Standards, models and best practices for security: powerful tools or further risk?
Building a security plan for a company is a broad undertaking that typically proceeds in cycles. The theoretical background of such assessments must be understood in order to choose the best options for the given company, and the company's specific situation regarding security practices and issues must be assessed, because a plan for securing a business must always be tailored to it. The main purpose of a security plan is to strengthen the company from a security standpoint whilst maintaining business continuity: cyber security must act as an enabler for the business, not as a barrier.
Cyber security standards
The broadest and most detailed tools to evaluate the security situation of a company and to address the findings are so-called cyber security standards. These standards (sometimes also referred to as frameworks) are collections of standardized techniques, guidelines and procedures, created by organizations, commissions or institutes as a common reference for companies within the same field.
The two most widely used standards in the cyber security field are the ISO/IEC 27000 series (ISO27K) and the NIST Cybersecurity Framework (NIST CSF), both of which can be adapted to the needs of most companies regardless of their business field. There are also standards specific to certain industries, such as NERC 1300 for electric systems and ANSI/ISA 62443 for industrial automation and control systems. It is advisable to carefully research the standards available for the industry of the company whose security plan is being developed, as they typically include specific guidelines that a more generic standard or framework cannot offer.
The ISO/IEC 27000 series is developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and consists of nearly fifty different standards. The series is built around the concept of an information security management system (ISMS), i.e. a comprehensive set of policies, processes and security controls that together manage all cyber security related operations within a company. It is becoming the de facto standard for most companies, as its broad scope and extensive documentation make it applicable to businesses of different sizes and of all industries. The first and main standard is ISO/IEC 27001, which specifies the requirements for an ISMS and follows the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
The NIST Cybersecurity Framework is a set of guidelines devised by the National Institute of Standards and Technology, an agency of the United States Department of Commerce. It was originally aimed at protecting critical infrastructure, i.e. the operations and facilities that keep society and the economy running, but is nowadays implemented by many private businesses as well as some governments, and is mainly used in the United States of America. The core of the NIST CSF is organised into five functions that form a cycle: Identify, Protect, Detect, Respond, Recover.
Security models and best practices
Security models are formal or semi-formal descriptions of how a security policy or standard is enforced: which subjects (users, processes) may perform which operations on which objects (files, records, devices), and under what rules. A model can be aimed at ensuring the confidentiality of information or its integrity, and different models suit different situations. Security models can be static or adaptive, i.e. changing based on the current situation of the company, and they cover different functionalities. The most commonly used models are those governing access control, that is the restriction of access to a physical place or to information. A widespread model for access control is the Access Control Matrix: a table with subjects as rows, objects as columns, and in each cell the rights that subject holds over that object. Operating systems and applications rarely store the whole matrix, which is mostly empty; they keep it by column as an access control list on each object, or by row as a capability list for each subject.
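The following PowerShell script is an added illustration of the Access Control Matrix described above; it is example code written for this article, not code from the thesis. It builds a small matrix for a constructed project team (the subject and object names are invented), checks requests against it with default-deny semantics, and derives from it the two storage forms operating systems actually use: a per-object access control list and a per-subject capability list.

```powershell
# Access Control Matrix example (added for this article, not from the thesis).
# Rows are subjects, columns are objects; each cell is the set of rights the
# subject holds over the object. A missing row, column or right means no access.
$script:Acm = @{}

function Grant-Right {
    param([string]$Subject, [string]$Object, [string[]]$Rights)
    if (-not $script:Acm.ContainsKey($Subject)) { $script:Acm[$Subject] = @{} }
    if (-not $script:Acm[$Subject].ContainsKey($Object)) {
        $script:Acm[$Subject][$Object] = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    foreach ($r in $Rights) { [void]$script:Acm[$Subject][$Object].Add($r) }
}

function Revoke-Right {
    param([string]$Subject, [string]$Object, [string]$Right)
    $row = $script:Acm[$Subject]
    if ($row -and $row.ContainsKey($Object)) { [void]$row[$Object].Remove($Right) }
}

# The reference-monitor check: default deny, so any missing piece fails.
function Test-Access {
    param([string]$Subject, [string]$Object, [string]$Right)
    $row = $script:Acm[$Subject]
    return [bool]($row -and $row.ContainsKey($Object) -and $row[$Object].Contains($Right))
}

# Column view: the access control list an OS would attach to one object.
# Cells that exist but hold no rights are treated like missing cells.
function Get-ObjectAcl {
    param([string]$Object)
    $acl = @{}
    foreach ($s in $script:Acm.Keys) {
        $cell = $script:Acm[$s][$Object]
        if ($cell -and $cell.Count -gt 0) { $acl[$s] = @($cell | Sort-Object) }
    }
    return $acl
}

# Row view: the capability list a subject would carry with it.
function Get-CapabilityList {
    param([string]$Subject)
    $caps = @{}
    $row = $script:Acm[$Subject]
    if ($row) {
        foreach ($o in $row.Keys) {
            if ($row[$o].Count -gt 0) { $caps[$o] = @($row[$o] | Sort-Object) }
        }
    }
    return $caps
}

# Constructed sample data: a project repository and a sensitive HR file.
Grant-Right -Subject 'alice' -Object 'project-repo' -Rights 'read', 'write'
Grant-Right -Subject 'bob'   -Object 'project-repo' -Rights 'read'
Grant-Right -Subject 'alice' -Object 'hr-records'   -Rights 'read'
Grant-Right -Subject 'admin' -Object 'hr-records'   -Rights 'read', 'write', 'own'

Test-Access 'bob'   'project-repo' 'write'   # bob was only ever granted read
Test-Access 'carol' 'project-repo' 'read'    # carol has no row in the matrix
Test-Access 'alice' 'project-repo' 'write'

Revoke-Right 'alice' 'hr-records' 'read'     # alice leaves the HR project
Get-ObjectAcl 'hr-records'                   # who can still touch the file
Get-CapabilityList 'alice'                   # what alice can still do
```

Revoking alice's last right on hr-records leaves an empty cell rather than deleting it, which is why both derived views filter on the cell's count: to the reference monitor an empty set of rights and no entry at all mean the same thing, and the check in Test-Access returns the same answer for both.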
Best practices are non-binding recommendations on procedures that an industry has identified and accepted as producing the best result. They are not legal requirements and can change quickly as the industry develops. Best practices can serve as a basis for creating policies within a company and are often grouped and described in publications by organisations such as the European Union Agency for Cybersecurity (ENISA).
The risk of following a standard, model or best practice
Applying a standard to a company, or making it follow industry best practices, is meant to improve its security management capabilities by creating sensible policies and models tailored to it. The same process can also create new risks for the company if the initial assessment of the situation or the application of the standard is not carried out correctly. Because the most common standards proceed in cycles, the company can remain exposed to existing threats while new measures are still being implemented. Especially in smaller businesses, focusing on compliance with a standard in order to obtain a certification can tie up resources that are needed to manage the company's current security situation. Furthermore, whilst best practices are recognised by an industry, they may not fit the specific needs of a company, and they risk producing overly complicated policies and models that employees ignore or implement only partially.
Work carried out in theFIRMA
TheFIRMA is a learning environment that operates within the ICT unit of Turku University of Applied Sciences. Its cyber security situation was assessed through interviews with the relevant parties and by applying the de facto standard security framework in Europe, the ISO/IEC 27000 series. Following the assessment, three pillars of action were identified and addressed: physical security, software security and awareness training.
Physical security focused on hardware solutions for the perimeter of the company premises and on improving access control for employees and guests. The main suggestions for securing the premises included higher-security door hinges, lock systems for hardware that does not need to be moved from the workspaces, and a colour-coded badge system for easier identification of staff members and their roles.
The software security section covers the management of User owned Devices (UoDs), the reduction of user privileges on theFIRMA's workstations and the hardening of network protection within the company. One of the main areas of focus is raising the security of the workstations with existing, easy to use solutions: UEFI firmware in place of legacy BIOS, Secure Boot, and BitLocker disk encryption.
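The controls named in this paragraph can be checked on a workstation before and after hardening. The following PowerShell audit script is an added example written for this article, not part of the thesis; it uses only cmdlets built into Windows 10 and 11 (Confirm-SecureBootUEFI, Get-BitLockerVolume, Get-LocalGroupMember) and must be run from an elevated prompt. The allow-list in $AllowedAdmins is an assumed placeholder that has to be replaced with theFIRMA's actual administrative accounts.

```powershell
#Requires -RunAsAdministrator
# Workstation hardening audit (added example, not from the thesis). Read-only:
# it reports the state of the three controls discussed above and changes nothing.

# Accounts that may legitimately stay in the local Administrators group.
# ASSUMPTION: adjust to the real administrative accounts of the company.
$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\itadmin")

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

# 1. Firmware and Secure Boot. UEFI is a prerequisite for Secure Boot;
#    $env:firmware_type is 'UEFI' or 'Legacy'. Confirm-SecureBootUEFI throws
#    on legacy firmware, so the exception is treated as a failed control.
if ($env:firmware_type -ne 'UEFI') {
    Add-Finding 'UEFI/Secure Boot' 'FAIL' "Firmware type is '$env:firmware_type'; convert the disk to GPT and switch to UEFI before enabling Secure Boot"
} else {
    try {
        if (Confirm-SecureBootUEFI) { Add-Finding 'UEFI/Secure Boot' 'OK' 'UEFI firmware with Secure Boot enabled' }
        else { Add-Finding 'UEFI/Secure Boot' 'FAIL' 'UEFI firmware but Secure Boot is disabled' }
    } catch {
        Add-Finding 'UEFI/Secure Boot' 'FAIL' "Secure Boot state unavailable: $($_.Exception.Message)"
    }
}

# 2. BitLocker on the OS volume. Two conditions matter: protection must be on
#    (otherwise the key is stored in the clear and the volume is effectively
#    unprotected) and encryption must have finished, not merely started.
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') {
        $protectors = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        Add-Finding 'BitLocker' 'OK' "$env:SystemDrive fully encrypted; key protectors: $protectors"
    } else {
        Add-Finding 'BitLocker' 'FAIL' "$env:SystemDrive protection $($os.ProtectionStatus), volume $($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted"
    }
} catch {
    Add-Finding 'BitLocker' 'FAIL' "BitLocker not available on this edition or volume: $($_.Exception.Message)"
}

# 3. Least privilege. Every member of the local Administrators group that is
#    not on the allow-list is a finding; domain groups appear here as well.
try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $extra = @($members | Where-Object { $AllowedAdmins -notcontains $_.Name })
    if ($extra.Count -gt 0) {
        $list = ($extra | ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }) -join ', '
        Add-Finding 'Local admins' 'FAIL' "Unexpected members: $list"
    } else {
        Add-Finding 'Local admins' 'OK' "Only allow-listed accounts: $($AllowedAdmins -join ', ')"
    }
} catch {
    Add-Finding 'Local admins' 'FAIL' "Could not enumerate the group: $($_.Exception.Message)"
}

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object Status -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed of $($findings.Count) workstation controls are failing" }
```

Saved as a .ps1 file, the script can be run from a logon script or scheduled task so that a workstation whose Secure Boot or BitLocker state has been changed, or where a user has been added to Administrators, is flagged without anyone having to inspect it by hand.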
The main focus of the thesis lies on awareness training for both employees and administration. Only by creating a lasting awareness among staff of the importance of both cyber security measures and data protection will theFIRMA truly improve its security resilience. One of the main issues in the company is the high turnover of employees which, combined with work on mainly externally commissioned projects, makes it a real challenge to establish security by design as the common ground and starting point for all projects. As a result, a presentation was created to be shown to new employees on their first day at theFIRMA. This document explains the fundamentals and best practices of cyber security in the company and aims to provide easily understandable information, while also giving the students a sense of responsibility and justifying the security-oriented requests made by the company. After the presentation the students then play a cyber security game in which they put the newly acquired knowledge to the test in real-life scenarios.
Result of the work
The work resulted in a satisfactory number of solutions and suggestions that could be implemented in theFIRMA, allowing a significant improvement of the company's cyber security situation without major costs. The special structure of the company and its low budget made it challenging to find viable results that would benefit the company and its employees in both the short and the long term, especially given the high employee turnover.
Deeper integration of security checks and solutions into Active Directory, as well as more targeted training and awareness material for specific roles in the company, are among the suggested future improvements.
This article is based on a thesis written by Philipp Woolaway. You can find the thesis here: https://www.theseus.fi/handle/10024/779693