Sorting infosec standards and regulations into Hogwarts houses seems sort of silly at first. After all, the idea of anthropomorphizing a written set of rules and guidances isn’t really something serious people do. The Hogwarts Houses, however, come with a set of characteristics that define the students’ personalities. Various online sites have sorted politicians, celebrities, and Game of Thrones characters into their houses. People love categorizing, and the Hogwarts Houses allow people to do this in a pretty finite, fun way. Even though infosec standards and regulations don’t have personalities, the organizations that create them do.
Infosec compliance lacks the strict hierarchy of other compliance areas. Infosec standards and regulations often, though not always, act as guidances and peer suggestions. Increased consumer attention has spun much of this discussion into compliance being a selling point for revenue. With the largely diversified field, however, organizing these infosec standards and regulations into a larger guide can help negotiate the continually shifting compliance landscape.
Categorizing Infosec Standards and Regulations Using Hogwarts Houses
The Gryffindors of Infosec Standards and Regulations
Gryffindor, the house of heroes such as the titular Harry Potter and his two best friends Hermione Granger and Ron Weasley, stands as the house that most values courage, bravery, and determination.
Defining Gryffindors within the world of infosec standards and regulations means looking at those organizations bravely leading the charge of security with a sense of determination to make the world more cybersafe.
The National Institute of Standards and Technology (NIST) publishes its well-respected Cybersecurity Framework for free. Providing guidance instead of punishment, the Cybersecurity Framework and NIST 800-53 give organizations a way to start organizing their best practices without automatically spending money to get caught up on the basics. With an eye towards protecting cyber security, the NIST website also offers a free reference tool that represents the Framework Core, a set of industry standards, guidelines, and practices.
Similar to NIST, the UK Cabinet Office, National Security and Intelligence, and Government Security Profession published an eleven-page document to help guide protection of government assets. It incorporates twenty “Mandatory Requirements” grouped into seven areas: Governance, Risk Management & Compliance; Protective Marking & Asset Control; Personnel Security; Information Security & Assurance; Physical Security; Counter-Terrorism; and Business Continuity.
The Open Web Application Security Project (OWASP) began in 2001 as an open international community helping organizations conceive, develop, acquire, operate, and maintain trusted applications. Although OWASP is less a compliance standard and more a resource, it deserves a place on this list as a heroic act of industry innovation that provides guidance to members. Among peer-driven standards, frameworks, and guidances, OWASP stands as an organization whose primary goals overlap with the traditional compliance goals set out by more formalized organizations.
The Slytherins of Infosec Standards and Regulations
Slytherin, often erroneously considered the villainous foil to Gryffindor because it housed the evil Voldemort, focuses on pride, ambition, and cunning, making it less about evil and more about potentially hubristic characteristics.
This category falls to those standards and frameworks that are well-respected but also require users to pay for the privilege of being compliant. In this sense, ambition and cunning win out. Often, infosec standards and regulations are considered to be best business practices or something that should protect the industry. In this way, it makes perfect ambitious sense to monetize the experience.
The International Organization for Standardization (ISO) brings to the table some of the most recognized and most often complied-with standards. ISO/IEC 27000, together with all of its related standards, leads the charge for those starting their infosec standards and regulations journey. The prescriptive nature of ISO 27000 means that having copies of the standard itself matters to compliance. As a leading expert on information security, ISO has managed to leverage that into an ambitious and ongoing business.
Created by the Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT) framework acts as a tool to help bridge the gaps between business needs and technical issues to ensure that controls are appropriately mapped. COBIT importantly serves as a tool for process-based modeling. Breaking thirty-four specific processes into the four domains of Organization, Delivering & Support, Acquiring & Implementation, and Monitoring & Evaluation, the framework offers maturity models to assess the changes needed as businesses grow.
During the 1980s, the Securities and Exchange Commission created a committee to review fraudulent reporting. Five supporting organizations of auditors and accountants joined in the review, leading to the Committee of Sponsoring Organizations of the Treadway Commission (COSO). In 2013, a significant revision updated the original framework. COSO’s Internal Control – Integrated Framework identifies five interrelated components: control environment, risk assessment, control activities, information & communication, and monitoring. Its Enterprise Risk Management – Integrated Framework, developed by PricewaterhouseCoopers, added the strategic, operations, reporting, and compliance business objectives, along with the eight framework components of internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & management, and monitoring.
The Hufflepuffs of Infosec Standards and Regulations
Hufflepuff, long considered the weakest house due to its students’ kindness and selflessness, values hard work, patience, loyalty, and fair play.
Industries have adopted their own guidelines to help their hardworking members. Both the healthcare industry and the credit card industry have created infosec standards. This loyalty to their community is the reason they are the Hufflepuffs of information security compliance. The standards are intended to help industry members be their best, making them more about hard work and fair play than other standards.
The Health Information Trust Alliance (HITRUST) started in 2007 to help protect patient information. The HITRUST model seeks to create baselines across the health industry that can be applied to businesses based on their risk and maturity. Instead of starting with risk and creating controls in response to those risks, HITRUST looked at the healthcare industry and determined that certain risks were more likely for its members. In doing so, the HITRUST model allows HIPAA-covered entities to tailor their programs through the Common Security Framework model. HITRUST provides broad access to its common risk and compliance management frameworks in the hope of supporting the members of its community.
The Payment Card Industry Security Standards Council (PCI) was organized by American Express, Discover Financial Services, JCB International, Mastercard, and Visa to help promote information security over electronic payment systems. The PCI Data Security Standard (PCI DSS) has become the standard of compliance for any and all payment processors. In order to comply with PCI DSS, vendors must review their landscape to determine the scope of their risk. Following from that, they map their networks to review where information lives and travels. Because PCI DSS is an industry-specific standard trying to aid its members, it offers a lot of information, such as lists of approved assessors, devices, and applications.
The Ravenclaws of Infosec Standards and Regulations
Ravenclaws, the esoteric and scholarly house, most values wit, learning, and wisdom.
The key to Ravenclaws lies in their intense desire to be factually correct. Though many would argue that regulations do not promote wisdom and learning, the rule of law that they provide fits well with the need for Ravenclaws to be in charge of information. Rules of law rely on facts. In the case of the regulations discussed here, they are intended to punish those without integrity or who did not think about the repercussions of their actions. This makes the following the most Ravenclawed of the infosec standards and regulations.
In 2002, the Sarbanes-Oxley Act (SOX) was enacted in response to a wide array of corporate fraudulent reporting. Although the Securities and Exchange Commission (SEC) had addressed many of the concerns in SOX, corporate greed led to several companies flouting the laws. SOX intended to force ethics upon these kinds of companies by establishing penalties for those who would misreport. In the world of infosec standards and regulations, SOX Section 404 causes the greatest cost. Section 404 requires that businesses evaluate their IT environment to determine whether there are financial reporting risks and controls that address them. These risks can be internal or external. Often, they come from the way transactions in the financial statements are authorized, processed, or recorded. Once the risks are identified, Section 404 requires a review of the controls in place. These can be anything from looking at the employee level involved in the reporting structure to looking at the automation and possibility of human error. After reviewing the controls, the organization needs to determine the risk of a control failing to operate as intended and the risk that such a failure would lead to a material misstatement in financial reports. Finally, companies are required to report on their conclusions. SOC 1 reports are obtained and reviewed for the IT controls performed at third parties, such as a payroll processor. A company’s SOX conclusions are published in Item 9A of the public company’s SEC Form 10-K annual filing.
The European Union’s General Data Protection Regulation (GDPR) has made accountability and governance one of its main directives. The GDPR establishes a single set of rules that apply to all member states. However, it also expands its scope to data controllers that collect information from EU residents or process information from EU residents (whether directly or as cloud service providers), or where the person about whom the data is collected is an EU resident. This means that an organization that deals with EU resident information in any of these ways will need to become compliant, even if it is not located in the EU. The GDPR looks to assess the lawfulness, fairness, and transparency of processing; limit the purposes for which information is used; minimize the amount of data involved; ensure information accuracy; limit how long an organization stores data on a person; and enforce the integrity and confidentiality of the information. All of these are intended to lead to accountability by the processor or controller responsible for compliance.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services to enact privacy regulations to protect individually identifiable health information. The HIPAA Security Standards create a regulatory requirement that businesses falling within its purview establish administrative procedures to protect and manage the protection of data, physical safeguards over computer systems and buildings to prevent intrusion, technical security services that review access to information, and technical security mechanisms that prevent unauthorized transmission of information.
How do you think we fared sorting the infosec standards and regulations into houses? Do you agree with our assessment? What would you suggest be added?