As described in the Summary, reasonable information security practices lie in managing the following domains:
- Information Security Management
- Information Security Subject Matter Expertise
- Security Management of Sensitive and Private Information
- SecureTheHuman
- Security Management of the IT Interface
- Security Management of the IT Infrastructure: Use of CIS Critical Security Controls
- Third-Party Security Assurance
- Information Resilience
- Information Security Governance
These are described below.
Information Security Management
The organization manages its own information security by means of a formal documented Information Security Management Program designed to protect the confidentiality, integrity and availability of its information and the information of its clients in accordance with commercially reasonable information security management standards appropriate for a company with its security-risk profile and the security-risk profiles of its clients.
The organization’s Information Security Management Program is based on an Information Risk Assessment
- The Organization conducts a periodic risk assessment, at least annually, of its information systems sufficient to inform the design of its information security management program.
- The Organization updates its risk assessment as reasonably necessary to address changes to its information systems, nonpublic information of clients and others, or business operations.
- The Organization’s risk assessment considers the particular risks of its business operations related to cybersecurity, nonpublic information of clients and others, information systems utilized, and the availability and effectiveness of controls to protect client and other nonpublic information and information systems.
- The Organization carries out its risk assessment in accordance with written policies and procedures, including:
  - Documented criteria for evaluating and categorizing identified cybersecurity risks or threats facing the IT organization and its clients;
  - Documented criteria for assessing assurance of confidentiality, integrity, and availability of information systems and nonpublic information;
  - Documentation describing how identified risks are mitigated, accepted, or otherwise addressed based on the risk assessment.
- The organization documents its risk assessment.
The Organization’s Information Security Management Program is designed to perform the following five core cybersecurity functions: [2]
- Identify and assess internal and external cybersecurity risks that may threaten the security of client information or nonpublic information stored on its information systems.
- Protect client information and nonpublic information stored on those information systems from unauthorized access, use or other malicious acts through physical, administrative and technical controls, including the implementation of policies and procedures.
- Detect cybersecurity events and alert appropriate personnel.
- Respond to identified or detected cybersecurity events to mitigate any negative effects and restore operations.
- Recover from cybersecurity events and restore normal operations and services.
The Organization’s information security management program is managed by an Information Security Manager, appointed by Executive management, and responsible and accountable for managing the organization’s information security management program.
The Information Security Manager is supported by a cross-functional steering committee and subject matter expertise. Executive management provides the Information Security Manager with appropriate resources and regularly reviews the information security program.
The Organization has a program for identifying, documenting and controlling sensitive information with access to information based upon the twin concepts of least privilege and need-to-know.
The Organization has an information security awareness and education program so that all staff receive information security awareness training at least annually and are periodically trained in phishing defense.
The Organization has formal documented standards for ensuring that 3rd-parties with which it shares information secure it in accordance with documented standards that are at least as strong as the standards described in this document.
The Organization has formal documented standards, processes and procedures for managing the security of its own IT infrastructure in accordance with the Center for Internet Security (CIS) Critical Security Controls (See below). These standards document, for each control, how – and to what extent – the organization meets that control. As the organization may have different clients with different security needs, the Organization’s security standards are to meet the highest standard of any of its customers. [3]
The Organization has documented incident response and business continuity plans that are tested at least annually. The organization’s Incident Response plan calls for client notification as soon as possible in the event of a suspected breach or other security incident.
The Organization measures its information security performance through metrics that are published at least quarterly to its clients.
Information Security Subject Matter Expertise
The Organization has appropriate information security subject matter expertise or access to that expertise.
The Organization has either a Certified Information Systems Security Professional (CISSP) on staff or utilizes one through an ongoing consulting relationship. [4]
All technical staff receive a minimum of 16 hours per year of information security continuing education.
Information security continuing education includes educational activities in areas such as the following:
- Security and Risk Management
- Privacy Management
- Asset Security
- Access Controls
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
- Penetration Testing
- Risk Identification, Monitoring, and Analysis
- Incident Response, Recovery and Resilience
- Information Security Management Frameworks
- Information Continuity
- Other Advanced Technology Management Programs
Qualifying CPE activities include activities such as:
- Attending educational courses or seminars, such as those offered
- Attending security conferences
- Being an active member of an information security association chapter
- Completing university/college courses
- Providing security training
- Publishing security articles or books
- Serving on industry boards
- Self-study, if properly rigorous and documented
- Volunteer work on behalf of information security professional associations such as (ISC)², ISSA, ISACA, and the Cloud Security Alliance
There are numerous organizations offering continuing education. These include:
- Colleges and Universities
- The SANS Institute
- (ISC)²
- ISSA
- ISACA
- CompTIA
As a general rule, the training courses offered by solution providers on configuring their solutions do not qualify as continuing education.
Security Management of Sensitive and Private Information
The organization formally identifies, documents, and controls access to sensitive and private information in accordance with laws, regulations, contractual obligations, and in accordance with its own fiduciary responsibilities.
The organization has a formal program to protect the information of others:
- Personally identifiable information
- HIPAA protected information
- Information of minors
- GDPR-protected information
- Credit card information
- Information protected by NDA or other agreements
The organization has a formal program to protect its own information assets:
- Intellectual property
- Trade secrets
- Operational reports
- Spreadsheets
- Word files
- Emails
- eCommerce systems
- Online banking systems
- Passwords to critical systems; server configuration information, etc.
- Websites
- Backup and recovery systems
- Physical inventory records
All information requiring protection has a “Security / Privacy Owner” responsible for identifying the appropriate security level of the information and identifying people and roles authorized access to the information.
Each Information Security / Privacy Owner is responsible for:
- Knowing the protection needs of information
- Knowing where information needing protection is located
- Providing users with guidance on who they are authorized to share information with, where they can move or save information, and, more generally, explaining to users how the information is protected
- Maintaining an up-to-date “Information Inventory: What, Who, Where.”
SecureTheHuman
The organization has an active awareness training and education program to turn personnel into cyber guardians having the knowledge, skills, and commitment needed to meet the ongoing challenges of cyber crime, cyber privacy and information security.
SecuringTheHuman is more than annual awareness training. SecuringTheHuman means turning people into cyber guardians having the knowledge, skills, and commitment needed to meet the ongoing challenges of cyber crime, cyber privacy and information security. It takes leadership to create a cyber-adaptive culture that supports turning people into cyber guardians.
Some of the things that can help grow a cyber-adaptive culture include:
- Phishing Defense Training
- Make Cybersecurity a Part of Department Meeting Agendas
- Train people: See Something. Say Something
- Celebrate Wins
- Offer Lunch and Learns
- Provide Posters & Login Banners as Continuous Reminders; Change Regularly
- Have IT Provide Cybersecurity Tools for Users
  - Provide Password Management Tools
- Make Phishing Reporting Easy
- Use Email Alerts to keep information security front-of-mind
- Provide Staff “Cybersecurity is Everyone’s Job,” a publication of the National Initiative for Cybersecurity Education Working Group, Subgroup on Workforce Management, National Institute of Standards and Technology
- Provide Citadel Information Group’s Free Cybersecurity News of the Week to Staff
Security Management of the IT Interface
All access to the organization’s network is protected in accordance with appropriate documented procedures, access is identifiable to a specific person, and audit logs (records) are recorded and securely maintained.
All of the Organization’s technical personnel having access to a client’s IT network connect via individual user-accounts. The organization does not use shared accounts for access to its clients’ IT networks.
All remote access to the Organization’s IT network is through a Virtual Private Network (VPN) with two-factor authentication. VPNs are configured with no split tunneling. There is no direct remote access to internal servers from the Internet.
User passwords providing administrative access to the organization’s IT network are a minimum of 15 characters in length and composed of all 4 character sets: upper case, lower case, number, and special character.
All access and behavior by IT staff is logged. All logs are traceable to a specific individual. Organization logs include at least the following: user identification, type of event, event time, success or failure indication, origination of event, and identity or name of affected data, system component, or resource.
Logs are stored in a secure manner using, for example, a syslog server. Logs are protected from unauthorized modification.[5] Logs are stored for a minimum of 365 days.
The Organization reviews all administrative accounts with access to its IT networks at least every 90 days to ensure that staff permissions remain correct.
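As an added example (not part of the Code), the following Python checker tests audit records against the six items the Code requires in every log record, flags accounts that cannot be traced to one individual, and checks whether a log store reaches back the required 365 days. The key=value record layout, the field names, the list of generic account names and the sample lines are assumptions constructed for the example.

```python
"""Check audit records against the Code's minimum logging requirements.
Added example: the key=value layout, field names, generic account names and
sample lines are constructed here, not part of the Code."""
from datetime import date

# The six items the Code requires in every log record, keyed by the
# constructed field name used in the sample records.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "time": "event time",
    "result": "success or failure indication",
    "origin": "origination of event",
    "target": "affected data, system component, or resource",
}
# Account names that cannot be traced to one person (constructed list).
NON_INDIVIDUAL_ACCOUNTS = {"admin", "administrator", "root", "shared", "service"}
MIN_RETENTION_DAYS = 365


def parse_record(line):
    """Parse one 'key=value key=value ...' record into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_record(line):
    """Return the findings for one record; an empty list means compliant."""
    rec = parse_record(line)
    findings = []
    for key, meaning in REQUIRED_FIELDS.items():
        if not rec.get(key):
            findings.append(f"missing {meaning} ({key})")
    user = rec.get("user", "").lower()
    if user in NON_INDIVIDUAL_ACCOUNTS:
        findings.append(f"user '{user}' is not traceable to an individual")
    if rec.get("result") not in (None, "success", "failure"):
        findings.append("result must be 'success' or 'failure'")
    return findings


def audit(lines):
    """Map each non-compliant line number (1-based) to its findings."""
    report = {}
    for lineno, line in enumerate(lines, 1):
        findings = check_record(line)
        if findings:
            report[lineno] = findings
    return report


def retention_covered(oldest_record_day, today):
    """True when the log store reaches back at least MIN_RETENTION_DAYS (ISO dates)."""
    span = date.fromisoformat(today) - date.fromisoformat(oldest_record_day)
    return span.days >= MIN_RETENTION_DAYS


# Constructed sample: one complete record, one missing its result, one shared account.
SAMPLE_LOG = [
    "time=2024-03-01T10:15:00Z user=jsmith event=login result=success origin=10.0.5.12 target=vpn-gw1",
    "time=2024-03-01T10:16:30Z user=jsmith event=config_change origin=10.0.5.12 target=fw-core",
    "time=2024-03-01T10:20:00Z user=admin event=login result=success origin=10.0.5.40 target=dc01",
]
```

Running `audit(SAMPLE_LOG)` reports line 2 (no success/failure indication) and line 3 (the shared `admin` account), while line 1 passes.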
Security Management of the IT Network: Use of CIS Critical Security Controls
The Organization manages the security of its IT networks in accordance with commercially acceptable IT security management standards, at least as strong as those described below.
Use of CIS Critical Security Controls: The Organization has formal documented standards, processes and procedures for managing the security of its clients’ IT infrastructures in accordance with the Mapping of CIS Controls to STV Basic Code, based on Center for Internet Security (CIS) Critical Security Controls. (Version 6c).
Documentation includes the technical or other standards in-place for implementing the control, the procedures used to configure and implement the control, and the processes used to ensure the control is followed.
There are 20 Critical Security Controls in the CIS Framework, Version 6c, each of which is based upon a set of sub-controls. The SecureTheVillage Code uses these sub-controls as the basis for managing a client’s network.
As documented in the Mapping of CIS Controls to STV Basic Code, each Sub-Control is either Required, Addressable, or Mixed.
If a sub-control is listed as required, then compliance with the Code requires the IT organization to implement the control.
If a sub-control is listed as addressable, then compliance with the Code requires the organization to either implement the control or, if it doesn’t fully implement the control, that its documented security management standards include:
- A description of why the organization doesn’t implement the control
- The compensating controls the organization has in place to appropriately meet the intent of the sub-control
Some sub-controls contain both a required component and an addressable component. These are indicated in the Mapping of CIS Controls to STV Basic Code.
Example of a Required Sub-Control: The Code requires an IT organization to implement the following sub-control without exception.
Critical Security Control #9: Limitation and Control of Network Ports
Sub-Control 9.1: Ensure that only ports, protocols, and services with validated business needs are running on each system.
Example of an Addressable Sub-Control:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Sub-Control 2.2: Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist organizations), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Sub-control 2.2 is addressable rather than required as this control is, in general, not commercially reasonable for mid-market and smaller companies.
Example of a Mixed Required-Addressable Sub-Control:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Sub-Control 2.1: Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
Required: Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.
Addressable: This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
The second clause of Sub-Control 2.1 is addressable rather than required because file integrity checking tools are often not commercially reasonable for smaller companies.
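To make the Required / Addressable / Mixed rules concrete, here is an added Python example (not the Code's own tooling) that evaluates an organization's documented standards against the three sub-controls discussed above. The data layout, the `ClauseStandard` record and the sample standards document are assumptions constructed for the example; the rule applied is the one the text states: a Required clause must be implemented, an Addressable clause may instead be covered by a documented reason plus compensating controls, and a Mixed sub-control is judged clause by clause.

```python
"""Evaluate documented standards against the Code's Required / Addressable / Mixed
treatment of CIS sub-controls. Added example: data layout and sample standards are
constructed; the three sub-controls are the ones discussed in the text."""
from dataclasses import dataclass, field

@dataclass
class Clause:
    text: str
    required: bool  # True = Required clause, False = Addressable clause

@dataclass
class SubControl:
    sid: str
    clauses: list  # one Clause; two (Required + Addressable) for a Mixed sub-control

@dataclass
class ClauseStandard:  # what the organization's standard documents for one clause
    implemented: bool
    rationale: str = ""  # why the clause is not implemented (Addressable only)
    compensating: list = field(default_factory=list)

def classification(sc):
    """'Required', 'Addressable' or 'Mixed', derived from the clauses."""
    kinds = {c.required for c in sc.clauses}
    return "Mixed" if len(kinds) == 2 else ("Required" if True in kinds else "Addressable")

def clause_compliant(clause, std):
    """Apply the Code's rule for one clause of a sub-control."""
    if std is None:
        return False  # nothing documented at all
    if std.implemented:
        return True
    if clause.required:
        return False  # Required clauses admit no exception
    # Addressable: not implementing needs a documented reason plus compensating controls
    return bool(std.rationale.strip()) and len(std.compensating) > 0

def evaluate(subcontrols, standards):
    """Return {sub-control id: [non-compliant clause descriptions]}; [] = compliant."""
    report = {}
    for sc in subcontrols:
        documented = standards.get(sc.sid, [])
        gaps = []
        for i, clause in enumerate(sc.clauses):
            std = documented[i] if i < len(documented) else None
            if not clause_compliant(clause, std):
                gaps.append(f"{'Required' if clause.required else 'Addressable'}: {clause.text}")
        report[sc.sid] = gaps
    return report

# The three sub-controls used as examples in the text.
CODE = [
    SubControl("9.1", [Clause("only validated ports, protocols and services running", True)]),
    SubControl("2.2", [Clause("application whitelisting deployed", False)]),
    SubControl("2.1", [Clause("list of authorized software and version per system type", True),
                       Clause("list monitored by file integrity checking tools", False)]),
]
# Constructed standards document: 2.1's second clause lacks rationale and compensating controls.
STANDARDS = {
    "9.1": [ClauseStandard(implemented=True)],
    "2.2": [ClauseStandard(False, "Not commercially reasonable at our size",
                           ["anti-malware on every endpoint", "no local admin rights for users"])],
    "2.1": [ClauseStandard(implemented=True), ClauseStandard(implemented=False)],
}
```

`evaluate(CODE, STANDARDS)` passes 9.1 and 2.2 (the latter via its documented rationale and compensating controls) and reports only the undocumented Addressable clause of 2.1.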
Third-Party Security Assurance
The Organization follows a formal documented process based upon the Center for Internet Security (CIS) Critical Security Controls to ensure the security of 3rd-parties who will have access to customer information or information systems. This includes:
- Solution organizations
- 3rd-Party applications
- Data centers
- Cloud service providers (SaaS, etc.)
- Cloud infrastructure (Amazon S3, Azure, etc.)
- Backup/recovery systems
- Disaster recovery sites
- Telco and Mobile Service Providers
Information Resilience
The organization develops, maintains, and tests Incident Response Plans and Business Continuity Plans. This includes training staff to meet their incident response or business continuity responsibilities and maintaining relationships with law enforcement and other professionals likely to be crucial should an incident or disaster occur.
The organization has a formal Incident Response / Business Continuity Team, including:
- Information Security Manager
- Appropriate Executives
  - CEO, COO, CFO, HR
- CIO, IT Director, IT Vendor
- Information Security Subject Matter Expertise
- Computer Forensics / Investigator Subject Matter Expertise
- Legal Counsel
- PR
The organization develops Incident Response / Business Continuity Plans, trains staff in the plans, regularly tests the plans, and updates plans on a regular basis.
IT management planning includes:
- Information Backups and Images
- Computer Logs and Audit information
- Documentation
- Disaster Recovery & Restore Procedures
- Off-Site Preparedness
- Telecommunications Preparedness
- Power
- HVAC
- Etc.
Organizational planning includes:
- Business Impact Analysis
- Staff Resources
- Incident Handling Communications, both Legal and Public Relations
Plans contain necessary contact information such as:
- Attorneys
- Insurer
- IT Vendors
- Cloud Vendors
- Security Vendor
- Forensics Specialist
- Local Law Enforcement
- PR Person
- Banker
- Accountant
- Payroll Company
- Others, as identified
Plans include System Information such as:
- Network Inventories and Diagrams
- Server, Router, Firewall Configurations
- Passwords
- Data Inventories and Maps: Where the Crown Jewels Are
- IT Checklists and Procedures
Following recovery from an incident, the organization formally addresses “lessons learned,” updating plans to take advantage of the newly learned lessons.
Information Security Governance
The Information Security Manager meets at least quarterly with executive management to review the organization’s information security profile, including:
- Material cybersecurity events during the time period addressed by the report.
- Changes in the cyber security threat environment, in particular in relation to the client’s risk exposure.
- Cybersecurity risks.
- Overall effectiveness of current security controls, including strengths and weaknesses.
- Recommendations for improving security management.
[1] In the language of the International Information Security Standard, ISO 27001, this is called an Information Security Management System. An Information Security Management System (ISMS) is a systematic and structured approach to managing information security. ISMS implementation includes policies, processes, procedures, organizational structures, education and training programs, relationships with vendors, and the software and hardware functions mediating the flow and control of information. As described in Information Security Standard, ISO 27001, an ISMS implementation should be directly influenced by the organization’s objectives, security requirements, processes employed, size and structure. See https://www.iso.org/isoiec-27001-information-security.html.
[2] These five core functions are described in the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST). See https://www.nist.gov/cyberframework.
[3] From the CIS website: “The CIS Critical Security Controls (CIS Controls) are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent…. The CIS Controls embrace the Pareto 80/20 Principle, the idea that taking just a small portion of all the security actions you could possibly take, yields a very large percentage of the benefit of taking all those possible actions.” https://www.cisecurity.org/critical-controls.cfm.
[4] See https://www.isc2.org/cissp/default.aspx.
[5] One strategy for doing this is to set audit files to read-only and audit for whenever permissions change on that file. Another is to use file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts.