Standards Harmonization: Obtaining Full Coverage Through Pairing
Security Process Professional: Resources for IT Audit & Security Improvement
Section: Standards and Best Practices
07 September 2010
ISACA recently released a standards harmonization study that compares 15 controls frameworks and security standards against the domains of its Certified Information Security Manager (CISM) certification. None of them provides complete coverage and depth in all five domains, and few supply guidance on how to implement their security recommendations. However, by pairing the standards creatively, you can obtain deep coverage in all areas and achieve redundancies that ensure you know not only what needs to be done, but how to do it.


Each standard was first classified against the following criteria:

  1. Information security management programme components
  2. Security principles
  3. High-level information security controls
  4. Detailed control practices
  5. Model or methodology
Ratings were then provided for each standard against the domains of ISACA's Certified Information Security Manager (CISM) certification:

  • Information Security Strategy
  • Risk Management
  • Information Security Program Management
  • Information Security Management
  • Response Management
Only one standard provides strong guidance in the area of response management: NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook. This may, in part, reflect a growing consensus that response management has limits as a protection strategy in light of zero-day attacks.

ISO/IEC 13335 Information Technology: Guidelines for the Management of IT Security offers the deepest guidance, though it does not address all areas in depth. It is also a controlled standard that must be purchased under license. Except for a slightly lower rating in the area of Detailed Control Practices, NIST SP 800-12 provides essentially the same depth and coverage, and it is available for free.

But to achieve full coverage, you need to exercise some creativity in pairing these guidance standards. Here are the pairs that provide the deepest and broadest guidance available:

* Superior, providing redundant coverage including emphasis on Response Management:
NIST SP 800-12 plus ISO/IEC 13335

* Full coverage, with high emphasis on Risk Management:
NIST SP 800-12 plus the OCTAVE risk management methodology

* Full coverage with redundant emphasis on Security Controls:
CobiT plus ISO/IEC 13335

* Full general control:
CobiT plus NIST SP 800-12

* Preferred: free, full-coverage guidance:
NIST SP 800-12 plus the ISF Standard of Good Practice for Information Security plus ISO/IEC 15408

Perhaps surprisingly, the standards with the weakest depth and breadth are the most familiar ones:

ISO/IEC 17799 Code of Practice for Information Security Management provides only high-level guidance of superficial depth, with little information about security program components, security principles, or detailed control practices. Nevertheless, it is the standard best used to ensure reasonable attention to security in enterprise governance practices.

According to the study, ITIL and SSE-CMM provide useful but superficial guidance for the security concerns contained in the CISM domains. Both were classified only under model or methodology, and only the Open Group's Manager's Guide to Information Security and GAISP (Generally Accepted Information Security Principles) ranked lower: those two received no classification in any of the key areas at all and provide only superficial guidance in the CISM domains.

The Open Group guide, GAISP, ITIL and SSE-CMM can serve as foundation guidance where little security infrastructure is in place. Where a security program already exists, advance to the next control levels using the recommended pairings.

Last updated: Thursday, 08 September 2005