Security and assurance

I have been auditing against national and international standards for a while. It seemed to me to be a sensible way of trying to ensure best practice was being implemented and being implemented effectively. In recent months though I have realised there are some issues with these standards.

To start with, they are standards based on what someone else thinks you might need. Whilst in general that might be a good starting place, it is clear each and every organisation is different and therefore has different requirements. Sometimes those differences will be small and relatively insignificant but at other times, they could be very significant. Using a standard may mean missing some things or adding in others that are not useful to your organisation.

Secondly, there is the problem that, like any audit, penetration test or other such check, it is only really valid on the day it is completed. The next day a new piece of kit, threat, policy or whatever else means that audit is now out of date.

There needs to be a better way of checking on security and providing a better level of assurance that all is well, but more importantly, also that all is likely to be well for the foreseeable future.

The assessment of the maturity of the implementation of security controls seems to offer that, at least in significant part. There is never going to be 100% security: the criminals are just too clever, with far too much time on their hands allowing them to develop ever more sophisticated attacks. So checking how well controls have been implemented means we have a decent level of assurance that they will protect us in the future. Work done by a number of organisations from around the world shows that if you implement the top controls (the ones that are most effective and do most of the security work) at a level 5 maturity, then your organisation will be protected to a level in excess of 98%. That can’t be bad!

The Cyber Defence Capability Assessment Tool (CDCAT), developed by Dstl for the UK’s Ministry of Defence, is just such a tool and well worth a look if you feel there is a better way to deal with the ever changing cyber threats now being deployed. Look here for more information:

About Author: Andy Taylor
