The authors developed a comprehensive security control framework that unified information security, privacy, physical security, and customer credentialing controls. They selected ISO 17799 as the base framework due to its alignment with their existing security policy. The framework was mapped to other regulatory requirements like SOX, PCI DSS, and SAS70. Developing the framework presented challenges around determining the appropriate framework, identifying all relevant controls, and classifying key controls. The benefits of a unified framework include reduced audit duplication and more efficient compliance testing.
ISSA Journal | April 2007

Building a Comprehensive Security Control Framework
By Lori Crooks and Aurobindo Sundaram

Developing a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.

Over the last several years, information security has progressed from being ad-hoc, to project-based, and then to program-based. The next evolution for information security is in process-based or control-based frameworks. These frameworks treat information security as a business process, and involve the integration of best practice codes of practice (e.g., ISO 17799:2005), regulatory requirements (e.g., GLBA requirements, HIPAA requirements), policy, and compliance.

For 6 months in 2006, we developed a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.1 The following sections will describe our process, particularly in unifying the framework, the expected benefits of a framework for an organization, and tools and procedures that can aid readers in their efforts to develop their own frameworks.

The Problem

Most companies are subject to meeting the requirements of different regulations. For instance, our Insurance Data Services business is regulated under the Federal Fair Credit Reporting Act (FCRA). We also perform annual Sarbanes Oxley (SOX) 404 audits to fulfill SEC requirements. Our customers audit us using their own standards, sometimes based on international standards, such as ISO 17799. Our credit card processing applications are required to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). And finally, we have requirements from several of our partners to complete annual SAS70 Type II audits.

Our Information Security Policy was based on ISO 17799, but it was specific to IT Security, and only loosely integrated with several of our other programs, such as hiring and termination practices and physical security. In addition, we were finding that on every audit or assessment that was performed on us, we were duplicating effort, performing redundant testing, and not re-using results from prior audits. For efficiency and structure, there was a need to converge our different security standards into a unified security control framework (the framework).

1 Customer credentialing is our term for validating a customer’s information and bonafide business credentials before allowing them access to sensitive information.
2 The objectives of management that are used as the framework for developing and implementing controls.
3 An automated or manual process that is periodically performed to meet a control objective.

The Methodology

We examined different ways to create our framework. They are summarized below.

1. Create a custom framework

This would have involved our researching all of our controls, ensuring that they were substantially complete and broad enough as an information security framework (by comparing them against ISO, for example), and then crafting a set of control objectives2 and associated control activities3 that would be the meat of the framework.

Once we thought more about this, although it sometimes made sense to create a custom framework, in this case, we would have had to weigh its advantages against (a) having to explain to all our external auditors how the framework met their requirements; and (b) having to continuously research and update the custom framework when standards and regulations change.

2. Use multiple frameworks, overlapping as necessary

This option was the easiest solution, essentially nearly preserving the status quo, while searching for commonalities in control objectives. The point of this method would have been to spend the bulk of our time in making the controls consistent across the different frameworks, while leaving each of the frameworks themselves unmodified.

The disadvantage of this method is that tracking and managing multiple frameworks still involves significant overhead. In addition, every time a new framework (regulatory or otherwise) impacts the company, this process would have to be completed again. Although we could hope to identify operational synergies with this option, we
were unsure if they would be significant, compared to the other options.

3. Create a single framework with appropriate mappings to other frameworks

With this option, we would have to pick one framework as the base framework, and then ensure that we created mappings where necessary to all the regulatory and customer standards we had to comply with. If the framework was complete, every time a new regulation was introduced, we would simply have to redo the mapping process, since the controls themselves would already exist. In rare cases, however, additional controls would have to be added to extend the framework.

The disadvantage of this method is that we were essentially starting from scratch. All of our existing controls would have to be mapped to the base framework, and we would have to develop entirely new controls to meet the control objectives of the base framework. In addition, there would inevitably be control objectives in the base framework, which, even though we did not believe were applicable, would still have to be implemented or addressed in some way. And finally, we would have to start the process of mapping all of our existing methodologies and controls for SOX, SAS70, etc., to the new framework.

In the end, we decided to select Option 3 for the following reasons:

• Our information security policy was already based on ISO 17799, and many of our technical security programs (e.g. vulnerability management, virus protection, application security, patch management) already mapped to elements of the corresponding ISO best practices.
• The ISO standard, although specific to information security, is widely accepted worldwide. Emerging standards, such as the BITS FISAP,4 are based on ISO 17799.
• Using a single framework gave us a starting point and a goal. We could then focus on mapping and migrating controls from other audit requirements into the framework. The end goal was to reduce audit time, combine testing, and unify all of our controls.
• Option 1 would have resulted in our diverging from industry and international standards. We felt that had we done this, we would have spent significant additional time convincing our partners and auditors of the completeness and breadth of our framework.
• Option 2 would have involved leaving the existing systems in place, while trying to exploit some synergies of operations. To us, this felt more like a stop gap solution, as the original problem would not have been fixed. Although this was workable, we felt it better to build a clean, unified framework for the future, despite the inevitable growing pains and integration issues along the way.

Diagram 1 shows the different sections of ISO 17799:2005 and our mappings to different regulatory frameworks. In particular, our resources section points the reader to step-by-step guides to regulatory compliance planning. Our paper, though, focuses on a security control framework for managing business operations, including regulatory compliance.5

4 Financial Institution Shared Assessment Program
5 With SAS70 Type II audit the mapping may be expanded or reduced.

Diagram 1 – Control Framework Mapping and Normalization Example (each x marks one of the five frameworks to which the section maps)

Control Framework                                 ISO-17799 / SAS70 / AICPA / GLBA / FACT Act
5.0 – Policies and Procedures                     x x x x
6.0 – Organizing Security and Privacy             x x x
7.0 – Asset Management                            x x x x
8.0 – Human Resource Security                     x x x x
9.0 – Physical and Environmental Security         x x
10.0 – Communications and Operating Management    x x x x x
11.0 – Access Control                             x x x x x
12.0 – Application Development                    x x x x
13.0 – Information Security Incident Management   x x x x
15.0 – Compliance                                 x
16.0 – Customer Credentialing

The framework

As we started populating the framework, we realized that the ISO standard is heavily slanted towards security.

• Physical security controls mapped easily into Section 9 – Physical Security
• Corporate governance model for security and privacy mapped into Section 5 – Policies and Procedures
• Privacy controls mapped into sections 11 – Access Control and 15 – Compliance

However, our controls for customer credentialing were not adequately covered in the ISO standard (some controls were covered in Section 6 – Organizing Information Security). Therefore, we extended our base framework to add an additional section on Customer Credentialing.

Tip: It is important that organizations not try to keep a framework rigid and inflexible. There are occasions where a framework must be extended, and as long as it is done with discipline, the organization can reap the advantages of such an extension.

Challenges

As with every project, challenges were encountered. For this project challenges included determining the correct framework to use, identifying controls outside of information security, ensuring completeness of the framework and classifying key controls. Each of these challenges is discussed below.

As previously mentioned, deciding on the methodology was challenging. After we decided on Option 3, we considered several frameworks, e.g., COBIT, ISO 17799, for our base control framework.
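The mapping of Diagram 1, the completeness check described under Challenges (at least one control for every control objective of the base framework) and the re-mapping step that Option 3 promises when a new regulation comes into scope can all be expressed as one coverage matrix over the control inventory. The following Python script is an added example written for this page; it is not code from the article or from its authors' organization. The section numbers and titles follow Diagram 1 (Section 14.0 is not listed on the page and is omitted), while the control ids, their mappings and the list of sections a PCI DSS assessment is assumed to touch are constructed sample data.

```python
"""Coverage matrix and completeness check for a unified control framework.

Added example for this page; it is not code from the article or its authors.
Section numbers and titles follow Diagram 1 (Section 14.0 is not listed on the
page and is therefore omitted); the control ids, their mappings, and the
PCI DSS section list are constructed sample data.
"""
from dataclasses import dataclass

# Base-framework sections from Diagram 1 (ISO 17799:2005 headings plus the
# article's added Section 16).
SECTIONS = {
    "5.0": "Policies and Procedures",
    "6.0": "Organizing Security and Privacy",
    "7.0": "Asset Management",
    "8.0": "Human Resource Security",
    "9.0": "Physical and Environmental Security",
    "10.0": "Communications and Operating Management",
    "11.0": "Access Control",
    "12.0": "Application Development",
    "13.0": "Information Security Incident Management",
    "15.0": "Compliance",
    "16.0": "Customer Credentialing",
}

# Columns of Diagram 1.
REGULATIONS = ("ISO-17799", "SAS70", "AICPA", "GLBA", "FACT Act")


@dataclass(frozen=True)
class Control:
    control_id: str          # hypothetical identifier
    section: str             # base-framework section the control is filed under
    satisfies: frozenset     # standards/regulations whose requirements it meets
    key: bool = False        # set after the risk analysis the article describes


# Constructed sample controls; a real framework holds hundreds.
CONTROLS = [
    Control("POL-01", "5.0", frozenset({"ISO-17799", "SAS70", "GLBA"})),
    Control("ORG-01", "6.0", frozenset({"ISO-17799", "AICPA"})),
    Control("ASSET-01", "7.0", frozenset({"ISO-17799", "SAS70"})),
    Control("HR-01", "8.0", frozenset({"ISO-17799", "GLBA"})),
    Control("PHY-01", "9.0", frozenset({"ISO-17799", "SAS70"})),
    Control("OPS-01", "10.0",
            frozenset({"ISO-17799", "SAS70", "GLBA", "FACT Act", "PCI DSS"}), key=True),
    Control("AC-01", "11.0",
            frozenset({"ISO-17799", "SAS70", "AICPA", "GLBA", "FACT Act", "PCI DSS"}), key=True),
    Control("APP-01", "12.0", frozenset({"ISO-17799", "SAS70"})),
    Control("IR-01", "13.0", frozenset({"ISO-17799", "SAS70", "GLBA"})),
    # Deliberately no control in 15.0 Compliance: the completeness check must flag it.
    Control("CRED-01", "16.0", frozenset()),  # extension section, maps to no external standard
]


def coverage_matrix(controls, sections=SECTIONS, regulations=REGULATIONS):
    """Section -> set of regulations that at least one control in it satisfies
    (the 'x' marks of Diagram 1). Unknown sections are an error, not silently dropped."""
    matrix = {sec: set() for sec in sections}
    for ctl in controls:
        if ctl.section not in matrix:
            raise ValueError(f"{ctl.control_id} references unknown section {ctl.section}")
        matrix[ctl.section].update(r for r in ctl.satisfies if r in regulations)
    return matrix


def completeness_gaps(controls, sections=SECTIONS):
    """The article's completeness check: sections with no control at all."""
    populated = {ctl.section for ctl in controls}
    return sorted((s for s in sections if s not in populated), key=float)


def regulation_gaps(controls, regulation, required_sections):
    """Option 3 re-mapping step: when a new regulation comes into scope, list the
    sections it requires where no existing control is yet mapped to it."""
    covered = {ctl.section for ctl in controls if regulation in ctl.satisfies}
    return sorted((s for s in required_sections if s not in covered), key=float)


def key_controls(controls):
    """Ids of the controls auditors should concentrate on."""
    return [ctl.control_id for ctl in controls if ctl.key]


def render_matrix(matrix, sections=SECTIONS, regulations=REGULATIONS):
    """Plain-text table in the shape of Diagram 1."""
    width = max(len(f"{k} - {v}") for k, v in sections.items()) + 2
    lines = ["Control Framework".ljust(width) + "  ".join(regulations)]
    for sec in sorted(sections, key=float):
        marks = [("x" if reg in matrix[sec] else "-").center(len(reg)) for reg in regulations]
        lines.append(f"{sec} - {sections[sec]}".ljust(width) + "  ".join(marks))
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = coverage_matrix(CONTROLS)
    print(render_matrix(matrix))
    print("Completeness gaps:", completeness_gaps(CONTROLS))
    # Constructed: sections a newly in-scope PCI DSS assessment is assumed to touch.
    print("PCI DSS gaps:", regulation_gaps(CONTROLS, "PCI DSS", ["9.0", "10.0", "11.0", "12.0"]))
    print("Key controls:", key_controls(CONTROLS))
```

Run stand-alone, the script prints the matrix, reports 15.0 Compliance as the one section without a control, and lists 9.0 and 12.0 as the sections where the sample PCI DSS scope has no mapped control yet. Keeping the mapping in data rather than in a spreadsheet is what makes the re-mapping step cheap: a new regulation is a new set of `satisfies` tags plus one `regulation_gaps` call, and the matrix for auditors is regenerated from the same inventory.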
The frameworks were assessed to see which one fit the company and its various divisions best. Our company is unique because we have many corporate-wide controls, but also we have several business units that have their own set of controls. A few of the business units had defined controls because they had gone through a SAS70 Type II audit; however, those controls did not tie to a specific control framework – they were ad-hoc. After reviewing the different frameworks, we decided that the ISO 17799:2005 code of practice fit our company – both company-wide and business unit specific. Since our security policy is aligned to the ISO, it made defining those controls simpler.

One issue we identified after our selection of the standard framework was to decide how to address the sections that did not fall under ISO 17799. We decided to enhance the framework and add additional sections as appropriate. Since privacy is key to our business, we added elements of privacy in our controls, based on AICPA Generally Accepted Privacy Principles (GAPP). We also added a section on customer credentialing because we have controls for validating our customers and their use of data that we provide. Since there is no standard for credentialing, we built it based on our own controls.

The ISO 17799 framework has sections that cover human resources, physical security, environmental security, change control, and other sections that are not strictly related to information security. Since each of these sections falls out of our experience in information security, we had to coordinate and interview individuals who were knowledgeable in these other sections. We spent significant resources performing walk-throughs of processes, and defining appropriate control activities that could be tied back into our framework.

As mentioned previously, we identified which controls were corporate-wide and which ones were business unit specific. This took time to ensure that there were appropriate controls for each of the business units. Unfortunately, maintaining controls specific to each business unit is complicated, time consuming, and leads to inconsistency in implementations. It is far more efficient to drive control activities from a corporate perspective (for instance, policies, procedures and standards should be created and enforced at a corporate level, unless there are aspects that are so business-unit specific as to merit an exception). As part of our continued evolution in information security, we are rationalizing these business unit controls to make them enterprise controls – for instance, although different application development groups use different project management methods, all of them are required to abide by secure application development standards developed at the corporate level. This consolidation and centralization will reduce the number of controls to test, focus accountability on corporate compliance, and provide consistency for customers and auditors.

Once all the controls were identified and placed in the framework, it was important to go back through and compare to ISO 17799 to determine whether there was at least one control for each control objective in the standard. Gaps were identified during our completeness check, so we had to find an effective control to fit in that gap.

Another challenge was identifying the key controls. We wanted to ensure that our auditors were being efficient and only looking at the key controls. But since we had defined many controls, trying to determine key controls was a challenge. We analyzed the risk of the absence of a particular control to judge whether or not it was a key control.

Benefits

There are many benefits to a unified control framework. This framework will be used for the whole company. Instead of having different controls or control sets for internal audit, compliance, and security, there will be one unified framework. During Sarbanes-Oxley testing, internal audit will be able to use this framework, as will the security team for their assessments. The completeness of this framework means that our external auditors will be able to use our framework for their testing, for SOX, SAS70, and other compliance testing. Finally, our customers will appreciate the rigor and structure of a framework based on an internationally accepted standard.

We are currently completing the implementation of a compliance management tool for the framework. This will assist us in maintaining compliance information centrally. Since we know certain controls occur on a periodic basis, we can place those documents within the management tool. Auditors can directly access the management tool in read-only mode to assist with their testing. This saves time for the auditors and for the company, because the auditors do not have to set up time with the employee to gather the documents.

Since the control framework is so broad, it affects every individual. This benefits the company because individuals will be expected to be control conscious and to learn how to ensure their controls are working effectively. In fact, all our employees undergo mandatory information security and privacy training annually. This awareness helps us push accountability onto every employee of the company.

Lessons learned

As we went through the framework definition process, we learned many lessons: external expertise is useful, at least in the beginning; resources with audit backgrounds are helpful, especially in defining controls from processes; you will invariably need to make multiple review and modification passes over the framework; and you should plan on the effort taking longer than you estimate.

Although they can be expensive, using consultants to assist in the control definition process is useful. In particular, they assisted with ensuring that the framework and our controls were complete, while identifying where our control gaps were. We do not recommend that the reader use consultants in the control definition phase – this is best performed in-house using resources such as the internal audit and compliance teams.

Internal resources with auditing backgrounds are valuable because their experience and knowledge is useful during the control definition process. It is particularly valuable when reviewing control processes with business operations and translating them into control activities that would meet an external auditor’s requirements.

Our framework went through many revisions and took more time to develop than we initially planned. This is especially true when there are many gaps in the framework, because those take longer
to identify and define controls for. It took a lot of time to sit with various individuals and understand their processes. Some processes are more complicated than others and took multiple meetings. Once the process was understood, we had to pull controls from that and then go back to the control owner to ensure we had documented it correctly.

This framework is not a one-time development; it will be an ongoing process that will involve updates and maintenance. We’ll have to periodically review to ensure that all controls are still relevant and check to see if new controls have been put in place. However, we believe that the up-front effort we have expended will serve us well in the long run.

Resources

Creating a Systemized Approach to Regulatory Compliance at Microsoft – http://www.microsoft.com/technet/itshowcase/content/regcompliance.mspx

BITS Financial Services Roundtable – http://www.bitsinfo.org/about.html

Regulatory Compliance Planning Guide (Mapping Regulations to High Level Control Objectives) – http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/1-02-00.mspx?mfr=true

Regulatory Compliance Planning Guide Front Page – http://www.microsoft.com/technet/security/guidance/complianceandpolicies/compliance/rcguide/1-02-00.mspx?mfr=true

About the Authors

Lori Crooks is a Security Compliance Analyst at ChoicePoint, Inc in Alpharetta, GA. Lori has 6 years experience in auditing and security. She is a CISA and co-creator of ChoicePoint’s Security Control Framework. She can be reached at lori.crooks@choicepoint.com

Aurobindo Sundaram is the Vice President of Information Security at ChoicePoint, Inc. in Alpharetta, GA. He has worked in the information security industry for more than 10 years, and is responsible for articulating the vision and supervising the implementation of ChoicePoint’s Security Control Framework. He can be reached at aurobindo.sundaram@choicepoint.com