Information systems security compliance

As the increasing complexity of information systems creates unprecedented security risks, organizations are implementing new information security standards.

Thanks to globalization, organizations have been able to grow by taking advantage of emerging markets. Since organizations are now present in many different places, their business models have rapidly become more complex in order to efficiently and transparently meet customer needs.

To quickly adapt to these new organizational requirements, information technology departments have progressively designed and implemented new IT architectures. Once confined to a few buildings, information systems now generate real-time exchanges between disparate systems that may belong to different entities—business units, partners, vendors, customers, etc.

Acting as veritable nerve centres, information systems are the nucleus of all organizational activities. The predominance and increasing complexity of information systems have created new risks for organizations. Maintenance is increasingly complex and synergies with systems that may belong to other organizations have spurred many initiatives to standardize IT activities. This standard-setting work, conducted mostly by universities, governments and umbrella organizations, has helped to define good practices for information systems management.

The adoption of these standards by organizations has resulted in a gradual harmonization of design, development, installation, maintenance and information systems security practices, and has improved their quality.

In this article, we will first discuss information security standards that are most often applied in the business world. We will then present a compliance guide for information systems security and conclude with important points to consider when choosing a standard.

The importance of information security and specialized standards

Nowadays, organizations rely mainly on information to make decisions, carry out their activities and meet regulatory requirements. As a result, information is now considered an important resource to be protected. Ensuring the confidentiality, integrity and availability (CIA) of an organization’s information has become a difficult task, which should be carried out on an ongoing basis. Information security standards provide organizations with the tools to help them define an information systems security strategy scaled to their business needs and contractual or legislative requirements.

There are numerous information security standards, including:
- ISO 27001;
- ISO 27002;
- SOC 1 - SSAE 16 (which replaced SAS 70), SOC 2 and SOC 3;
- PCI DSS;
- National Institute of Standards and Technology (NIST) standards.

We will limit our discussion on information security standards to those that apply most often to the business world.

Comparison of information security standards

ISO 27001

ISO 27001 specifies the requirements for implementing, operating and improving an information security management system (ISMS). This standard recommends a governance model that enables organizations to manage information security in a structured manner, prepare a customized information security management plan and respond to legitimate questions from management, including the following:
- Has the organization identified the applicable legal, regulatory and contractual obligations related to security?
- Has the organization identified the information and processes that need to be protected?
- What security measures are in place to protect this information?
- Does the organization understand its information system and can the system detect potential problems?

ISO 27001 does not provide specific guidance on information security controls to be put in place. Instead, it sets out a guidance framework for the following processes, among others:
- security measures management;
- compliance management;
- risk management;
- incident management.

As a general-purpose and formalized standard, ISO 27001 will suit any type of organization that wants to identify all of its security issues. ISO 27001 cross-references a number of standards relating to ISMS implementation, such as ISO 27002 and ISO 27005.

By implementing the good practices recommended by ISO 27001, organizations can develop security measures that are more targeted to their activities and information systems. An ISO 27001-compliant organization can obtain ISO 27001 certification to better report on its level of security to internal and external users alike.


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a standard developed by the credit card industry. The standard’s main purpose is to ensure the security of credit card information transmitted to organizations. Compliance with PCI DSS significantly reduces the risk of fraud and theft of banking information.

To protect an organization from potential internal or external threats, PCI DSS recommends putting in place a number of control mechanisms and procedures to protect credit card information, including managing access, encrypting credit card data and transmission, and installing firewalls and anti-malware. Some organizations can perform their own PCI DSS self-assessment. However, those that process more than a set limit of credit card transactions will have to use the services of a Qualified Security Assessor (QSA) to assess these transactions. PCI DSS certification is required if an organization wants to accept payments through major credit cards.


SOC 1, 2 and 3

SOC (Service Organization Control) 1 (SSAE16), 2 and 3 (AT 101) prescribe the preparation of three types of reports that describe the procedures and controls organizations implement to secure their information systems.

The SOC 1 report, which replaces the widely known SAS 70, focuses on the reliability of financial information, while the SOC 2 and 3 reports contain more stringent requirements related to security, availability, integrity and confidentiality of sensitive data.

The SOC 1 report is designed especially for organizations that carry out financial activities for their clients (e.g. financial services, payroll management), while SOC 2 or 3 type reports are intended for a wider range of organizations, i.e. those that provide services for which data security, confidentiality and integrity are essential, such as processing medical data and archiving confidential information.

Information systems security compliance guide

Compliance is not a one-off job to be carried out and then forgotten. Rather, it is a business process that adapts to regulatory constraints, the company’s needs and especially to new security risks. IT and IT-related risks constantly change and evolve. As a result, the compliance program must be adapted to these changes. To do so, it is important to have a dynamic compliance process that takes into account the following three principles (Figure 1):

- understand the regulatory framework;
- integrate controls;
- fix gaps.

Figure 1: information systems

Choosing to comply with an information security standard, or to seek certification against a given standard, must be done in a thoughtful and structured way based on the organization’s strategic needs and contractual and regulatory requirements. The following is a detailed description of each step as presented in Figure 1:

Understand the regulatory framework

Establish a compliance governance framework

The first step in developing a compliance program is to understand the organization’s regulatory environment. For information systems security, research must be conducted in collaboration with the security team or a consultant specialized in this field. This process will focus on identifying the sources of governance that apply to the organization’s environment and listing the related controls.

In the case of an organization without a harmonized information security management structure, it is strongly recommended to use ISO 27001 to implement an ISMS.

An organization may also be required to comply with industry-specific information security standards (e.g. PCI DSS required by major groups like Visa and MasterCard) or standards imposed by its partners and clients (SOC 1, 2 and 3, PCI DSS, etc.).


Assign a certified manager

It is important to assign the compliance program to a person who has the necessary competencies. Many certifications aim to validate competence in information systems security, such as the CISSP (Certified Information Systems Security Professional), the CISA (Certified Information System Auditor), the CISM (Certified Information Security Manager) or the Lead Auditor ISO 27001 certification which specifically relates to implementing an ISO 27001-compliant information security management system.


Effectively communicate the compliance program

Implementing IT security controls always triggers some resistance from users. The key is to effectively communicate the compliance program, but especially to explain its added value and the controls that will be put in place to the staff affected by the program.

Integrate controls

Implement audit program processes

This process defines and standardizes the control activities and procedures based on the governance objectives. The process encompasses business risks, control objectives, control activities and control test procedures. It enables control traceability, illustrates its relationship with sources of governance, and identifies a non-compliant element based on business risk.

Fix gaps

Appropriate measures in cases of non-compliance

Non-compliance with information systems security policies can be an indication of flawed security mechanisms and of business risks. Accordingly, the decision-making process must include mechanisms for making dynamic decisions, compiling and reviewing control breakdowns, and developing and choosing mitigating strategies. Often, mitigating security risks does not require costly controls. The ideal is to find the perfect balance between risks and the costs of control.


Play an advisory role in IT teams

An effective security compliance program includes a process for advising IT architects and system developers, as well as for helping them understand control needs. This advisory service could also be used when preparing contracts with service providers. The IT and security compliance group must be able to define the responsibilities of service providers in relation to the controls. The effectiveness of these controls will be measured and the findings submitted to the organization’s upper management.

Conclusion

We presented the information security standards and practices most often applied in the business world. We also discussed specific elements and factors to consider when selecting a standard.

An organization should consider what options it has to effectively communicate its information security posture, both internally and externally. If the options are limited, the solution is then to align the organization’s compliance process with one of the information security standards.