The top five sources of IT security best practices consist of standards, frameworks and guidelines. The sources listed below are international organizations and governmental entities. The perspectives on IT security, risk and controls vary considerably.
IT auditors working in different technology environments know that the selection of best practice standards and frameworks is a critical task. There are invariably differences between the concepts in best practice documents and the implementation in real world technology environments.
This ‘Top Five’ list is intended to be used as a reference for IT auditors, security practitioners, risk managers, compliance professionals, IT administrators, software developers and the broad range of IT professionals. We hope to add value to the overall IT professional community.
1. Control Objectives for Information and related Technology (COBIT). Published by ISACA.
The latest version is COBIT 4.1 which consists of generally accepted best practices, processes, measures and indicators for IT governance and control. The formal mission is to “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors”. COBIT 4.1 contains 34 high-level processes which cover 318 control objectives and are categorized in the four domains below: -Planning and Organization -Acquisition and Implementation -Delivery and Support -Monitoring and Evaluation
2. ISO/IEC 27001 IT Security Techniques — Information Security Management Systems. Published by the International Organization for Standardization.
This is an Information Security Management System (ISMS) standard which is part of the ISO/IEC 27000 family of standards. The official name is ISO/IEC 27001:2005 – Information Technology — Security Techniques — Information Security Management Systems — Requirements. The standard was created in 2005 by the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC). The objective is a management system for information security.
The standard emphasizes a risk management approach in which an organization identifies, analyzes and evaluates risks. The focus is on reducing risk in a range of areas where information security could be compromised. There are over 130 controls defined as part of the standard.
3. Center for Internet Security (CIS) Benchmarks
The Center for Internet Security (CIS) Benchmarking and Metrics Division publishes consensus best practice standards for security configurations. Information security metrics and other resources are also published to measure security status and to make decisions about security investments. The official objective is to ‘reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls.’
The Benchmarks are detailed recommendations for technical control rules and values in operating systems, middleware and software applications and network devices. There are 53 different benchmarks including Unix and Microsoft Windows operating systems, Oracle and Sybase databases, Cisco and Juniper network routers and more. These benchmarks were created through a consensus of hundreds of security professionals in business, industry, government and academia worldwide.
4. US Department of Defense, Security Technical Implementation Guides (STIGs)
Security Technical Implementation Guides or ‘STIGs’ contain guidelines for the standardized installation and maintenance of computer software and hardware. The US Defense Information Systems Agency (DISA) created these best practices as a series of configuration documents in support of the US Department of Defense (DoD).
The STIGs are standards to configure systems and devices. These standards are intended to be used in conjunction with security checklists which are also known as lockdown or hardening guides. There are also Security Readiness Review Scripts (SRRs) for testing systems for compliance with the STIG configuration.
The STIGS cover most operating systems, databases and web servers.
5. US National Institute of Standards and Technology (NIST), Computer Security Division, Special Publications (SPs).
These ‘special publications’ are designed to help secure our nation’s information and information systems. There are over 300 NIST information security documents including Federal Information Processing Standards (FIPS), NIST Interagency Reports (NIST IR), the Special Publication (SP) 800 series and the Information Technology Laboratory (ITL) Bulletins.
The SP 800-series is based on ITL research, guidelines and outreach efforts with industry, academic and government organizations.
The ‘special publications’ are organized into ‘families’ focused on a specific aspect of IT security and control such as risk assessment, access controls, audit and accountability, system and information integrity and contingency planning. Some examples of specific guides are the Guide to General Server Security, Guide to Secure Web Services, Guidelines on Electronic Mail Security and Security Considerations in the System Development Life Cycle.