Determining Data Security Controls
Determining which data security controls to employ is a critical skill. Baselines, standards, scoping, and tailoring are used to choose and customize which controls are employed. Also, controls determination will be dictated by whether the data is at rest or in motion.
Certification and Accreditation
Let’s begin the discussion of standards by describing certification and accreditation. Certification means a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system. Accreditation is the data owner’s acceptance of the certification, and of the residual risk, which is required before the system is put into production.
Standards and Control Frameworks
Several standards are available to help determine security controls. Some, such as PCI-DSS (Payment Card Industry Data Security Standard), are industry-specific (for example, for vendors that accept credit cards). Others, such as OCTAVE®, ISO 17799/27002, and COBIT, are more general.
Standards Selection
As the name implies, standards selection describes the process of deciding on an information security standard to follow. This can be a simple process in certain industries: for example, healthcare organizations in the United States must follow HIPAA (Health Insurance Portability and Accountability Act), and organizations that process credit cards must follow PCI-DSS (Payment Card Industry Data Security Standard, discussed next).
Other industries (without regulatory requirements to follow a specific standard) typically choose from internationally recognized standards such as those provided by ISO, COBIT, ITIL (discussed next), and others. Note that industries such as healthcare may choose to follow these standards in addition to standards required by regulation.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard created by the Payment Card Industry Security Standards Council (PCI-SSC). The council comprises American Express, Discover, MasterCard, Visa, and others. PCI-DSS seeks to protect credit cards by requiring vendors that use them to take specific security precautions: “PCI-DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data” [11].
The core principles of PCI-DSS (available at https://www.pcisecuritystandards.org/security_standards/index.php) are [11]:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy