Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/8/2019
11:30 AM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
100%
0%

7 Considerations Before Adopting Security Standards

Here's what to think through as you prepare your organization for standards compliance.
Previous
1 of 8
Next

ISO 27001. PCI DSS. GDPR. When it comes to business and security standards, it's easy to get lost in the alphabet soup of acronyms.

How can you discern which ones are right for your organization? Start by asking some high-level questions as to what you hope to accomplish by adopting them – and how adhering to standards can help your growth, says Khushbu Pratap, a senior principal analyst at Gartner who covers risk and compliance.

"The most important questions to ask [are]: Are your customers asking for it, and do your stakeholders think a particular standard is important?" says Pratap.

Assuming the answers are yes, there are additional factors to think through before moving ahead with a strategy for compliance. The seven practical tips outlined in this feature will help. Heavily regulated organizations typically have special teams that work on these standards, but even for them, use this list as a chance to take a step back and better target your standards compliance and certification teams.

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
 

Recommended Reading:

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkL199
50%
50%
MarkL199,
User Rank: Apprentice
10/23/2019 | 4:59:45 AM
ISO 27001 used as a Framework
I agree with the article in that you really need to understand the business drivers, but I also think that a vast majority of business would be best served using ISO 27001 as their Information Security Management System. This gives the framework for their security program as a whole, from the creation of policies to performing compliance activities. I would not even consider certification, unless there is an overwhelming need. The next decision is whether to use the controls contained within ISO 27001, or take the opportunity to swap out more suitable controls (e.g. NIST, CIS20, ISF, PCI DSS etc.). The good thing about ISO 27001 is that it does give a wide coverage of controls across a security program, such as covering non IT-related area's most other controls don't (e.g. policies, people, physical etc.) However, ISO 27001 can be a bit high level and not detailed enough, even if using ISO 27002. This is where tailoring your controls either by using say NIST SP 800-53 across your enterprise, or specific requirements (e.g. PCI DSS). I personally like to use ISO27001 as the framework and also utilise the non-tech controls contained within. Then I would bring in more specific controls to cover the technical side, cloud specific, privacy, IoT etc. My concern about going straight to NIST is that although they are excellent controls, they are designed for information systems and therefore focus on the IT security side and not really a holistic information security program. Lack resources, time, or just need to get some technical controls in fast? I would go with CIS20 controls as they are very easy to follow and lead you through a three stage maturity process.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4590
PUBLISHED: 2020-09-21
IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
CVE-2020-4731
PUBLISHED: 2020-09-21
IBM Aspera Web Application 1.9.14 PL1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188055.
CVE-2020-4315
PUBLISHED: 2020-09-21
IBM Business Automation Content Analyzer on Cloud 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the i...
CVE-2020-4579
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.
CVE-2020-4580
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.