In truth, compliance-based security rarely provides effective protection against determined attacks. This was clearly the case in the recent breaches of retailers Target, Neiman-Marcus, and Michaels Stores.
Compliance requirements like the Payment Card Industry (PCI) Data Security Standard (PCI/DSS) give the illusion of reasonable security. This is not to say that these requirements do not reduce risk -- because they certainly do. They are merely incomplete because they fail to provide flexibility or the means to adjust according to a company's true security needs. An effective information security program requires a framework that allows a company to adjust based upon both the risks faced by the company and the market vertical the company serves.
Security is simply another business risk like shareholder, market, and customer risk. Risk by its very nature is never black and white, but gray. In dealing with risk-based decisions, executives must look at the best information they can find and make the most reasonable decisions they can, given their current situations. This reasonableness is the cornerstone of not only business operations, but also Western case law, which is founded upon the "reasonable person" standard.
What that means in the context of enterprise IT is the answer to the question: Has the organization done what a reasonable person would do to protect sensitive information? Recent court decisions clearly demonstrate that simply meeting an industry-compliance requirement, like PCI, is insufficient in meeting the reasonableness standard. The courts want to know whether corporations have done what is reasonable for their companies or industries versus whether they have they simply met a compliance prerequisite.
The challenge for security professionals is how to bridge this gap. Is there a way to combine the flexibility of ISO 27000 with the stringent requirements of PCI? Many chief information security officers are faced with two competing directives: Adopt the ISO 27000 framework and improve PCI compliance. The former is designed as a security framework -- plan, do, check, and act -- based on the groundbreaking work by consultant and statistician W. Edwards Deming. It’s meant to be a constantly evolving and improving standard.
PCI, on the other hand, is actually a subset of ISO 27000 security controls focused on the credit card payment zone, generally defined as anywhere on a network credit card information traverses and/or is stored. The answer to connecting the two seems to lie in the origins of PCI. Since PCI started with ISO 27000 security controls, then why not simply cross-pollinate them with one another?
ISO 27000 breaks information security into ten areas of focus and labels them from four to fourteen. Each of these has multiple security controls that provide specific guidance to reduce an organization's risk profile. They include:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
PCI has two compliance sections: technology controls and administrative controls. While ISO 27000 does little in meeting PCI’s administrative requirements, it lines up very well with the technology controls that revolve around the PCI payment zone. Thus, the controls imposed on the network from ISO 27000 can also apply to those mandated by PCI. Simply add PCI as the eleventh category to the ISO 27000 framework (category 15) and cross-reference the requirements for items such as physical security, anti-virus, wireless usage, and software development with those of PCI.
This will allow an organization the flexibility of ISO 27000 and still meet the requirements of PCI. While not a perfect marriage, it should certainly improve your security stance.
Tom Bowers has 30 years of experience in the field of computer technology and information systems. He has served as the chief architect for information security structures and protections in numerous industries.