Call me jaded but my level of distrust goes up when an organization:

• 
  
  Pronounces itself as the “Information Security” guardian of an industry segment


• Develops a “proprietary” framework/standard that it rationalizes based on the uniqueness of the industry


• Develops its own certification programs and charges exorbitant fees to qualify entities for certification

Perhaps I am just cynical based on our mutual experience with the  “Payment Card Industry Standards Council” and the PCI-DSS program which has only succeeded in reducing the risk to the payment brands at the expense of the merchants and the card owners. 

My lack of trust in all things PCI-related is well illustrated by the recent “gift card” I gave to my nephew for graduating high school.  He called me embarrassed to report that the card balance was zero and that the credit card company had told him that it had already been used.  After a considerable time on the line the credit card company finally “admitted” that the card had been used five days prior to my purchasing it.   If the credit card companies can’t prevent/detect this proactively – what faith can we have in them or their ability to govern?

On learning of HITRUST I was hopeful that it would be different.  But on first blush it looks like they have stolen a page or two out of the Payment Card Industry Standards Council playbook.  For example,  the costs involved for a consulting/auditing firm to be “qualified” exceed $20,000.  Initially the standard was only available at a significant cost. On a more positive note, the Alliance recently announced that the Common Security Framework (the standard) will now available for free (however, after 30 minutes on the site today – I still can’t find it).

Hopefully, I am wrong and HITRUST will be a shining beacon for Information Assurance – but I’m not so sure.  I would rather have a comprehensive, non-industry specific, standard (e.g., ISO-27001) achieve sufficient status that these entities don’t feel the need to develop proprietary standards.  The benefits would be significant.

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

• How to deal with increasing threats
• How to manage multiple regulatory requirements
• How to handle client requests for attestation
• To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

• Simplify compliance monitoring/reporting
• Vastly improve Incident Detection & Incident Response
• Contextualize event information with other business relevant information

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

• Substantiate the net effectiveness of a mature control environment
• Prove to a third party that an environment is secure/trustworthy
• Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
• To validate that significant changes did not have unanticipated results

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.