The governing principle of an Information Security Management System (ISMS) is that an organization should design, implement and operate a coherent set of policies, standards, and procedures (PSP) to manage risks to its information assets. While ISO-27001 is the most well-known promoter of the ISMS concept, the idea of an ISMS can be found in other leading IT control frameworks including COBIT (most notably in Risk IT) and FISMA/NIST (most notably in SP 800-39). PPS’s ISMS Practice Area addresses the three key life-cycle phases of an ISMS:
- Strategize: What framework(s) should we consider? What attestation do we need to provide to which stakeholders? What standards should we align ourselves with? What will the process look like if rolling this out world-wide? What internal/external resources will we need to design it, implement it, certify it, operate it, and validate it?
- Implement: What Risk Assessment Methodology will we adopt? How do we develop the Risk Treatment Plan? How best to gap-assess the current vs. desired state? How do we leverage Security Metrics to know that we are achieving our KPIs?
- Operate: How do we evolve the scope of the ISMS to address other key systems or different locations? How do we independently/objectively validate the operation of the ISMS? How do we provide assurance/attestation to stakeholders like the Board and customers? How do we manage and learn from incidents before risk is realized?
- ISO 27001
ISO 27001: An Information Security Management Systems (ISMS) standard that is promulgated by the International Organization for Standardization (ISO). It is a formal specification for an ISMS in that it mandates a particular set of controls that need to be in place. Therefore, organizations that claim to have adopted 27001 can be formally audited and certified compliant with the standard. It is this ability to certify the operation of an ISMS that makes 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an Information Security program.
- ISO 27002
ISO 27002: (formerly ISO 17799) A “collection” of security controls (often referred to as best practices) that is often used as a “security standard”. By definition, an audit (or assessment) is a comparison to a standard. While 27002 is not a standard per se, it is often used that way. Assuming that the design and/or operation of your Information Security Management System is “consistent with” it (i.e., there are no notable gaps), it can be said that your environment is “compliant” with the standard.
- Shared Assessments
Shared Assessments: Provides an assessment of an organization’s implementation of its controls using a standardized questionnaire (the Standardized Information Gathering questionnaire, or SIG) which is based on the ISO 27002 standard, with additional input from Shared Assessments Program members. The approach is more rigidly defined (e.g., answers are Yes, No, or N/A), making the completed SIG easy to read by machine. The original idea was that service providers could complete the SIG just once, and then provide the completed SIG to multiple clients.
- HIPAA Compliance
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has significantly changed business practices and policies for all Covered Entities (CEs). As with many other regulatory issues, HIPAA is largely a call for a strong control environment, with a focus on the safeguards necessary to ensure the security of patient health information. Contrary to prevailing opinion, achieving HIPAA Security compliance does not rely on complex technology solutions and strategies, but rather on simpler people- and process-oriented control environment issues.
- HITRUST Certification
HITRUST: Focused on providing a prescriptive set of controls that are cross-mapped and referenced to the standards and regulations relevant to healthcare, to simplify the process of becoming largely compliant with relevant laws and regulations and mitigating most risks that a typical hospital faces to an acceptable level. An over-simplified view is that HITRUST is a set of predefined controls for an assumed set of risks and compliance requirements, with an IT-GRC-like mapping. It’s a pre-customized CSF (Common Security Framework) in a box. HITRUST has an advantage over ISO 27001 in being somewhat “simpler”, since the risks and risk treatments are largely predefined.
- Business Continuity Management
Business Continuity Management: At its simplest, Business Continuity Management ensures that critical business processes and resources remain available (or can be rapidly restored) in order to ensure the continued achievement of critical organizational objectives.
A logical subset of Business Continuity is Information Continuity (a.k.a. Disaster Recovery), which is focused on ensuring that critical Information Technology resources are available. Our Business/Information Technology Continuity practices are based on the leading standards, including ISO 27031, ISO 22301, and NIST SP 800-34.
- Secure Data Flow Diagram
- Payment Card Industry (PCI)
Payment Card Industry: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit and credit cards. It was intended to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
- Personally Identifiable Information (PII)
Identity Theft Prevention: The rise in identity theft has led to 47+ states and the federal government issuing guidance on information security requirements intended to prevent identity theft. Despite increased emphasis on technical controls intended to prevent data breaches of Personally Identifiable Information (PII), Patient Health Information (PHI), Card Holder Data (CHD), and Intellectual Property (IP), it continues to be a problem.
- Sarbanes-Oxley
COBIT: The specialized nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. From this recognition came the development of the COBIT auditing framework by the Information Systems Audit and Control Association (ISACA). ISACA is an education foundation dedicated to the large-scale research efforts necessary to expand the knowledge and value of the IT governance and control field.
- Policies, Procedures & Standards
Policies, Procedures & Standards: It’s often been said that information security does not exist until it is documented. While that may not be true in the literal sense — it is most definitely true from a liability and/or from an auditor’s perspective. The move to more formal and provable Information Security Management Systems (ISMS) has become a challenge for most organizations as fully documented, metricized, and compliance-monitored Policies, Procedures & Standards are quite rare.
NIST Framework: Identifies 75 existing standards that are likely to be applicable to the development of the Smart Grid. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.