
Security Standards

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 2 min read

Greene (2014) defines a security framework as a collective term for guidance on information systems security, predominantly concerning the planning, implementation, management and auditing of an organization's overall information security practices. A security framework defines the policies, procedures and processes that encompass all internal, external and tangential parties in managing an organization's information, systems and services (Theriault, 2017). A framework helps an organization reduce risk and its exposure to vulnerabilities (Theriault, 2017).


Some key frameworks, and the challenges associated with implementing them, are:

NIST Cybersecurity Framework – The National Institute of Standards and Technology is a federal agency under the United States Department of Commerce whose mission is to develop and promote measurement, standards and technology to improve quality of life, facilitate trade and enhance productivity (Theriault, 2017). The three main components of the NIST Cybersecurity Framework are the Core, the Implementation Tiers and the Profiles (Theriault, 2017).


Schlimmer (2018) counts more than 900 controls behind the NIST Cybersecurity Framework, which can be challenging to implement without a platform, a method and full support from executive management. (The Framework Core itself is organized into functions, categories and subcategories; the control count of several hundred comes from the NIST SP 800-53 catalogue that the Core's informative references map to.) Adoption can be simplified by reducing complexity and tailoring the framework to the organization's needs: focusing on the fundamental controls first, applying NIST SP 800-171, which Schlimmer argues delivers about 80% of the controls for 20% of the effort, and, most importantly, engaging the entire organization (Schlimmer, 2018).


ISO 27000 family – The 27000 series of standards, developed by the International Organization for Standardization, addresses managing information securely and the risk associated with people, processes and systems (Theriault, 2017). The family contains several sub-standards aimed at different industries and needs; ISO 27001, for instance, is structured around six elements: definition of the security policy, the scope of the policy, risk assessment, risk management, selection of security controls and a statement of applicability (Theriault, 2017).

Watson (2016) highlights the key challenges of implementing ISO 27001 as gaining acceptance from employees, finding the technical expertise to implement the standard, correctly interpreting the standard's requirements and managing the ISMS documentation. Churchman (2017) adds that organizations are often reluctant to implement ISO 27001 because they treat it as a low-priority item, do not think it applies to them, or fear that security processes, protocols and procedures will slow down their work.


PCI DSS – The Payment Card Industry Data Security Standard ensures the security of businesses that process card payments and reduces card fraud through tight security controls around the storage, transmission and processing of cardholder data (Theriault, 2017).

Some of the key challenges in adopting PCI DSS are the long list of mandatory requirements, the highly technical specifications, the need for organizational support during implementation, a lack of competence and an incorrectly defined project scope (Barbosa, 2018). Trivedi (2013) identifies public-facing environments, long turnaround times, third-party compliance and the handling of client data as key challenges organizations face when implementing PCI DSS.


References

Greene, S. (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN: Pearson.

Theriault, C. (2017). What is an information security framework and why do I need one? Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/

Schlimmer, S. (2018). Simplify NIST cybersecurity framework adoption. Retrieved from https://www.infosecurity-magazine.com/opinions/simplify-nist-cybersecurity/

Trivedi, C. (2013). Case study: Merchant with ‘card not present’ environment. Retrieved from http://www.sisainfosec.com/downloads/implementation-challenges-merchants-pcidss.pdf

Barbosa, O. (2018). Top 5 challenges of PCI DSS compliance. Retrieved from https://blog.cipher.com/top-5-challenges-pci-dss-compliance

Churchman, H. (2017). The 3 key challenges of ISO 27001 implementation for SMEs. Retrieved from https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

Watson, M. (2016). Overcoming the top challenges of implementing ISO 27001. Retrieved from https://www.itgovernance.co.uk/blog/overcoming-the-top-challenges-of-implementing-iso-27001/
