- Why We Need a Code of Basic Information Security Management Practices for IT Organizations
- Basis of The Code of Basic Information Security Management Practices for IT Organizations.
- How an Organization Can Use the Code.
- How an IT Service Provider Can Use the Code.
- Does SecureTheVillage Certify IT Organizations as Compliant with the Code?
- If My IT Organization Meets the Code, am I Fully Protected?
- What the Code is Not.
- Does the Code Require an IT Organization to Fully Implement the CIS Controls?
- Why Doesn’t the Code Require an IT Organization to Fully Implement the CIS Controls?
- Is the IT Organization Required to Fully Implement Any of the CIS Controls?
- What if an IT Service Provider’s Client Doesn’t Want to Pay for a Control.
- I’m a 1-Person IT Company. My Clients are Very Small Businesses. Basic as the Code is, it is Still Too Much. What Do I Do?
- Who is SecureTheVillage?
- How Does SecureTheVillage Assist IT Organizations?
- How Does SecureTheVillage Plan to Promote the Code?
Why We Need a Code of Basic Information Security Management Practices
We are in a time of crisis. Equifax. Target. The Democratic National Committee. Sony. Netflix. HBO. Yahoo. Hotel Chains. The Office of Personnel Management. The list goes on.
Current estimates are that more than 40% of cyber crime victims are the small and medium-sized businesses that make up the Los Angeles Economy. And while some estimates say that 60% of these victims are out of business in 6 months, At minimum, a small business victim loses cash flow, profits, and strategic momentum.
Welcome to the new normal. Where cybersecurity is not a problem to be solved but—like ordinary crime and like hurricanes, fires, and earthquake—a situation to be managed.
And one of the most important areas where cybersecurity needs to be proactively managed is in the interface between the IT organization and the Executive suite.
In December 2014, following the cyber-attack on Sony by North Korea, retired Air Force Major General Brett Williams, was on This Week with George Stephanopoulos. Williams responded as follows to George’s question of “what do you say when a company comes to you and asks what should we do?”
The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers.
Too frequently, as we hear repeatedly when organizations get breached, executives have significant room for growth in knowing the cybersecurity questions to ask and understanding the answers.
Making matters more challenging, the Executive suite historically has tasked the IT organization to keep the systems up and the information flowing. While Executives have expected IT to secure things, the priority placed on keeping information flowing has impacted cybersecurity resources and budgets.
This has meant, in turn, that no matter how good or how expert an IT organization became, its cybersecurity focus was secondary to its primary mission to keep the information flowing.
One need look no further than the ransomware crisis to see that—in the new normal—this is no longer sufficient. Cybersecurity can no longer be the poor stepchild.
We have got to do better … And we can … The Code is an important tool for doing it.
The Code of Basic Information Security Management Practices for IT Organizations is designed to give an Executive the ability to go to her CIO, ask the right questions, and understanding the answers. The Code is designed to bridge the all-too-frequent language barrier between Executives and their IT organizations.
The Code is designed to provide transparency in the information security management practices of an IT organization. It frames the information systems security questions and answers that an executive needs to know: “Does this IT organization protect my information in accordance with basic information security IT management practices?”
- The security of a company’s information systems can be no better than the security provided by the IT organization. IT Organizations hold the keys to the corporate kingdom.
- COOs, CFOs, and other managers of the IT management function have neither the time nor the technical understanding to know what all the IT jargon means. Executive management needs a simple way to assess if its IT organization is properly managing security of its information.
- Cybercriminals are actively targeting IT organizations as a means of breaking into their clients.
- There is great variability in the security management practices of IT organizations.
- SecureTheVillage’s initiative lets the good ones stand out while providing direction and encouragement to those wanting to step-up.
- And our initiative provides the managers of the IT management function to ‘just say no’ to IT organizations unwilling to grow.
Basis of The Code of Basic Information Security Management Practices for IT Organizations
The Code of Basic Information Security Management Practices is based on both technical and legal frameworks.
Primary Information Security Management Frameworks: The Center for Internet Security Controls.
The Code draws extensively from the Center for Internet Security’s Critical Security Controls (CIS Controls). The CIS controls form a set of prioritized best practices to address the most common cybersecurity threats and vulnerabilities facing organizations today. The concept behind the CIS controls is that they are developed and maintained by an open community of expert practitioners who apply their real-world experience as defenders to create practical and actionable security guidance.
From the CIS Controls FAQ:
The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense V 6.1 (CIS Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense.
It is in this same open community spirit that SecureTheVillage has built upon and tailored the CIS Controls, not to be a set of best practices but of basic practices. A floor, not a ceiling. We are grateful to CIS for their support of SecureTheVillage.
Other Information Security Management Frameworks
How an Organization Can Use the Code.
An organization can use the Code in several ways.
- Include the Code in their RFQs.
- Only hiring outside vendors who meet the Code.
- Use familiarity and competence with the Code as part of the recruiting and selection criteria in hiring IT people.
- Expect their internal IT organizations to meet the Code.
How an IT Service Provider Can Use the Code.
An IT service provider can leverage the Code in several ways:
- As a performance barometer and set of standards that they use to manage their own information security and the information security of their clients.
- By documenting its implementation of the Code, IT service providers can demonstrate to their customers and clients the steps they are taking to secure their clients’ sensitive and critical information.
- Help educate their customers and clients on basic security management practices.
- For competitive advantage by committing to the Code in their service agreements.
Does SecureTheVillage Certify IT Organizations as Compliant with the Code?
SecureTheVillage does not certify IT organizations as compliant with the Code.
SecureTheVillage is not responsible for reviewing, or assessing, or monitoring an IT organization’s security practices or its adherence to the Code.
If My IT Organization Meets the Code, am I Fully Protected?
No. No matter what you do, you are never fully protected. This is the new normal.
There is no 100% security, nor is that the objective of the Code. In fact, recognizing this truth is, perhaps, the most important thing any business executive must do. It’s vital, for without it, executive management is unlikely to devote sufficient management attention to the cybersecurity challenge. As Benjamin Franklin said, distrust and caution are the parents of security.
The Code is designed as a baseline, a ‘floor’ so to speak, for IT organizations. It’s not intended to set the bar. It’s intended, instead, to establish a documented floor, a minimum set of information systems security management practices.
The floor is designed to be so basic that an IT organization should feel embarrassed if it isn’t doing these things and an executive should refuse to countenance an IT organization whose security practices don’t even meet these basic information systems security management practices.
All the caveats above notwithstanding, the Center for Internet Security, one of the sources for SecureTheVillage’s Code says that “studies show that implementing the First 5 Controls provides an effective defense against the most common cyber attacks.”
What the Code is Not.
The Code is not intended as a replacement or alternative to regulatory and contractual frameworks such as, for example,
- HIPAA HITECH
- FTC security and privacy regulations
- California cybersecurity and privacy laws
- California breach disclosure laws
- New York State Dep’t of Financial Services Cybersecurity Requirements For Financial Services Companies
- Payment Card Industry Data Security Standard
These regulatory and contractual frameworks establish a standard against which affected organizations are expected to comply.
Meeting the Code is a step in the right direction towards becoming compliant with these cybersecurity standards, but, by itself, the Code will not put you in compliance with other cybersecurity regulatory and contractual frameworks.
The Code, as we’ve described, isn’t a standard but a floor, a baseline. The Code represents the least that an IT organization needs to provide its clients if it is to provide basic protection against today’s cyber-challenges.
Does the Code Require an IT Organization to Fully Implement the CIS Controls?
We don’t ask an IT organization to fully implement the 150 or so CIS controls. In fact, several of them are not appropriate for many of the mid-market and smaller business that make up the Los Angeles business and non-profit community. Rather, the Code makes sure that:
For In-House IT Organizations
- The IT organization has a formal Information Security Management Program that documents how it manages its organization’s IT security.
- The program is based upon the Code of Basic Information Security Management Practices, including the CIS controls, in accordance with commercially reasonable information security management standards appropriate for the organization, based on its given security-risk profile.
For IT Service Providers
- The IT Service Provider has a formal Information Security Management Program that documents how it manages its own security and protects its clients’ information.
- The program is based upon the Code of Basic Information Security Management Practices, including the CIS controls, in accordance with commercially reasonable information security management standards appropriate for the organization, based on its given security-risk profile and the security-risk profiles of its clients.
- The IT Service Provider educates its clients on the importance of the Code of Basic Information Security Management Practices and documents any client-requested deviations from its implementation of the Code.
- The IT Service Provider is transparent to its clients about how – and to what extent – it implements the Code.
- The IT Service Provider’s Service Level Agreement includes a statement that it adheres to the Code of Basic Information Security Management Practices.
Why Doesn’t the Code Require an IT Organization to Fully Implement the CIS Controls?
The Center for Internet Security describes its controls as global industry best practices endorsed by leading IT security organizations and governing bodies.
We don’t believe that it is economically appropriate for many of the small and medium size organizations that make up the Los Angeles Community to implement global industry best security practices.
To the contrary, we believe this is economically inappropriate for many of our small and medium size organizations. What we believe is feasible and what the Code provides is the minimum necessary commercially reasonable organization-based best practices. Whatever best practices means in your organization, if you’re not doing the basics, then what you’re doing can’t be called best practices.
As an example, the 20th of CIS’ controls requires an organization to conduct periodic Penetration Tests and what are called Red Team Exercises. When even a basic penetration tests can run upwards of $25,000, SecureTheVillage does not see this as commercially reasonable for many mid-market or smaller organization; certainly not for small companies.
We believe that an organization can and should use the CIS controls as a tool in implementing commercially reasonable security management practices, appropriate for an organization of its security-risk profile, taking into account its size and business circumstances.
And, it is this that we ask of the IT Organization: Have a documented information security management program, based upon the CIS Controls, together with the NIST and the ISO frameworks, as described below and include this program in your Service Level Agreement.
Is the IT Organization Required to Fully Implement Any of the CIS Controls?
Yes. There are some controls that are so basic that an IT organization should implement these as a basic matter of managing an IT environment. These are the IT security management equivalents of things like double-entry bookkeeping, what the information security industry refers to as basic cybersecurity hygiene. These are documented in the details.
What if an IT Service Provider’s Client Doesn’t Want to Pay for a Control?
There may be circumstances when a client doesn’t want to implement an organization’s controls.
An example might be the back-up and recovery solution recommended by the IT Service Provider. Another example may be the replacement of an old firewall that isn’t capable of meeting the CIS controls.
In these situations, the IT Service Provider is expected to document that the client isn’t implementing the organization’s recommended security posture.
We also expect the IT Service Provider to discuss these weaknesses at quarterly security reviews. This is an excellent opportunity for the service provider to assist the client come to understand the new normal.
I’m a 1-Person IT Company. My Clients are Very Small Businesses. Basic as the Code is, it is Still Too Much. What Do I Do?
Follow the Code meeting all the required controls. Large or small, the required controls are fundamental.
For those parts of the Code that are addressable, document how you address these in a manner that meets your clients needs.
Please contact us if you need guidance or if you need support in helping your client understand the importance of these controls.
Who is SecureTheVillage?
SecureTheVillage is a 501(c)3 whose mission is a cybersecure Los Angeles. We accomplish our mission through education and community-building, one business, one nonprofit, one government agency, one college and university, one citizen at a time.
We are pragmatic in our approach recognizing that an ounce of prevention is worth a pound of cure. As the annual Verizon security reports repeatedly demonstrate, significant security can be achieved by implementing the IT security equivalent of ‘basic hygiene.’
Most importantly, we believe passionately that our greatest need is to create a cybersecure culture here in our village. We are guided by the SecureTheVillage Leadership Council, leaders in the Los Angeles cybersecurity community who share our passion. The Council has been instrumental in developing the Code.
How Does SecureTheVillage Assist IT Organizations?
SecureTheVillage will maintain educational resources on our website for IT organizations. We also organize training and education programs for IT organizations wishing to implement the Code.
We encourage IT organizations to join with SecureTheVillage as part of our mission of a cybersecure Los Angeles. Together we can create opportunities where together we can raise the ‘village’s information security management capability
How Does SecureTheVillage Plan to Promote the Code?
SecureTheVillage will be promoting the Code in several distinct ways.
- Work with Civic and Professional leaders to promote the Code and encourage its use.
- Encourage IT service providers to follow the Code, including it in their agreements with customers.
- Provide an online library of educational resources for IT organizations wanting guidance on meeting the Code.
- Provide promotional and marketing opportunities to IT service providers who attest to SecureTheVillage that they meet the Code.
- Encourage the business and nonprofit community to do business only with IT service providers who follow the Code.
- Provide the business, nonprofit and government community educational Roundtables to help them use and understand the Code.