-

holder data. The standard contains requirements to address each of the

following areas:

Build and maintain a secure network (proper network device

configuration)

Protect cardholder data (storage and encrypted transmission across

open networks)

Maintain a vulnerability management program (e.g., secure systems,

antivirus software)

Implement strong access control measures (logical and physical access,

need to know)

Regularly monitor and test networks (regularly test, track, and monitor

access)

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 11/42

Maintain an information security policy (maintain a policy that ad-

dresses information security for all personnel)

The reviews are to be performed annually to ensure that cardholder

data is protected. Depending upon the size of the entity participating in

the program, the review may need to be conducted by an external

assessor.

Information Technology Infrastructure Library (ITIL)

The Information Technology Infrastructure Library (ITIL) is a set of books

published by the British government’s Stationary Office between 1989

and 1992 to improve IT service management. The framework contains a

set of best practices for IT core operational processes such as change, re-

lease, and configuration management; incident and problem manage-

ment; capacity and availability management; and IT financial manage-

ment. ITIL’s primary contribution is showing how the controls can be im-

plemented for the service management IT processes.

Security Technical Implementation Guides (STIGs) and National Security Agency (NSA) Guides

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 12/42

Security Technical Implementation Guides (STIGs) and National Security

Agency (NSA) Guides are configuration standards for the Department of

Defense Information Assurance. They are freely available and used as the

basis for technical standards for many private organizations. These stan-

dards, if implemented, support many of the high-level requirements spec-

ified within requirements such as FISMA, HIPAA, PCI, NIST, COBIT, ISO

27001, and GLBA (Gramm-Leach-Bliley Act).

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook

The Federal Financial Institutions Examination Council (FFIEC) is empow-

ered to provide uniform principles, standards, and reporting forms for

the examination of financial institutions by the Board of Governors of the

Federal Reserve System (FRB), the Federal Deposit Insurance Corporation

(FDIC), the National Credit Union Administration (NCUA), the Office of the

Comptroller of the Currency (OCC), and the Office of Thrift Supervision

(OTS). Several booklets have been issued by the council, including Audit,

Business Continuity Planning, Development and Acquisition, Electronic

Banking, Management, Operations, Outsourcing Technology Services,

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 13/42

Retail Payment Systems, Supervision of Technology Service Providers,

Wholesale Payment Systems. Information Security was also added as a

booklet in July 2006, which includes guidance for the security process,

risk assessment, security strategy, security controls implementation, and

security monitoring as well as the examination procedures and related

laws. The handbook issued by the FFIEC serves as a supplement to the

member agencies expectations for meeting the GLBA 501(b) require-

ments. These documents provide the detail necessary to evaluate an in-

formation security program.

The World Operates on Standards

The fact about standards is that they are useful and the world is made up

of many of them, from the minimum weight in the passenger seat that

must be met before the airbag protection will become active, to the speci-

fication of the size of a #8 screw, to the standard formats for electronic

data interchange of electronic transactions between healthcare

providers, payers. and clearinghouses. Standards ensure that products

are built to specifications and allow us to simplify the complexity of the

world by creating a common deliverable and common language. Imagine

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 14/42

if every time a manufacturer wanted a product built they had to design a

screw that could be potentially different from any other screw a manu-

facturer created. Not only would this process be very expensive, it would

also be very time consuming for the customer and the supplier, and

would be very error-prone. Nonstandardized processes also slow the de-

livery of the product or service. Henry Ford recognized many years ago

that there were efficiencies and increases in quality by creating vehicles

that looked the same and were painted the same color (black). Although

the cars were available in other colors, the primary color produced was

black for efficiency. Imagine if stoplights were each made with different

colors to represent stop, slow down, and go. Imagine roadways that used

different types of striping to indicate passing versus nonpassing lanes

based upon the state in which you live. The world would be very chaotic

with each individual interpreting the colors and passing lanes as they

drove, many times potentially making the wrong decision.

Sometimes we like the standards, sometimes we do not. Sometimes

they just do not make intuitive sense to us nor do they seem effective. For

example, the Transportation Security Administration (TSA) originally did

not allow nail clippers on the airplane and reversed the decision in 2005

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 15/42

after negative public opinion (however, there are varying accounts as to

whether it was the TSA that banned nail clippers or if thee ban was pre-

TSA). Lighters were also subsequently allowed in July 2007 by the Federal

Aviation Administration. Laws, regulations, and the standards that sup-

port them are sometimes developed without the extensive analysis of

their necessity, or in reaction to a major event and the need to do some-

thing, only to be rescinded later for their lack of effectiveness. This is un-

derstandable, as government and private industry must react to new situ-

ations, making decisions on the data available at the time. In defense of

the TSA, decisions to limit what was brought on an airplane had to be

made quickly on the heels of September 11, 2001, and its focus was on ob-

jects that had the potential to harm. Thus, the standard of no nail clippers

was enacted. As time went on, this standard was modified to reflect a

reevaluated risk. Liquid restrictions such as being able to carry only a 1

quart bag of 3.4 oz bottles of shampoo and other liquids on board were

placed on travelers due to an incident with liquid explosives (TSA, 2009).

Standards Are Dynamic

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 16/42

Over time, the standards evolve, and they change to meet the societal and

technological needs. Although the intent of many security standards ap-

pears to stay the same over time, the underlying technologies that must

be supported are constantly changing. Just as in the “no liquids” ban on

airplanes was first introduced, and then evolved into “as long as the liq-

uids are 3 oz or less and fit in a 1 qt plastic bag,” and then may morph

into “no requirements at all” due to investments in more advanced scan-

ning technology, information security standards also need to change.

Alternatively, increased protections may be added, such as the x-ray body

scanners and pat downs, which were added at most airports in late 2010.

Most control frameworks are written at a higher, broader level, which

provides flexibility to implement controls to satisfy the specific technolog-

ical request. For example, the ISO 27002:2005 Information Technology—

Security Techniques (Code of Practice) control 10.5.1d indicates that “the

back-ups should be stored in a remote location, at a sufficient distance to

escape any damage from a disaster at the main site.” This leaves much in-

terpretation up to the implementer of the standard. How far away is far

enough? Before Hurricane Katrina inflicted extensive damage on New

Orleans, Louisiana, and other surrounding areas in 2005, many individu-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 17/42

als felt that storage a few miles away was sufficient. Today, when compa-

nies are assessing their business continuity plans, they typically point to

Katrina and quickly decide that 50 to 100-plus miles away would greatly

reduce the risk. Others have invested in new replication technologies and

the availability of inexpensive storage to ensure availability of the

information.

Changing environments necessitate the ability to change the implemen-

tation strategies to meet the lower cost of technology, increased effective-

ness of controls, and conformance to emerging regulations.

The How Is Typically Left Up to Us

As the aforementioned example illustrates, the good news is that the stan-

dards may be written to be flexible over time. The bad news is that they

are written to be flexible over time. In other words, standards often lack

the specificity of the ‘how’ that would be useful to implementing the stan-

dard. Obviously, this is by design. However, it leaves the implementer of

the standard to figure out, based upon the available alternatives, what

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 18/42

the best method of implementation should be for their particular envi-

ronment and cost constraints.

The best practices terminology has received criticism over the past sev-

eral years, as the beauty is in the eye of the beholder. A practice that

works for one organization may not fit for another. One organization

may implement a policy banning USB drives due to their small size,

whereas another may allow them as long as the contents are automati-

cally encrypted with the company-approved software. Still another may

prohibit their use by policy to most users, but allow adoption by those

who establish a business need (as specified in ISO 27002:2005 10.7.1f), as

well as taking the additional step of controlling access through active di-

rectory authorization and a vendor product. Which is the best practice? It

depends on the organizational culture, appetite for risk, cost constraints,

and so forth. It may also be the case that the individuals within the orga-

nization do not have access to sensitive information, thus limiting the

exposure.

Therefore, the best practice for an organization must take in many fac-

tors not defined within the individual standard. Typically, an organiza-

tion would be prudent to follow the trends within their particular vertical

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 19/42

industry, and pay attention to what the “herd” is doing. If 70% of the

sheep are heading for the hills, it may be worth heading in that direction.

It is also important to understand why another 10% is going in another

direction (assuming 20% are standing still) and may be headed to a better

best practice. In the tape backup example, maybe the 10% that are utiliz-

ing online, high-speed compressed disk-to-disk backup strategies are the

best practice that is right for the organization.

Whatever these practices are named for our individual organizations,

each must recognize that the practices must satisfy the standard and

where they do not, sufficient business justification and risk acceptance

must be documented. In this manner, the standards become the reference

point for making informed business decisions.

Key Question: Why Does the Standard Exist?

Before deciding how to implement the standard, it is a useful exercise to

examine the selected control within the standard and analyze why the

control exists in the first place. What threat is it addressing? What would

the risk be to my organization if I decided to ignore addressing the con-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 20/42

trol? In other words, how is implementing the control increasing the se-

curity, protection, or information assurance of the information assets

within the organization? Understanding the “what if I don’t” can quickly

lead to a deeper understanding of the intent of the control versus trying

to ensure compliance with every detail of the control.

For example, if there is a control within the standard that says that logs

of activity to the system must be retained for 1 year and access must be

restricted to only those with a need to know, understanding why this

standard exists will contribute to how it should be implemented. If the in-

tent of the control is to be able to go back and analyze incidents, then the

individuals who need read access are the systems security operations

team or those responding to the incidents. The files may also need to be

online if there is a frequent occurrence of investigation. Alternatively, the

logs may not be able to be reviewed due to resource (human) constraints

and may necessitate the investment in a Security Information and Event

Management (SIEM) tool that aggregates and correlates the information.

Understanding the intent of the control also assists in interpreting the

terminology used within the control. Many different organizations, com-

mittees, and geographic representations promulgate the standards. The

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 21/42

NIST uses terminology in the 800-53 standard (Recommended Security

Controls for Federal Information Systems) with roots in the government

sector that would be familiar to many accustomed to working for or con-

tracting with government agencies. Contrast that with the IT Governance

Institute’s COBIT framework (ITGI, n.d.), which is reviewed by an interna-

tionally represented committee.

Compliance Is Not Security, But It Is a Good Start

Checking off each of the controls specified within a standard is analogous

to completing the weekend honey-do list at home—it may be done at the

end of the weekend, but wait for the household auditor to see if it was

done well. When HIPAA, GLBA, FISMA, PCI DSS, and other regulations ar-

rived on the scene, some organizations reviewed the “compliancy with

the standard” as the primary goal and subsequently created a checklist

approach to satisfying the controls with the minimum that would be

needed for compliancy, without the benefit of a real risk assessment. The

danger in this is that the security controls implemented may prove to be

ineffective to addressing the vulnerabilities of the organization and the

threats that they face.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 22/42

However, even though compliance with standards may not be suffi-

cient to mitigate the risk level to an acceptable level for the organization,

the fact that the organization is adopting a control framework provides

the opportunity to create a baseline and enhance the security level over

time. Without such a framework in place, there is less chance that the en-

vironment will be secure, as items can be missed too easily.

Integration of Standards and Control Frameworks

Each of the standards and control frameworks contributes in their own

way and the astute security professional will become familiar with each

of them. COBIT provides an excellent overall governance framework that

ties together business goals, governance drivers, business outcomes, and

IT resources, processes, and goals. ISO 27001 provides a nice control

framework for establishing an ISMS, ensuring that risks are assessed,

controls are implemented, management is actively involved, and the doc-

umentation is up to date. NIST 800-53 provides the detailed controls with

tailored enhancements with the specifications for assessing the controls

(800-53A document). The HIPAA Final Federal Security Rule provides the

framework for implementing protection for the healthcare vertical indus-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 23/42

try. FISMA relies on the controls specified by NIST to comply with the reg-

ulation instead of creating a new set of controls. The ITIL provides the

control areas for providing effective and efficient service delivery, and

overlaps the security areas specified in the other control areas.

Several organizations, such as NIST and the IT Governance Institute,

have recognized the commonality of these standards as evidenced by

their work in mapping controls between HIPAA, NIST 800-53, COBIT,

FISMA, ITIL, and others. Although the wording, level of the control, and

measures for assessment may have different criteria, there is much com-

monality amongst the controls. For example, controls regarding configu-

ration management and the need to develop baselines may not be specifi-

cally called out in HIPAA and FISMA as they are in ISO27001 and NIST,

however, the need for securing the computing devices are represented

within the controls for technical controls and the implementation of sys-

tems security plans.

Auditing Compliance

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 24/42

Once a control framework or set of standards has been chosen and imple-

mented, it is imperative that the framework be internally and externally

audited on a regular basis. Gaps in process are typically uncovered dur-

ing these audits, and if these gaps are mitigated quickly, the security pro-

gram becomes more complete over time. Care must be taken to address

reasonable risk, as it is rare that an organization will execute every con-

trol every time. What is important is that there are mitigating or compen-

sating controls that catch the anomalies before they become major issues,

and prompt follow-up and correction actions are taken. Audit testing of

the control frameworks will take many forms including interviewing, de-

termining and testing samples, performing vulnerability assessments, re-

view of policies and procedures, and conducting external penetration

tests. Each audit should be viewed as an opportunity to determine the ef-

fectiveness of the control framework and potentially modify the existing

controls. Preparing for the auditing of the controls is covered in more

depth in Chapter 11.

Adoption Rate of Various Standards

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 25/42

Whatever the industry, it seems that there are always many standards

from which to choose. Each standard has occurred due to a lack of secu-

rity in a certain area, and laws or rules were put in place. HIPAA emerged

due to a concern about creating electronic medical records/ claims infor-

mation and the privacy concerns that would result over aggregating the

data. PCI emerged as cardholder information was being stored and not

properly protected. FISMA was enacted to provide a common evaluation

of the security across government agencies and their contractors.

ISO 27001/2 Certification

The aforementioned laws needed standards containing a listing of con-

trols that could be implemented, such as ISO 27001/2, NIST-800-53

Controls, COBIT, PCI, ITIL, and HITRUST (Health Information Trust

Alliance), to protect the information assets that were being targeted (gov-

ernment, financial, healthcare, or all industries). However, the adoption

rates of the different standards have varied from organization to organi-

zation. For example, some organizations are basing their security pro-

gram on ISO27001/2, whereas others use COBIT as a framework, and oth-

ers still are using NIST 800-53 controls. Others, such as those in health-

care, might be using the NIST 800-53 controls mapped to HIPAA (as avail-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 26/42

able from the NIST website in document 800-66) to satisfy the require-

ments of HIPAA. Others yet are using the HITRUST model to determine

compliance. So, this begs the question, why isn’t everyone using NIST 800-

53? Or ISO 27001/2?

To answer this question, it is useful to look at the number of companies

that are currently ISO 27001 certified, which varies greatly by country.

For example, Japan has the most number of certifications (3720), followed

by India (509), China (494), United Kingdom (455), Taiwan (401), and then

the list drops off with Germany at 145 and so forth. The United States has

approximately 100 companies that are certified in its information secu-

rity management system. With the number of years that the ISO security

standard has been around (approximately 20 years), one would think the

adoption rate would be much higher. The reality is that many companies

are utilizing the standard to frame their security programs; however,

they have not taken the step to obtain certification. The rationale, anecdo-

tally expressed at numerous security conferences, is (1) it can be a timely,

rigorous process involving extra (unnecessary) expense; (2) the benefit of

certification is not easily determined, as the auditors will still pull sam-

ples and audit according to their audit program; and (3) there is currently

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 27/42

no law or mandate requiring that ISO 27001/2 be utilized and certified as

the control standard. Without a law requiring its use, organizations have

chosen the ISO 27001/2 standard to demonstrate compliance with areas

such as HIPAA, Sarbanes-Oxley Act of 2002 (Section 404), GLBA, SAS070

requirements, but have stopped short of pursuing certification. Audits are

expensive in terms of audit time, business interruption time, and cost,

and an ISO audit represents an extra expense over and above the other

required audits.

NIST Certification

U.S. government agencies are all too familiar with NIST 800-53 controls,

as they are required by FISMA to be implemented by all federal agencies

and their contractors. There is no requirement that the federal agencies

implement the set of ISO 27001/2 controls; however, they are mapped to

the NIST 800-53 controls as a reference. There is much overlap in these

controls. However, the NIST controls are at a more detailed level than the

ISO controls. In fact, the NIST controls are an excellent supplement to the

ISO controls if this is the framework that is selected. There does not exist,

at this time, a NIST security “certification” per say of the 800-53 controls;

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 28/42

however, there is a process by which the government certifies the sys-

tems security plan and risk assessment, which embody the 800-53 con-

trols and how they are implemented within the general support system

defined by the systems security plan.

NIST 800-53 controls and guidance offer an excellent integration oppor-

tunity to supplement the ISO and COBIT controls in building the informa-

tion security program. Although the controls are required for use in fed-

eral agencies, they are also very applicable to the private sector and best

of all they are freely available for download from the NIST site on the

Internet.

Control Framework Convergence

Why can’t we have just one standard? On the surface, this appears to be a

simple, logical question. As Eckhart Tolle (2005) promotes in his book A

New Earth that individuals create stress in their lives by not accepting

“what is.” The reality is that laws and regulations will continue to emerge

from different organizations, and as security professionals, adapting to

the emerging laws and regulations and applying the appropriate stan-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 29/42

dards and control frameworks will be key. This is not to say that efficien-

cies cannot be gained, as controls can be implemented that would sup-

port multiple control frameworks. Sometimes, a control only needs to be

tweaked to satisfy multiple controls and standards.

Over time, the practices that are common do emerge and become gen-

erally accepted. Even as recent as a few years ago, laptops were not uni-

versally encrypted by companies, with IT departments citing the expense,

complexity, lack of necessity, files stored on the network by company pol-

icy, and so on. So what was the tipping point that changed the practice to

companies encrypting the laptops? It was when the Veterans

Administration lost a laptop containing information on 26.5 million veter-

ans in 2006 causing a public outrage. Today, few companies would want

to admit that they are not encrypting their laptops due to the shift in the

herd mentality to encryption. The sheep have headed for the hills, and

the slow sheep are vulnerable to being left behind. Upon reviewing the

standards and control frameworks, it is clear that the requirements for

protecting mobile devices and media were specified prior to 2006. It

could be argued that proactive attention to these frameworks would save

much in the long run. The Veterans Administration suffered in terms of

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 30/42

public reputation and financially ($20 million lawsuit to settle claims), all

which could have been avoided. What happened to this government

agency could happen to any of our organizations if the controls are not in

place. Adherence to the control frameworks and standards increases the

likelihood that breaches will not have a devastating effect on the confi-

dentiality, integrity, or availability of the information assets.

The 11-Factor Compliance Assurance Manifesto

The regulations, control frameworks, standards, technical implementa-

tion guides, and penalties for noncompliance provide insight into what

needs to be achieved to provide the organizational compliance assurance

to the various security-related regulations. Now this begs the next ques-

tion: What actions need to be taken to achieve and maintain compliance

with the regulations?

To answer that question, the 11-Factor Security Compliance Assurance

Manifesto (Fitzgerald, 2008), as shown in Figure 7.1, sets out the princi-

ples by which compliance assurance may be achieved.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 31/42

1. Designate the individual responsible for compliance assurance oversight

—Whereas many of the policy-type regulations may not appear to

change on a frequent basis, the supporting documents, technical speci-

fications, and current areas of concern do change over time. New laws

are also created, such as the new incident breach reporting laws imple-

mented as part of the HITECH Act (Chapter 13), where state-by-state

adoption of some form of the law is enacted. Similarly, when the HIPAA

privacy rule was being made effective, each state had groups that were

focused on creating a preemption analysis. Staying on top of these

changes and ensuring that someone is directing the security compli-

ance efforts is essential. In medium-sized organizations, this is likely to

be the manager or director of security, whereas in larger organizations

the chief information security officer, chief security officer, or security

officer is likely be responsible for ensuring that the security compli-

ance assurance activities are performed. The chief information officer’s

organization and the other business units carry out the mitigation

work as appropriate.

2. Establish a security management governing body—To achieve support

for the implementation of security policies throughout the organiza-

tion and to ensure that the security policies do not disrupt the business,

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 32/42

it is advisable to establish an information security council. Councils

made up of representatives from IT, business units, human resources,

legal departments, physical security, internal audit, ethics and compli-

ance, and information security can be effective in achieving compli-

ance with the regulations. Their oversight and interaction provide

feedback as to whether the security activities planned are feasible and

whether there is a high probability of compliance success.

3. Select control framework and standards—The frameworks mentioned,

such as COSO, ITIL, ISO 17799, COBIT, NIST, and FISCAM, offer an excel-

lent place to map the security controls that are in place to the frame-

work, uncover the gaps in compliance, and create action plans to in-

crease the security assurance with these objectives. Multiple control

frameworks can be selected for different levels of detail. For example,

COBIT may be selected to provide a governing framework, whereas ISO

17799 controls maybe mapped to the framework (already available

from the IT governance institute) and then linked to the NIST control

objective families and supported by the Defense Information Systems

Agency (DISA) STIGs. The mapping provides a mechanism to review

how a set of technical controls supports the higher-level statements in

the other frameworks. The same controls serve multiple purposes.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 33/42

Comprehensive frameworks are created through this process, enabling

the other compliance assurance activities.

4. Research and apply technical controls—There are many approaches at

the technical level for being compliant with the control objectives.

Analysis must be performed to determine the best control based upon

the risk profile of the organization. For example, achieving compliance

with a requirement to provide adequate off-site backups of informa-

tion in the event of a disaster could be achieved in a small regional of-

fice by placing a daily tape in a fireproof safe and rotating the weekly

tape off site. Alternatively, a small office may decide to store the

backup tapes remotely with a tape storage facility, transmit the backup

information securely over the Internet for backups, or assign an indi-

vidual to take home the backup tape nightly. Each of the scenarios has

its own costs and risks inherent in the control selection.

5. Conduct awareness and training—The documented security policies

and procedures are necessary; however, if individuals do not truly un-

derstand their responsibilities to comply with the security controls, the

likelihood that the appropriate processes will be followed is greatly

diminished.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 34/42

6. Verify compliance—Vulnerability assessments, penetration testing, and

internal audit reviews of the security controls ensure that the policies

and procedures that were created are being followed. Implemented se-

curity on the computing platform can be tested and compared with the

documented baselines, configurations, and change control records to

provide assurance that the security controls are being maintained per

the requirements implemented through the control frameworks.

7. Implement a formal remediation process—When weaknesses in the se-

curity controls are discovered through internal audits, external audits,

vulnerability assessments, risk assessments, or other internal reviews,

the issue must be logged and tracked to completion. Accountability

should be placed at a middle management or senior management level

to ensure the appropriate attention and priority are placed on remedy-

ing the issue. Completion dates must be assigned (preferably no later

than 90 days after creation of the action plan). Documentation of the

remediation (evidence) must be provided when the issue has been re-

solved. The existence of formal tracking of the security issues provides

the assurance that security is an ongoing, management-supported

process.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 35/42

8. Dedicate staff, automate compliance tasks—Compliance initiatives are

very time consuming and drain the organization of resources to collect

evidence, provide explanations, participate in interviews, and locate

the policies and procedures that support the regulations. Without an

organized automated process, this activity becomes even more chal-

lenging and time is wasted on inefficiencies. The same information

may be requested multiple times to answer similar questions, where

one report may have provided a reasonable answer. Initially, more

staff should be allocated to the compliance efforts to provide a focus to

the activity. When the compliance tasks are added to the regular jobs of

predominantly IT staff, they may be given lower priority and re-

sources. As automation increases, the staff required to support the

compliance efforts should either remain constant or decrease. A con-

stant staff may be needed to ensure that the new regulations and

changes are adequately addressed.

9. Report on compliance metrics—Dashboards of red, yellow, and green,

or heat maps are useful tools to demonstrate where security is weak

within the organization and where more focus should be placed. These

metrics should be reported in a manner that is meaningful to the busi-

ness, such as unavailability issues, which could impact major, mission

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 36/42

critical applications, or confidentiality concerns that may affect the

consumer trust in the brand.

10. Enforce penalties for noncompliance to policy—Does one grin and bear

it when the security control objectives are not followed or grit one’s

teeth? This is one area that needs teeth! There must be sanctions in

place for those that do not follow the security policies. Associates must

also be trained that compliance with the security controls is part of

their job responsibilities. The individual responsible for compliance as-

surance must ensure that the guidelines are established for sanctions

and that the appropriate parties follow through with the sanction

(which may be the manager, and legal and human resources

representatives).

11. Collaborate and network externally—Many organizations must comply

with the same regulations. Why not leverage that experience? Working

with peers within the industry vertical for dealing with industry-spe-

cific regulations and acrossindustries for understanding various meth-

ods to implement the control frameworks, standards, and technical

controls can be invaluable. For example, nonprofit organizations, such

as the HIPAA Collaborative of Wisconsin, were formed to bring to-

gether healthcare providers, payers, and clearinghouses to discuss ap-

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 37/42

proaches to implementing HIPAA. The presentations, network contacts,

and information sharing that happen are phenomenal. Attending con-

ferences and industry associations such as the Information Systems

Security Association (ISSA), Information Systems Audit and Control

Association (ISACA), Computer Security Institute (CSI), Management

Information System Training Institute (MISTI), SANS (SysAdmin, Audit,

Network, Security) Institute, and others helps to gain a common under-

standing of the regulation and implementation approaches. This also

provides input as to what the herd is doing to be compliant with the

regulation.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 38/42

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 39/42

1.

Figure 7.1 11-Factor Security Compliance Assurance Manifesto.

The Standards/Framework Value Proposition

Control frameworks and standards provide the roadmap to build a suc-

cessful information security program. Once in place, continuous review

of the policies, standard operating procedures, and implementation of the

controls will enhance the effectiveness of the program. Monitoring

through audits accompanied by corrective actions and tracking enables

refinement of the control framework and standards to reduce the risk of

a security event impacting the business in a significant way. Think of the

various security control frameworks as each contributing in some way to

the infrastructure of a super six-lane freeway. Rather than manage our

security programs by ourselves, on an old gravel road at 20 miles per

hour, it is time to get on the superhighway supported by the strong

plethora of control frameworks and standards and enjoy the ride!

Suggested Reading

Federal Information Security Management Act of 2002 (FISMA). November 27,

2002. http://csrc.nist.gov/groups/SMA/fisma/index.html

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 40/42

2.

3.

4.

5.

6.

7.

8.

National Institute of Standards and Technology (NIST), Special Publications,

http://csrc.nist.gov/publications/PubsSPs.html

National Institute of Standards and Technology (NIST). August 2009.

Recommended security controls for federal information systems, Special publica-

tion 800-53. http://csrc.nist.gov/publications/PubsSPs.html

National Institute of Standards and Technology (NIST). July 2008. Guide for assess-

ing controls in federal information systems.

http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf

Defense Information Systems Agency (DISA), Security technical implementation

guides (STIGs), http://iase.disa.mil/stigs/stig

National Security Agency, Security configuration guides, http://www.nsa.gov/snac

International Organization for Standardization (ISO). ISO/IEC 27001:2005

Information security management systems—Requirements.

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=42103

International Organization for Standardization (ISO). ISO/IEC 27002:2005

Information technology security techniques—Code of practice for information se-

curity management.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 41/42

9.

10.

11.

12.

13.

14.

15.

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?

csnumber=50297

U.S. General Accounting Office. January 1999. Federal Information System

Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6.

http://www.gao.gov/special.pubs/12_19_6.pdf

U.S. Government Accountability Office. February 2009. Federal Information

System Controls Audit Manual (FISCAM), GAO-09-232G.

http://www.gao.gov/new.items/d09232g.pdf

Information Technology Infrastructure Library, http://www.itil-official-

site.com/home/home.asp

Tolle, E. 2005. A new earth: Awakening to your life’s purpose. New York: Penguin.

PCI Data Security Standards Council,

https://www.pcisecuritystandards.org/security_standards/documents.php

International Register of ISMS Certificates, http://iso27001certificates.com

Fitzgerald, T 2008. Compliance assurance: Taming the beast. In Information secu-

rity handbook, H. Tipton and M. Krause, eds., chap. 28. Boca Raton, FL: Auerbach.

4/23/23, 2:41 PM Chapter 7 Security Compliance Using Control Frameworks | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/018-9781466551282-007.xhtml 42/42

16.

17.

18.

19.

20.

IT Governance Institute. 2000. COBIT® framework: Governance, control and audit

for information and related technology.

TSA urban legends (nail clippers, knitting needles and corkscrews). 2009. TSA Blog

(May 9). http://blog.tsa.gov/2009/05/tsa-urban-legends-nail-clippers.html

Lighters, nail clippers and lithium batteries. 2008. The TSA Blog (January 31).

http://blog.tsa.gov/2008/01/lighters-nail-clippers-and-lithium.html

IT Governance Institute. COBIT® 4.1, http://www.itgi.org

Committee of Sponsoring Organizations of the Treadway Commission (COSO).

1992. Internal control—Integrated framework.