Posted by: David Schneier
assess, assessment, assessments, Audit, auditor, audits, CISO, community bank, control, controls, credit union, credit unions, data security, framework, information security, information security office, infrastructure, ISO, risk assess, risk assessment, risk assessments, risk management, risk-based
I had an interesting phone call recently with someone in a CISO-type position. They were looking for a consultant to help them keep a seat warm working with information security risk assessments and were hoping to find a resource with practical experience using the NIST 800-53 standard. It was the second such conversation I’ve had recently where a manager was looking for experience with a specific security framework (the other was ISO 27000). During the conversation I pointed out that while I’ve worked with the NIST standard previously I’ve also worked with the related ISO standard, PCI and all of the security related FFIEC guidelines. And of course beyond the frameworks and guidelines I’ve also been auditing since 1997 and have had to consider just about every known risk factor and dimension independent of an existing standard. So for me it’s all mostly semantics in terms of which framework anyone is using.
In the days since that conversation I’ve put some thought into the frameworks because in the end the aforementioned CISO was committed to finding the NIST experience and eventually did. But what did that really mean? Having fairly recently had the occasion to have both NIST 800-53 and the ISO 27000 documents in front of me it was striking how similar they both were with only a few obvious distinctions to be made between the two. Essentially the differences reflected more on the cultures that created them than the risk factors they were focused on (NIST = U.S.A and ISO = European). But information technology architectures fundamentally are identical the world over so despite formatting and spelling they both are addressing the same challenges whether or not they realise it. And for those of us who have familiarity with both, to know one is to know both, even if those who are committed to either one disagree. If you’ve worked on audit/assessment projects leveraging ISO 2700o material you’re immediately qualified to work on projects using the corresponding NIST framework and vice versa. And if you have experience working with PCI standards guess what? You can pretty much step in and work with either NIST or ISO content (except of course you have to expand your sights to include the entire infrastructure, not just on whatever touches PAN data).
My preference is that we would consolidate globally into the ISO frameworks where applicable and maybe even fit that in to the SSAE 16 process. I’ve read enough toothless SAS 70/SSAE 16 reports to know that it’s easy enough to rig the system to your advantage. And unless you’re a government agency that has to comply with NIST there’s little meaningful value to using NIST whereas being ISO 27000 certified carries a great deal of weight within the audit/assurance community. Plus there’s the added benefit of having InfoSec practitioners all getting trained and practiced at both building out ISO 27000 compliant solutions and also knowing how to test the related controls. Think about that, a single global security standard regardless of where you enter into the profession. Having run a few practices in my career and way more than my fair share of engagements I can tell you that has great appeal. Plus it would help eliminate awkward dialogues where my sixteen years of real and relevant experience is at least partially marginalized because it hasn’t all been with one particular standard.
Ultimately in the end a frameworks only meaningful advantage is that it theoretically ensures consistency in how controls are identified and assessed. If you have someone who knows a framework but doesn’t really understand the details within that sort of defeats the process anyway, no matter how robust or thorough it may be. Perhaps that’s why I consider it a non-issue when it comes to which frameworks a practitioner has used. I’d much rather work with someone who understands the technology and has a good feel for the details rather than someone who knows that SDLC is addressed in SA-3 for NIST or Section 12.5 for ISO 27002. But than again, I’ve always been more concerned with real risk, not perceived risk so this shouldn’t be surprising to anyone who’s read my content in the past.
A security framework by any other name would be just as comprehensive, you know what I mean?