As discussed in the first part of this article, this document aims to discuss the standards that a company should have in place in terms of information security and compliance, to answer the question “What standards do I need to have in place in my organization?”
So far, I have discussed the ISO standards and their sub-standards or sub-components. Let me continue the topic with the standards below.
PCI-DSS or the Payment Card Industry Data Security Standard
This standard generates the most questions we encounter on a daily basis. Most of these questions directly ask “Do we need a PCI-DSS implementation in our organization?” The first question we shoot back is “Which industry does your business belong to?”, followed by “Do your regulators require you to have this standard?”
PCI-DSS basically addresses payment account data security. If the industry your company belongs to does not receive, process, or transmit payments online, you do not need to have this standard in your organization. While this standard was created specifically to address payments and the protection of payment data, it may be adopted as a secondary standard that works hand in hand with the ISO management standards.
PCI-DSS is more detailed than the ISO standards and addresses security management, policies, procedures, network architecture, software design, and other critical components involved in the processing of such payments.
Basically, the PCI-DSS standard defines six areas of requirements:
- Building and maintaining a secure network
- Protecting cardholder information
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing the environment
- Maintaining an information security policy.
COBIT, or Control Objectives for Information and Related Technology, is not a standard per se but a framework that links IT initiatives to business requirements, organizes all IT activities into an accepted business practice model, identifies the information resources to be utilized and leveraged, and defines the management control objectives. While COBIT may incorporate ISO and PCI-DSS standards, COBIT is more concerned with the compliance aspect of doing things: ensuring that all activities, acquisitions, and management activities fall within the accepted standards of doing things.
COBIT is now accepted globally as a guidance tool for business governance that allows managers to bridge the gap between technical issues, technical requirements, and business risks.
ITIL, or Information Technology Infrastructure Library, is a collection of best practices in IT Service Management and concentrates on the importance of service delivery in information technology. This standard places the user, rather than the process or the solution, at the center of information technology. It does not address information security per se but focuses on the quality of the service provided by service providers to users, with information security components relegated to the background.
These basic standards are the most widely accepted information security and information security management standards in use globally. However, there are also specific standards that arose from legislative regulation. Examples of these are SOX, HIPAA, COSO, FISMA, and FIPS. Which of these regulatory standards apply depends on where your company does its business and on whether your regional and main headquarters require your local company to adopt them as well.