Compliance, Best Practice, and Risk

I gave a presentation to the Central Texas chapter of the ISSA last Thursday, entitled “Comparing NIST’s Cybersecurity Framework with Best Practice“. When I sat down to put the actual slides together, I struggled with defining what “best practice” actually means. 

I believe the term has different connotations for different people. To me, it typically signifies practices that are commonly accepted as the right thing to do (an “industry standard”?), comprehensive, can be benchmarked against (both for internal performance and audit purposes), etc. But does best practice encompass the cutting edge of what might be possible in a certain area of expertise?

I have always considered ISO/IEC 27001 a best practice standard for the elements necessary to run an information security program, so that’s what I chose to compare the Cybersecurity Framework to in my presentation. (See also my earlier blog post.) But I would argue that even if you are compliant with a best practice standard, you aren’t typically done formulating your security management program. It’s a start. It’s much better than nothing. But:

When we are talking about compliance in the context of information security, the standards (or frameworks, or regulation) in question are typically bodies of work that contain — sometimes amongst other requirements — a catalog of security controls. Be that the controls in HIPAA’s security and privacy rules, the Framework Core in the Cybersecurity Framework, Appendix A in ISO/IEC 27001, … 

Even if you managed to come up with a catalog of any possible control that might apply to any possible operational environment, how do you know which controls are the most significant ones for mitigating a particular organization’s risks? Where should your priorities be? And how much effort should you invest into implementing any particular control?

These are questions answered by risk assessment and risk management activities. Risk is particular to individual organizations and their particular infrastructures, business objectives, operational environments, … Almost all security compliance frameworks contain “controls” requiring us to perform risk assessments and manage controls based on their outcomes. 

But it is easy to meet that requirement on paper by documenting a superficial risk assessment. Actively managing technology/IT risk in consideration of other business risks and overarching organizational objectives and exposure takes more than that. Which is what I tried to visualize with this little pyramid:

Maturity of Security Management Programs

The complete slide deck is available on Slideshare.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.