Legal Opinion

Data Security Is A Universal Challenge For Regulators

2nd September 2023

Sandip Patel KC

We Have Much To Lose

The stakes for data security are enormous. Data breaches are not only more numerous; they are more damaging. We are hurtling forward into a perilous future, with organisations collecting more data and with the consequences of its misuse becoming more dire, and even deadly.

Mikko Hypponen: “If it’s smart, it’s vulnerable.”

Role Of Data Security Laws

During the past two decades, policymakers have rushed out a body of law to address the worsening data security nightmare. The most significant development is the rise of data breach notification laws. But notification does not cure the harm; it merely informs people of the danger after the damage has been done. And so, despite data security law’s obsession with data breaches, the law does not seem to be reducing the size, severity, or number of breaches. The news is inundated with stories about data breaches that were readily preventable through rather inexpensive, non-cumbersome means.

Why aren’t data breaches slowing down? Why doesn’t the law seem to be making a difference?

My Argument

The premise of this talk is to reorient the way these problems are addressed by shifting focus beyond laws/rules and present an alternative, broader vision of data security policy through the application of specific sectoral standards on three areas: accountability, redress, and technological design. It is tempting to say to organisations: “Come on, just be more secure!” But data security is notoriously complicated and needs a great deal of calibration. Security measures come with difficult costs and trade-offs. It is also a delicate dance between technology and people. There are no absolute answers, as we are dealing with a continuum of risk and an ongoing cat-and-mouse game between attackers and defenders.

I contend that there is a better and central role for the standards approach to play.

Understanding differences

While policies define “what” an organisation needs, standards take this a step further and define the “how.” The policy sets the boundaries within which the standards must operate. Standards may also refer to guidelines established by a standards organisation, drawn from one of the many control frameworks and accepted by management. Guidelines are discretionary or optional controls. Standards are voluntary, regulation is mandatory.

In practice, organisations usually rely on data security frameworks and standards when determining what security practices and safeguards they should be implementing. Examples include National Institute of Standards and Technology (NIST) SP 800-53 and the International Organization for Standardization (ISO) 27001. Organisations that fully conform to such standards tend also to be the ones that comply with regulation. The problem is that companies often have strong incentives to implement these standards as checklists, with scant regard to the human side of the equation. Compliance efforts often falter by focusing on quantity rather than quality. Another criticism is that these “best practices” are too rigid. Security threats are evolving, and best practices for security change constantly. There may be items on a list that don’t quite fit specific organisations or contexts.

ISO 27001 gives you a best practice management framework for implementing and maintaining security. It also gives you a baseline against which to work - either to show compliance or for external certification against the standard. However, compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organisation.

If your risk assessment is flawed, if you don't have sufficient security and risk assessment expertise, or if you do not have the management and organisational commitment to implement security, then it is perfectly possible to be fully compliant with the standard and yet insecure.

So, what's missing?

You need to decide on a risk method and implement a risk assessment, select your security controls and ensure that these are adequate to meet the security needs of your organisation. This requires information risk management and security expertise to implement. ISO 27001 does not tell you how to do this, but rather provides a framework within which to do it.

Furthermore, whilst ISO 27001 provides a list of controls in Annex A, this list is not meant to be exhaustive. In conjunction with ISO 27002 (formerly ISO 17799) it provides guidance on the controls that you should consider.

However, it does not provide detailed guidance for your organisation, the information that you handle, and the systems that you use. Again, security expertise is required both to implement an information security risk assessment and to define the required security controls.

It is perfectly possible to implement an ISO 27001-compliant information security management system (ISMS) without adequately addressing information security. This can either be 'designed in' to the ISMS by management accepting high risks (rare); or can arise from inadequate risk assessment or poor selection or implementation of security controls (common).

Compliance or external certification to ISO 27001 does not mean you are secure - it means that you are managing security in line with the standard, and to the level you think is appropriate to the organisation.