June 12th, 2017 by Jerod Brennen
Privacy Rights Clearinghouse maintains a database of every data breach made public since 2005, and as the total number of records rapidly approaches one billion, board members, infosec leaders, and consumers are all asking the same question: Why does this keep happening?
It’s not like we don’t collectively understand how to secure our systems and networks. NIST maintains nearly two hundred special publications focused on computer security, and the ISO 27000 series contains dozens of standards for securing information systems.
What’s more, multiple industries have specific standards and regulations targeting information security and risk management controls. Retail has PCI. Healthcare has HIPAA. Education has FERPA. Energy has NERC. Financial Services seems to be bound to more information security standards and regulations than all other industries combined.
Still, the question remains: Why does this keep happening?
Three key factors
First, organizations of all sizes are drowning in the details. A 2012 Small Business Administration survey in the United States found that 99.7% of U.S. employer firms were small businesses. The sheer number of controls contained within existing information security standards and regulations can be daunting for large, multinational corporations. Expecting small and medium businesses to comply with those same standards and regulations is unrealistic.
Second, in an effort to remain independent, many of these standard and regulatory bodies focus on what controls need to be implemented, and not how to implement them. Many of these bodies offer the same control recommendations as their counterparts without providing the details organizations need in order to put those controls into effect.
Third, these control sets are often presented without any context around priority. With PCI, for example, organizations are either compliant or non-compliant, and many of those organizations struggle with how to prioritize individual control recommendations while striving to achieve the goal of 100% compliance.
Common Sense Security Framework (CSSF)
The CSSF is an open information security framework designed to help bridge these gaps by focusing on the fundamentals. The framework is divided into seven (7) areas:
Each protection area contains three (3) questions that organizations should be asking themselves about their information security controls. In a matter of minutes, organizations can evaluate themselves against the CSSF by answering Yes or No to the following twenty-one (21) questions.
Protect your applications
Scope includes web and mobile applications.
Protect your endpoints
Scope includes workstations, laptops, smartphones, tablets, kiosks, and removable media.
Protect your networks
Scope includes wired, wireless, cloud, and remote access (VPN) networks.
Protect your servers
Scope includes directory, file, web, application, and database servers.
Protect your data
Scope includes data at rest and data in motion.
Protect your locations
Scope includes headquarters, branch offices, data centers, and retail outlets.
Protect your people
Scope includes people who work for your organization, as well as people who work with your organization.
Organizations can prioritize their fundamental security control gaps by focusing on the No’s. The CSSF pairs each question with recommendations for free, open source, and commercial tools that could potentially help an organization quickly and cost-effectively shift each No to a Yes.
The CSSF counters complexity with simplicity. It counters independence with guidance. It counters uniformity with prioritization.
It’s important to note that the CSSF is not intended to serve as a replacement for any of the other existing regulations or standards. Rather, the CSSF serves as a primer of sorts, as a stepping stone between knowing the fundamentals and understanding how to implement them.
Similar to the Penetration Testing Execution Standard (PTES), the CSSF is a grassroots effort. The CSSF GitHub project contains the spreadsheet self-assessment tool, but additional resources (such as a collection of HTML bookmarks and specific how-to guides) are still under development. As organizations and security professionals continue to adopt and contribute to the CSSF, the framework’s effectiveness will continue to improve.
By shifting our focus to the fundamentals of information security, the CSSF could prove an invaluable tool in helping organizations shore up their defenses.
This article was previously published on June 5, 2017 in HELPNETSECURITY