Operational security (for me) is a constantly evolving and always interesting arena to work in. The bad guys always have more time than you (and technically they are quite smart as well).
Whilst having a coffee and a chat recently, we began talking about security standards in a given environment. I jumped on my usual soap box (perhaps a little too quickly), outlining why 27001 wasn't the best one for the scenario being discussed at the time.
My friend was right: 27001 is a known and adopted standard. If you need to sell stuff, the people buying it open their wallets and pull out the list of questions they need to ask: 'Is it 27001 compliant?' Though I think the market needs to move on. 27001 was used in the UK for baseline control sets, though it was very much 'point in time' auditing.
First and foremost, 27001 is good. Then again, PAS 555 is also good (though not really adopted). The SANS Top 20 is good too. Lots of things are good. Though 27001 doesn't necessarily play into the operational space so well. When things are going wrong and there is a breach, you can't necessarily employ MacGyver-type agility with 27001.
Though the same is said of the Swiss army knife. The knife: great for cutting cheese. The corkscrew: for getting the red wine to go with the cheese. The horse hoof cleaner... Wait... Move on!
27001 is great as a checklist to state that the processes are in place. It's great for the top-level policy stuff, though it doesn't perhaps state what you need to do. It's the principles rather than the procedures (if you get my take)... You will have logging... You will lock the system down... Blah. It does also go into some detail, though generic stuff, rather than the SANS Top 20 going into the more specific threats and detail.
The SANS Top 20 takes the technical stuff to a different level. Perhaps in future blogs I might look into each five and articulate what it means to me (in terms of what needs to be looked at, where, and why). In the meantime, back to the dairy lees.