Find your starting point with IT compliance

Even a bad budget is better than ...

Think of security and compliance frameworks like a chart of accounts and budgets.

• They provide structure. Frameworks allow multiple people to look at the same data in the same way.
• They provide a way of seeing where you are versus where you want to be
• They allow for effective planning.
• They allow for tracking your progress over time.

Good security practices are good security practices. Almost all of any particular framework can be mapped to any other framework. The National Institute of Standards (NIST) even produces a spreadsheet with how to map controls in one framework to controls in another.

Controls are safeguards intended to meet security & privacy requirements; assessing controls verifies that these requirements are met.

Controls are often divided into families or groups much like an income statement is divided into revenue, cost of goods and sales, general and administrative expenses. These control families can sound confusing but in practice, you're probably already doing most of this for other areas of your business.

• AC - Access Control. (Does that employee really need access to the payroll system)
• AU - Audit and Accountability. (Does that employee still need access to the payroll system)
• AT - Awareness and Training. (Phishing training)
• CM - Configuration Management. (Do you plan your changes in advance or just push buttons)
• CP - Contingency Planning. (What happens if..)
• IA - Identification and Authentication. (How do you know who's accessing your systems)
• IR - Incident Response. (There was a fire. What do we do)
• MA - Maintenance. (How do we keep things running smoothly)

Your IT person should be able to explain controls in plain English and you should be able to match the relative thoroughness of your business controls to your IT infrastructure. For example, you may have rules about requireing two people to complete a wire transfer. You should ask your IT person or company if they have separate accounts when they perform administrative functions. That's the plain english version of :

Access Control Requirement 3.5.1 controls AC-6 which maps to ISO 27001 controls A.9.1.2, A.9.2.3, A.9.4.4 and A.9.4.5

Employ the principle of least privilege, including for specific security functions and privileged accounts.

DISCUSSION Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.