Tuesday, March 14, 2017

Before We Freak Out on Controls

In previous articles in this series, we’ve talked about three of the four legitimate ways of treating risk – avoiding, transferring, and accepting it – and one illegitimate way, ignoring it.  By “legitimate” I mean acceptable to a regulator or auditor under the right circumstances. I’ve purposely put off discussing strategies for mitigating risk, the fourth risk treatment, for two reasons.

First, most of the security industry – that pretty much means vendors – focus on controls, that is, ways to spend money to reduce risk.  That is understandable since vendors are in the business of transferring money from your pocket to theirs. You might never get the idea from a vendor that there is any way to treat a risk but by spending some money.  But as we have seen there are other ways.

Second, risk mitigation is a huge topic. It immediately leads us into a welter of risk management frameworks, standards, and control sets.  Among them are the ISO 27000 series, the U.S. National Institute of Standards and Technology special publications (the NIST SP series), the SSAE16 standard of the American Institute of Certified Public Accountants, the Payment Card Industry Data Security Standard (PCI DSS), the Control Objectives for Information and Technologies (COBIT) of the Information Systems Audit and Control Association (ISACA), and others.   All of them are quite happy to help you understand and implement their standards, always with hundreds of pages of documents and usually for a fee.

And that’s just the tip of the iceberg.  Unpack any one of them and you can easily find dozens or hundreds of what they call “controls.”  A control is simply something you do to reduce or limit risk.  Sometimes a single control leads to many individual practices or detailed specifications. Setting standards for security risk assessment is an industry unto itself.

As if the proliferation of standards were not enough, large heavily-regulated enterprises like financial institutions and healthcare providers are wont to visit on their suppliers customized risk-assessment questionnaires and processes, and these questionnaires can easily have hundreds of items.  The Standardized Information Gathering (SIG) questionnaire of the Shared Assessments Program has over 1,000 items at last count.

The language of the standards and questionnaires often conveys the distinct impression that every item is mandatory, despite statements to the contrary.  And of course they are all different enough to preclude a standardized response, but similar enough to offer a glimmer of hope for economies.

It can be a daunting challenge for the executive of a small- or medium-sized company who wants to win the business of “the bigs” in the industry.  How much of this stuff do I really have to do?  How do I even get my arms around the overlapping and seemingly conflicting demands of multiple customers and regulators?  Will I really lose the business unless I have all employees use different 15-character passwords for every system that they change every month, among scores of other items?

For the sake of the innovation, entrepreneurship, and competitiveness of the American economy, it is our mission to help the SMB executive navigate a path through this morass of standards.  Future articles will attempt to contribute to this mission.
