This page grew out of my article on security policies for the Tripwire State of Security Blog.
When I started to talk about security standards and good practice guidance it got too big too quickly (it’s pretty hefty as it stands!), so it links to here. This is the pertinent excerpt:
What security policies should NOT be – PROPRIETARY
Even if you are not a financial services firm, healthcare provider, supplier to governments, or a payment card processor, it’s not advisable to make up your ‘own brand’ policies. That’s ok until you need to do business with a more regulated client. Think forward. You need to make policies relevant to YOUR business, but recognised standards as frameworks for control add credibility and enable easier negotiations….
….mandatory legal and regulatory requirements and other focused guidance for specifics like cloud security and web app security. Rather than clutter this article, I’ve saved a starter for 10 list on my blog.
and so this was born…
A starter for 10 for creators and implementers of policies, assessments, audits, due diligence materials, procedures, awareness initiatives and more general security related stuff.
CAVEATS: It is not exhaustive and has a strong UK bias. Do verify information yourself before using it and please, without hesitation, ping me with corrections or additions (especially free sources of information and anything that gives practical insight into implementing any of this). Information is (as far as possible) current to the last revision date, or the date on linked resources. It is likely to become a living page I’ll add to over time.
Why did I bother?
I remember my earliest days in IT (mumble mumble years ago), when much guidance for security was very niche, immature or non-existent. The same applied to internet speeds, search tools and many of the open online resources we now lean on so much. I was in a support firm too small to employ a security specialist, or to need enterprise class security (the same as the SMBs on our client list).
Even then (often while under a desk up to my elbows in a computer, or tracing network cables), I remember feeling driven to do the right thing security-wise for the businesses we supported. Most seasoned pros will know and have access to all of this. It is more for folk in smaller firms, people starting out, or folk outside security with a vested interest. It’s to ease that ‘where do I start’ and ‘have I missed something’ angst when there isn’t an experienced body on hand to add perspective (back then I would have killed for the social media contacts I have now!).
REVISION DATE: 14th March 2015
Mandatory Stuff (for reference if not applicable to your organisation)
National Data Protection Law – Country specific. Worth noting that Information Commissioners frequently collaborate with other regulatory and legal bodies. For example, in the UK the ICO has shown a tendency to refer investigations to financial regulators (the FCA or PRA – formerly the FSA) if there’s crossover and it’s linked to a high impact/high profile incident. It’s because financial regulators can impose operational sanctions on businesses and levy bigger fines.
The UK Government summarises principle 7 of the Data Protection Act as ‘keep data safe and secure’, but doesn’t go into detail on the specifics of ‘secure’. However, it has a huge knock-on effect for us, especially for:
- Access control,
- On/offshore data transfer,
- Data retention requirements – you can’t keep data beyond the point where a business justification can be shown,
- Use notification requirements – you have to tell individuals up front what you plan to do with their personally identifiable information (PII) if you collect it. That has been robustly complicated by marketers scooping lakes of publicly available personal data from social media, permission hungry mobile apps and digital business in general.
- Third parties receiving data, and
- Notification requirements and business implications of incidents involving personal data.
EU Data Protection Law – applicable to member states (although the current UK government would like to selectively change that). As with the UK DPA, security has a very non-specific place in the EU’s judgement of adequate security for personal data. Brussels is struggling to implement new requirements and put oversight in place for them (a long-standing issue), but that space must be watched by firms who could be impacted.
Other Laws – the link takes you to a 2 or 3 year old document from Bristol University (there’s a dearth of this kind of thing outside consultantville, but the search goes on). It gives a simple rundown of most other laws touching on security. Some are bulleted below. Where there are no specific links I recommend a search on the Out-Law site (the Pinsent Masons law firm makes a significant amount of very useful news and guidance available about privacy, security and data protection law):
- RIPA (The Regulation of Investigatory Powers Act), which sets out the limitations, oversight and controls required if you want to surveil and monitor people’s online or offline activity. That applies equally to how you digitally and physically oversee staff.
- The Data Retention & Investigatory Powers (DRIP) Bill & Successors – with potential implications for all handlers of electronic communications.
- Anti-Terrorism legislation
- The Right to be Forgotten,
- The Computer Misuse Act,
PCI DSS (Payment Card Industry Data Security Standard) – Not mandatory unless payment cards are processed, and there are different levels of compliance linked to transaction volumes, but widely acknowledged as good practice for technical controls and particularly (sometimes overly?) granular.
G-Cloud – Mandatory for cloud vendors supplying the UK government. The linked G-Cloud content is now (as of January 2015) archived. It refers to CloudStore, the old aggregator for government cloud offerings. That is now the Digital Marketplace, but the Digital Marketplace landing page is in Beta. In terms of requirements and accreditation, to the best of my knowledge they are still correct. Suppliers are also asked to complete an ICO DPA checklist.
FedRAMP – The US Government standard for suppliers to them. Security requirements are based on NIST security benchmarks (currently NIST SP 800-53 Rev 4 – the link downloads a Word version of the standard). Not a bad thing to ask US firms about, given the lack of any useful assurance from things like Safe Harbor (more on that below).
Cyber Essentials (Private Sector) – Higher level and now mandatory (with caveats) for others supplying the UK government.
Healthcare Specific Information – WIP
Financial Services Specific Information – WIP
Beyond mandatory stuff (some standards and private/public sector sources of guidance on control and good practice)
Cyber Essentials (Charities) – Give A Day is a not for profit initiative set up by security pros. Its mission is to provide the kind of high quality help the charity sector may otherwise find uneconomic or hard to find. They now have the go-ahead and backing from the UK Government to provide support, online resources and training to charities who want to become Cyber Essentials certified. They can also provide more general advice via the same route. Do get in touch via their site if you think Give A Day can help you, or, CRUCIALLY, if you would like to become a sponsor – all security pros, including myself, volunteer their time.
ISO (International Standards Organisation) – internationally recognised standards, with the ISO27000 family being the information security ones.
- ISO27000 – Link to a free toolkit provided by members of the ISO27k forum. Includes a free overview of the ISO27000 standard family.
- ISO27001 – The standard for creating an Information Security Management System
- ISO27002 – Good practice security guidance for risks and controls that your ISMS might identify.
- ISO22301 – The Business continuity standard.
- ISO27302 – The cybersecurity standard (mainly internet security focussed)
- Other ISO standards with a toe or more in the security camp
NIST (National Institute of Standards & Technology) – lots of guidance and recommendations for cyber/computer security, secure architecture and the more general world of tech. As mentioned above, FedRAMP refers out to NIST for the required controls.
SANS – Link to the SANS 20 Critical Security Controls (demonstrably a subset of the comprehensive catalogue defined by NIST in their SP 800-53 standard), but SANS.org as a whole has a vast range of advice, information and training on technical and procedural security. Most recently this includes some specialist information on Securing The Human – an often forgotten area where you should include provision in policy.
OWASP (Open Web Application Security Project) – respected guidance on security for web applications
CSA (Cloud Security Alliance) – A great free source of security guidance for cloud developers/vendors and consumers of their services and products.
- The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security Trust & Assurance Registry) program in 2011. Suppliers voluntarily publicise information about their security controls and practices, so more and less risk averse firms can locate a provider matching their regulatory and local control requirements.
- Their Cloud Controls Matrix is another good template for assessing vendor security.
Other useful links, sites & stuff:
ISO27000 Practitioner Insights – Dejan Kosutic (@Dejan_Kosutic) provides excellent insights into security and business continuity focused ISO standards. For example “6-step process for handling supplier security according to ISO 27001”.
Supplier Security Governance – This is one of my specialist areas of expertise and in the articles below you will find a wide range of links to good practice advice and my own take on what good vendor governance should look like:
- The Game of Clouds – How to procure and stay secure
- Target, AT&T and Tears – Ways to get a grip on supplier risk
- Security: One character can make all the difference
- Perspective on 512k Day, Internet Capacity & Your Cloud
FAIR (Factor Analysis of Information Risk) – Methodology for top down security risk assessment. It hones available risk metrics to help stakeholders put a monetary figure on current risk and business risk appetite. The link takes you to the OpenGroup free information on FAIR. CXOWare is the risk management software built around FAIR.
NB/ This does not answer the challenge of bottom up risk assessment (as discussed here), but does aid the process of scaling risks to prioritise where most control is desired for policy formulation.
Passwords – Articles outlining current challenges with identity verification and authorisation, and pointing to standards for good password choices for both systems and users:
- Passwords: Long? Strong? Keep Getting it Wrong? – Here on Infospectives
- How To Discover How Secure Your Password Is [TOOL] – Security FAQs
The Analogies Project – A valuable source of material and advice for raising awareness of information security. Their mission in their own words: The aim of the Analogies Project is to help spread the message of information security, and its importance in the modern world. By drawing parallels between what people already know, or find interesting (such as politics, art, history, theatre, sport, science, music and every day life experiences) and how these relate to information security, we can increase understanding and support across the whole of society.
I Am The Cavalry – Similar to The Analogies Project, in that it is a volunteer organisation with content put together by professionals, which aims to simplify and remove the FUD from security. Their strapline is “Technology worthy of our trust”. Their focus, as that suggests, is somewhat more technical, but with a good holistic spread of advice, links to excellent resources and articles. Very much recommended.
Mobile Device Security – Various articles and information sources about mobile device risks and secure usage of removable storage and mobile devices.
- Mobile Devices: STOP, THINK, CONNECT – Stay Safe Online
- Businesses At Risk From Unreported Mobile Device Theft – PCWorld
- REPORT: 23% of consumers save banking credentials on multiple mobile devices – IT Pro Portal
- Ever Lost Your Phone? – My take on the pain involved and ways to avoid it
- Why Your USB Flash Drive Is Ripe For A Hack Attack – Venture Beat
- Should I Be Worried About Carrying Sensitive Data On My Flash Drive? – Security FAQs
- Is Your Mobile Device Secure? – Information Security Buzz
US Safe Harbor Scheme – This isn’t here because it’s a source of security advice or a standard. Safe Harbor is an EU-US joint agreement advertised as providing EU firms some comfort that personal data of EU residents will be afforded some data protection during storage and transfer while under the care of scheme members. There is a frequent and dangerous misconception that hosting data with a ‘Safe Harbored’ US vendor confers some kind of guaranteed security. It does not. The link at the top takes you to a detailed run down on history, limitations and advice.
The ISF (Information Security Forum) – A well-respected independent source of security advice on good standards for security and providing resources like their Supplier Security Evaluation Tool (available to all security professionals on request).
Threat Assessment – For now just linking to something of mine: Dynamic Cyber Threat Intelligence – Pretty, but potentially pointless. It looks at how threat data and threat intelligence fit into your overall security and risk environment. To add to this section, any and all practical advice to help build a good policy and process is welcome.
Vulnerability Management – WIP
Social Media Security – WIP
Incident Management & Response – WIP
Internet of Things: Considerations – WIP
More soon! Where things are Work In Progress (WIP), it’s not for a lack of good content, it is just down to time restrictions in the timeframe for getting the policy article published. You are more than welcome to speed the process of updating by sending in those links 🙂